
ECNK-1 Encryption for Need-To-Know


Overview

Information in transit through a network at the same classification level, but which must be separated for need-to-know reasons, is encrypted, at a minimum, with NIST-certified cryptography. This is in addition to ECCT (encryption for confidentiality – data in transit).

MAC / CONF:    CLASSIFIED, SENSITIVE
Impact:        Medium
Subject Area:  Enclave Computing Environment

Details

Threat
Need-to-know information is easily compromised when it crosses a network unencrypted. Validated cryptography protects it against both deliberate and accidental disclosure and alteration.

Guidance
1. Identify the system components that process sensitive and unclassified information (classified and sensitive national security systems are covered by the ECNK-2 control).
2. NIST issues the standards and guidelines used to protect sensitive information as Federal Information Processing Standards (FIPS) publications. Federal agencies must comply with all mandatory standards.
3. The system manager shall protect need-to-know information in transit with, at a minimum, a NIST-certified cryptographic method. Relying on FIPS means the standard has been published, the implementation has been tested against it, and the test results have been validated by NIST. Note the distinction between an approved algorithm (for example AES under FIPS 197) and a validated module: FIPS 140-2 validation is granted to a specific cryptographic module, so confirm the module's validation certificate rather than assuming that any library offering AES qualifies. NIST validation means the cryptography has been found adequate for the protection of sensitive government data.
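The following is an added example, not text or code from the STIG or from any product, of the kind of check a system manager can run when selecting the cipher configuration for a need-to-know channel: it builds a TLS client context restricted to TLS 1.2+ with ephemeral-ECDH AES-GCM suites, then audits every suite the context (or an arbitrary OpenSSL cipher string taken from a server configuration) could negotiate against FIPS-approved algorithms. The policy encoded here (AES only, SHA-2 only, no RC4/DES/3DES/MD5/ChaCha20/NULL/export/anonymous suites) is this example's own reading of FIPS 140-2 Annex A together with the SP 800-131A deprecations, and judging a suite by the algorithm names in its identifier is an assumption of the example. Passing the audit shows that only approved algorithms are in play; it does not prove the library is a validated module.

```python
"""Audit the TLS cipher suites a channel may negotiate against FIPS-approved
algorithms.  Added example for this page, not code from the STIG or any
product.  Assumption: suites are judged by the algorithm names in their
OpenSSL/IANA identifiers, and the policy below is this example's own.
"""
import ssl

# Name fragments that disqualify a suite outright.  "DES" also matches
# "DES-CBC3" (3DES), deprecated under SP 800-131A; "EXP" catches export
# suites; "ADH"/"AECDH" are unauthenticated key exchange.
FORBIDDEN = {
    "RC4": "RC4 stream cipher",
    "DES": "DES/3DES (deprecated under SP 800-131A)",
    "MD5": "MD5 hash",
    "CHACHA20": "ChaCha20 (not FIPS-approved)",
    "NULL": "NULL encryption or MAC",
    "EXP": "export-grade suite",
    "ADH": "anonymous DH (no authentication)",
    "AECDH": "anonymous ECDH (no authentication)",
}
APPROVED_HASHES = ("SHA256", "SHA384", "SHA512")


def classify_suite(name):
    """Return the list of policy violations for one cipher-suite name.

    An empty list means every algorithm in the suite is FIPS-approved under
    this example's policy: AES bulk cipher (FIPS 197), SHA-2 PRF/MAC, and
    none of the forbidden components.
    """
    n = name.upper()
    reasons = [f"uses {why}" for frag, why in FORBIDDEN.items() if frag in n]
    if "AES" not in n:
        reasons.append("bulk cipher is not AES (FIPS 197)")
    if not any(h in n for h in APPROVED_HASHES):
        reasons.append("PRF/MAC is not SHA-2 (SHA-1 suites are not allowed here)")
    return reasons


def need_to_know_context():
    """Client context for a need-to-know channel: TLS 1.2 or newer and, for
    TLS 1.2, only ephemeral-ECDH + AES-GCM suites (forward secrecy, AEAD).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL")
    return ctx


def audit_context(ctx):
    """Map every suite the context could negotiate (TLS 1.2 and 1.3) to its
    violations.  set_ciphers() does not govern TLS 1.3 suites, so OpenSSL's
    ChaCha20 suite still appears here unless the library runs with its FIPS
    provider, which omits ChaCha20; the audit makes that visible.
    """
    return {c["name"]: classify_suite(c["name"]) for c in ctx.get_ciphers()}


def audit_cipher_string(spec):
    """Expand an OpenSSL cipher string (e.g. one copied from a server config)
    and return only the offending suites with their reasons."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return {name: why for name, why in audit_context(ctx).items() if why}


if __name__ == "__main__":
    # Constructed comparison: a permissive legacy string versus the hardened one.
    for spec in ("ALL", "ECDHE+AESGCM:!aNULL:!eNULL"):
        bad = audit_cipher_string(spec)
        print(f"{spec!r}: {len(bad)} non-compliant suite(s)")
        for name, why in sorted(bad.items()):
            print(f"  {name}: {'; '.join(why)}")
```

The cipher string passed to set_ciphers() is deliberately narrower than the policy the classifier enforces: the classifier only asks whether each algorithm is approved, while the string additionally insists on ephemeral key agreement so that a later key compromise does not expose recorded need-to-know traffic. Run the audit against the cipher string of every device on the separated path, not just the endpoints, and pair it with a check of the cryptographic module's FIPS 140-2 certificate.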

References

  • NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure, February 2001
  • NIST SP 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2, June 2001
  • NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, October 2000
  • NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, November 1999
  • FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001
  • FIPS 196, Entity Authentication Using Public Key Cryptography, 18 February 1997
  • FIPS 197, Advanced Encryption Standard (AES), 26 November 2001