ECTM-2 Transmission Integrity Controls
Overview
Good engineering practices with regards to the integrity mechanisms of COTS, GOTS, and custom developed solutions are implemented for incoming and outgoing files, such as parity checks and cyclic redundancy checks (CRCs). Mechanisms are in place to assure the integrity of all transmitted information (including labels and security parameters) and to detect or prevent the hijacking of a communication session (e.g., encrypted or covert communication channels).
| MAC / CONF | Impact | Subject Area |
|---|---|---|
| MACI MACII | Medium | Enclave Computing Environment |
Details
| Threat |
|---|
| Integrity of transmitted information is at risk if good engineering practices are not implemented. Â Error detection methods like parity checks, checksums, and CRCs along with mechanisms to detect and prevent the hijacking of communication sessions mitigate the integrity risk of incoming and outgoing files during transmission. |
| Guidance |
|---|
| 1. COTS, GOTS, and custom developed solutions shall implement some form of error detection to enhance data integrity during transmission. 2. Schematics, diagrams, or some other form of documentation shall show system data flows, the communication mediums, and the associated protection mechanisms. 3. Integrity checkers such as Tripwire can be utilized to detect suspicious activity by searching a program or file to determine if it has been altered or changed. Integrity checkers are usually checksum based with cryptographic checksums providing the highest level of security. 4. COTS or GOTS IA and IA enabled products shall be searched and evaluated for covert channels and if applicable, potential cryptographic key leakage from the cryptographic module. The following programs are used to evaluate and validate IA products: The International Common Criteria for Information Security Technology Evaluation Mutual Recognition Arrangement; The National Security Agency (NSA) /National Institute of Standards and Technology (NIST) National Information Assurance Partnership (NIAP) Evaluation and Validation Program; or The NIST Federal Information Processing Standard (FIPS) validation program. 5. A validated products list can be found at the http://niap.nist.gov website along with procedures to get a product through the validation process. |
References
- NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, August 2000
- NIST SP 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A, June 2004
- NIST SP 800-36, Guide to Selecting Information Security Products, October 2003
- NCSC TG-030, A Guide To Understanding Covert Channel Analysis of Trusted Systems, Version 1, November 1993
- NSA, U.S. Government Protection Profile for Single-level Operating Systems in Environments Requiring Medium Robustness, Version 1.67, 30 October 2003
- CCIMB-99-031, Common Criteria for Information Technology Security Evaluation, August 1999
- DOD 8500.2, Information Assurance Implementation, 06 February 2003
- NSTISSP No. 11, National Information Assurance Acquisition Policy - Revised Fact Sheet, July 2003