Classified data transmitted through a network that is cleared to a lower level than the data being transmitted are separately encrypted using NSA-approved cryptography (See also DCSR-3).
MAC / CONF | Impact | Subject Area |
---|---|---|
CLASSIFIED | High | Enclave Computing Environment |
Threat |
---|
Without separation of data at different classification levels, transmitted classified data could be disclosed, modified, or destroyed by unauthorized users. This implementation guide is intended to help system engineering teams implement proper cryptography to protect classified information in transit. |
Guidance |
---|
1. The system engineering team (e.g., project manager, system engineers, security engineer, and IA personnel) shall perform the following: a. Identify a list of NSA-approved encryption methods (e.g., NSA-certified Type-1 HAIPE devices) that can encrypt classified information transmitted through a network that is cleared to a lower level than the data being transmitted; b. Research NSA-certified HAIPE devices (e.g., KG-250, KG-240); c. Analyze the advantages and disadvantages of individual encryption devices based on the system’s operational requirements and available funding; d. Select the encryption device that is most suitable to the system’s environment to encrypt classified data transmitted; e. Install and test the encryption capability in a lab environment to ensure classified data is transmitted in encrypted form through a separate tunnel; f. Implement the devices in the system in the operational environment. |