UCF STIG Viewer Logo

ECNK-2 Encryption for Need-To-Know


SAMI information in transit through a network at the same classification level is encrypted using NSA-approved cryptography. This is to separate it for need-to-know reasons. This is in addition to ECCT (encryption for confidentiality – data in transit).

MAC / CONF Impact Subject Area
CLASSIFIED Medium Enclave Computing Environment


Confidentiality of need-to-know information can be compromised easily when transmitted through a network in an unencrypted state.  Certified cryptography methods provide important functionality to protect against intentional and accidental compromise and alteration of data.

1. NSA-approved cryptography shall be used to separate compartments or protect “need-to-know” information among cleared users on classified systems.  For such uses the DAA may select the cryptographic mechanisms (including commercially available products) to be used after consulting with the Data Owner on requirements.  The DAA shall also consult with NSA for assistance and advice regarding the security of the proposed implementation.  They should pay particular attention to key management, since appropriate secure key management is an important factor in overall system security.
2. NSA approved cryptography consists of an approved algorithm; an implementation that has been approved for the protection of classified information in a particular environment; and a supporting key management infrastructure.
3. The NSA Director shall review and approve all cryptographic implementations intended to protect national security systems and/or national security information and provide advice and assistance to U.S. Government Departments and Agencies in identifying protection requirements and selecting the encryption algorithms and product implementations most appropriate to their needs.


  • DCID 6/3, Protecting Sensitive Compartmented Information Within Information Systems, 12 April 2002
  • CNSSP-15, Fact Sheet No. 1 for the National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information, June 2003
  • FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001
  • FIPS 196, Entity Authentication Using Public Key Cryptography, 18 February 1997
  • FIPS 197, Advanced Encryption Standard (AES), 26 November 2001