ECCR-3

ECCR-3 Encryption for Confidentiality (Data at Rest)

Overview

If a classified enclave contains SAMI and is accessed by individuals lacking an appropriate clearance for SAMI, then NSA-approved cryptography is used to encrypt all SAMI stored within the enclave.

MAC / CONF	Impact	Subject Area
CLASSIFIED	High	Enclave Computing Environment

Details

Threat
Without proper cryptography methods being used, it would affect the confidentiality, integrity, and availability of Sources and Methods Intelligence (SAMI). This implementation guide is aimed to help information owners implement proper cryptography to protect all SAMI information stored within the enclave.

Guidance
1. The information owner shall determine if the classified enclave contains SAMI and is accessed by individuals lacking an appropriate clearance for SAMI. 2. If the classified enclave is affected, the system engineering team (e.g., project manager, system engineers, and IA personnel) shall perform the following: a. Obtain a list of NSA-approved cryptography algorithms and keys (e.g., AES, private and public keys) b. Research and obtain a list of NSA-approved encryption products (e.g., HAIPE devices) c. Perform an analysis of advantages and disadvantages of individual cryptography methods based on system’s operational requirements and available fund d. Select a cryptography method that is the most suitable to the system environment to encrypt SAMI information stored within the enclave e. Test the encryption capability in a lab environment f. Implement the NSA-approved cryptography into the system in the operational environment

Guidance

1. The information owner shall determine if the classified enclave contains SAMI and is accessed by individuals lacking an appropriate clearance for SAMI.
2. If the classified enclave is affected, the system engineering team (e.g., project manager, system engineers, and IA personnel) shall perform the following:
  a. Obtain a list of NSA-approved cryptography algorithms and keys (e.g., AES, private and public keys)
  b. Research and obtain a list of NSA-approved encryption products (e.g., HAIPE devices)
  c. Perform an analysis of advantages and disadvantages of individual cryptography methods based on system’s operational requirements and available fund
  d. Select a cryptography method that is the most suitable to the system environment to encrypt SAMI information stored within the enclave
  e. Test the encryption capability in a lab environment
  f. Implement the NSA-approved cryptography into the system in the operational environment

References

High Assurance Internet Protocol Interoperability Specification (HAIPIS)
FIPS 197, Advanced Encryption Standard. 26 November 2001
FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001
NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, November 1999
NIST SP 800-36, Guide to Selecting Information Security Products, October 2003