UCF STIG Viewer Logo

ECCT-2 Encryption for Confidentiality (Data at Transmit)


Classified data transmitted through a network that is cleared to a lower level than the data being transmitted are separately encrypted using NSA-approved cryptography (See also DCSR-3).

MAC / CONF Impact Subject Area
CLASSIFIED High Enclave Computing Environment


Without separation of different classification levels of data, classified data transmitted would be disclosed, modified, or destroyed by unauthorized users.  This implementation guide is aimed to help system engineering teams implement proper cryptography to protect classified information transmitted.

1. The system engineering team (e.g., project manager, system engineers, security engineer, and IA personnel) shall perform the following:
  a. Identify a list of NSA-approved encryption methods (e.g., NSA-certified Type-1 HAIPE devices) that can encrypt classified information transmitted through a network that is cleared to a lower level than the data being transmitted
  b. Research NSA-certified HAIPE devices (e.g., KG-250, KG-240)
  c. Perform an analysis of advantages and disadvantages of individual encryption devices based on system’s operational requirements and available fund
  d. Select an encryption device that is the most suitable to the system’s environment to encrypt classified data transmitted
  e. Install and test the encryption capability in a lab environment to ensure classified data is transmitted in encrypted form through a separate tunnel
  f. Implement the devices into the system in the operational environment


  • High Assurance Internet Protocol Interoperability Specification (HAIPIS)
  • FIPS 197, Advanced Encryption Standard. 26 November 2001
  • FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001
  • NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, November 1999
  • NIST SP 800-36, Guide to Selecting Information Security Products, October 2003