Page 173 - Cyber Defense eMagazine August 2024
P. 173
Obtaining the right encryption solution hinges on understanding the classification of your data. Here's a
breakdown of the encryption requirements for CUI and Classified data:
Controlled Unclassified Information (CUI):
Encryption mandated by AFMAN 17-1301, paragraph 4.7 [2].
Cybersecurity products require NIAP-CC certification.
Classified Data at Rest (DAR):
Must use NSA-approved cryptographic and key management systems [2].
Two approved options:
Government Off-the-Shelf (GOTS)/Type 1 hardware
Commercial Solutions for Classified (CSfC)
Understanding the Differences Between NIAP and CSfC
While leveraging industry innovation through the CSfC strategy offers efficiency benefits, it's important to
understand the key differences between CSfC and NIAP-certified products. CSfC solutions require two
independent layers of encryption for adequate protection, differing significantly from the single layer
approach employed by NIAP-certified products.
The Role of Authorizing Officials (AOs) and Path to NSA Approval
Authorizing Officials (AOs) play a vital role in ensuring proper implementation of all security requirements
outlined in the Capability Package (CP). This includes reviewing compliance matrices and signing off on
the Registration Form.
The presentation concluded with a detailed overview of the process for obtaining NSA approval for both
CUI and CSfC solutions. By understanding the nuances of data classification and the appropriate
encryption solutions, organizations can ensure the confidentiality and integrity of their sensitive
information.
Remember: Encryption is a powerful tool, but its effectiveness hinges on selecting the right solution for
your specific data classification. Don't be fooled by common misconceptions – ensure you have the
correct certifications in place to safeguard your valuable information.
Cyber Defense eMagazine – August 2024 Edition 173
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
