ECCT-1 Encryption for Confidentiality (Data at Transmit)


Overview

Unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography (See also DCSR-2).

MAC / CONF:   SENSITIVE
Impact:       Medium
Subject Area: Enclave Computing Environment

Details

Threat
Without protecting unclassified, sensitive information with encryption, sensitive data transmitted through an unprotected network could be disclosed, modified, or destroyed by unauthorized users. This implementation guide is intended to help system engineering teams implement proper cryptography to protect sensitive information transmitted through a commercial or wireless network.

Guidance
The system engineering team (e.g., project manager, system engineers, security engineer, and IA personnel) shall perform the following:
 
1. Identify the NIST-certified cryptographic algorithms (3DES, AES) to be used to encrypt unclassified, sensitive information transmitted through a commercial or wireless network
2. Research vendor products (e.g., virtual private network [VPN], secure sockets layer [SSL], secure shell [SSH]) that use NIST-certified cryptography
3. Perform an analysis of the advantages and disadvantages of the individual encryption products based on the system's operational requirements and available funding
4. Select the encryption product (at its latest version) that is most suitable to the system's environment for encrypting the sensitive data transmitted
5. Install and test the encryption capability in a lab environment to ensure that sensitive data transmitted through a commercial or wireless network is encrypted
6. Implement the device in the system in the operational environment
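To make the lab test in step 5 concrete, the following is an added example (not part of the DISA control text) that audits an OpenSSL-style TLS cipher-suite list against the NIST-certified algorithms named in step 1, AES and Triple DES, and rejects everything else. The sample suite names are constructed, and the local check assumes Python's standard `ssl` module is built against OpenSSL.

```python
"""Audit a TLS cipher-suite list for ECCT-1: bulk encryption must use a
NIST-approved symmetric algorithm (AES or Triple DES).

Added example for step 5 of the guidance, not part of the DISA control.
Cipher names follow OpenSSL conventions; the sample list is constructed.
Classification is by name only: key exchange and MAC are not examined."""
import re
import ssl

# OpenSSL spells Triple DES as "DES-CBC3"; TLS 1.3 suites read "TLS_AES_...".
AES = re.compile(r"(^|[-_])AES", re.IGNORECASE)
TDES = re.compile(r"(^|[-_])(DES-CBC3|3DES)", re.IGNORECASE)
# Anything else (single DES, RC4, NULL, CHACHA20, CAMELLIA, ...) is not
# NIST-certified for this purpose and is rejected.


def classify(name: str) -> str:
    """Return 'aes', '3des' or 'rejected' for one cipher-suite name."""
    if AES.search(name):
        return "aes"
    if TDES.search(name):
        return "3des"
    return "rejected"


def audit(cipher_names):
    """Bucket suites by bulk cipher. 3DES is kept in its own bucket because
    the control accepts it while later NIST guidance (SP 800-131A) retires it."""
    result = {"aes": [], "3des": [], "rejected": []}
    for name in cipher_names:
        result[classify(name)].append(name)
    return result


def audit_local_openssl():
    """Audit the cipher list the local OpenSSL build offers by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return audit(c["name"] for c in ctx.get_ciphers())


# Constructed sample list mixing compliant and non-compliant suites.
SAMPLE = [
    "TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA", "DES-CBC-SHA", "RC4-SHA",
    "TLS_CHACHA20_POLY1305_SHA256", "NULL-SHA",
]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE).items():
        print(bucket, names)
```

Any suite that lands in the `rejected` bucket should be removed from the product's configuration before the system leaves the lab.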

References

  • DISA Wireless STIG, 15 April 2004
  • FIPS 197, Advanced Encryption Standard, 26 November 2001
  • FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001
  • NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, November 1999
  • NIST SP 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, May 2004
  • NIST SP 800-36, Guide to Selecting Information Security Products, October 2003