
ECCR-3 Encryption for Confidentiality (Data at Rest)


Overview

If a classified enclave contains SAMI and is accessed by individuals lacking an appropriate clearance for SAMI, then NSA-approved cryptography is used to encrypt all SAMI stored within the enclave.

MAC / CONF: CLASSIFIED
Impact: High
Subject Area: Enclave Computing Environment

Details

Threat
If proper cryptographic methods are not used, the confidentiality, integrity, and availability of Sources and Methods Intelligence (SAMI) would be affected. This implementation guide aims to help information owners implement proper cryptography to protect all SAMI stored within the enclave.

Guidance
1. The information owner shall determine if the classified enclave contains SAMI and is accessed by individuals lacking an appropriate clearance for SAMI.
2. If the classified enclave is affected, the system engineering team (e.g., project manager, system engineers, and IA personnel) shall perform the following:
  a. Obtain a list of NSA-approved cryptographic algorithms and keys (e.g., AES, private and public keys)
  b. Research and obtain a list of NSA-approved encryption products (e.g., HAIPE devices)
  c. Perform an analysis of the advantages and disadvantages of the individual cryptographic methods based on the system’s operational requirements and available funds
  d. Select the cryptographic method that is most suitable to the system environment to encrypt SAMI stored within the enclave
  e. Test the encryption capability in a lab environment
  f. Implement the NSA-approved cryptography into the system in the operational environment

References

  • High Assurance Internet Protocol Interoperability Specification (HAIPIS)
  • FIPS 197, Advanced Encryption Standard, 26 November 2001
  • FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001
  • NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, November 1999
  • NIST SP 800-36, Guide to Selecting Information Security Products, October 2003