ECNK-2

ECNK-2 Encryption for Need-To-Know

Overview

SAMI information in transit through a network at the same classification level is encrypted using NSA-approved cryptography. This is to separate it for need-to-know reasons. This is in addition to ECCT (encryption for confidentiality – data in transit).

MAC / CONF	Impact	Subject Area
CLASSIFIED	Medium	Enclave Computing Environment

Details

Threat
Confidentiality of need-to-know information can be compromised easily when transmitted through a network in an unencrypted state. Certified cryptography methods provide important functionality to protect against intentional and accidental compromise and alteration of data.

Guidance
1. NSA-approved cryptography shall be used to separate compartments or protect “need-to-know” information among cleared users on classified systems. For such uses the DAA may select the cryptographic mechanisms (including commercially available products) to be used after consulting with the Data Owner on requirements. The DAA shall also consult with NSA for assistance and advice regarding the security of the proposed implementation. They should pay particular attention to key management, since appropriate secure key management is an important factor in overall system security. 2. NSA approved cryptography consists of an approved algorithm; an implementation that has been approved for the protection of classified information in a particular environment; and a supporting key management infrastructure. 3. The NSA Director shall review and approve all cryptographic implementations intended to protect national security systems and/or national security information and provide advice and assistance to U.S. Government Departments and Agencies in identifying protection requirements and selecting the encryption algorithms and product implementations most appropriate to their needs.

Guidance

1. NSA-approved cryptography shall be used to separate compartments or protect “need-to-know” information among cleared users on classified systems. For such uses the DAA may select the cryptographic mechanisms (including commercially available products) to be used after consulting with the Data Owner on requirements. The DAA shall also consult with NSA for assistance and advice regarding the security of the proposed implementation. They should pay particular attention to key management, since appropriate secure key management is an important factor in overall system security.
2. NSA approved cryptography consists of an approved algorithm; an implementation that has been approved for the protection of classified information in a particular environment; and a supporting key management infrastructure.
3. The NSA Director shall review and approve all cryptographic implementations intended to protect national security systems and/or national security information and provide advice and assistance to U.S. Government Departments and Agencies in identifying protection requirements and selecting the encryption algorithms and product implementations most appropriate to their needs.

References

DCID 6/3, Protecting Sensitive Compartmented Information Within Information Systems, 12 April 2002
CNSSP-15, Fact Sheet No. 1 for the National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information, June 2003
FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001
FIPS 196, Entity Authentication Using Public Key Cryptography, 18 February 1997
FIPS 197, Advanced Encryption Standard (AES), 26 November 2001