If required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-SAMI information.
MAC / CONF | Impact | Subject Area |
---|---|---|
CLASSIFIED | Medium | Enclave Computing Environment |
Threat |
---|
Without proper cryptographic methods, the confidentiality, integrity, and availability of classified non-SAMI information would be affected. This implementation guide aims to help information owners implement proper cryptography to protect all classified non-SAMI information stored within the enclave. |
Guidance

1. The information owner shall determine whether non-SAMI in the classified enclave requires encryption-at-rest to protect privacy and need-to-know.
2. If the classified enclave contains non-SAMI, the system engineering team (e.g., project manager, system engineers, and IA personnel) shall perform the following:
   a. Identify a list of NIST-certified cryptography algorithms and keys (e.g., 3DES, AES) that can encrypt stored classified non-SAMI information.
   b. Research vendor products that have been certified based on NIST-certified cryptography.
   c. Perform an analysis of the advantages and disadvantages of individual cryptography products based on the system's operational requirements and available funds.
   d. Select the product that is most suitable to the system's environment to encrypt classified non-SAMI information.
   e. Test the encryption capability in a lab environment.
   f. Implement the NIST-approved cryptography into the system in the operational environment.