The ever-evolving landscape of data security demands constant vigilance, especially for those handling Controlled Unclassified Information (CUI). A presentation by Greg Cooper, Cybersecurity SME & Security Engineer, at the USAF Cyber Monthly meeting shed light on common misconceptions surrounding data encryption and the critical role of obtaining the correct certifications for your specific data classification.
While encryption is widely understood as a crucial security measure, misconceptions abound. A common fallacy is that focusing solely on encrypting data-in-transit offers sufficient protection. The reality is far more nuanced. Technical data, for example, can also qualify as CUI, requiring robust encryption strategies.
Perhaps the most critical takeaway concerns the limitations of FIPS 140-3 compliance. While this standard offers a baseline for cryptographic modules, it doesn’t guarantee CUI protection. For CUI encryption, solutions must hold NIAP-CC certification, ensuring they meet rigorous security standards established by the National Information Assurance Partnership (NIAP).
NIAP plays a central role in evaluating cybersecurity products for use with CUI and Classified (CSfC) data. Overseen by the National Security Agency (NSA), NIAP validates FIPS-compliant modules against established Protection Profiles. This rigorous evaluation process typically takes 90-180 days.
For data on National Security Systems (NSS), cryptographic requirements are dictated by the Commercial National Security Algorithms (CNSA) suite. Crucially, CNSA 2.0 introduces new algorithms, with a 2025 deadline for transitioning to these updated standards.
The Importance of Choosing the Right Encryption
According to the Defense Contract Management Agency (DCMA), failing to meet the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security requirements has been the number one finding across the last three years of audits for Department of Defense (DoD) contractors [1]. This highlights the critical role that proper encryption plays in securing Controlled Unclassified Information (CUI) and Classified data.
[Image] Data source: Defense Contract Management Agency (DCMA) – Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) PowerPoint
Obtaining the right encryption solution hinges on understanding the classification of your data. Here’s a breakdown of the encryption requirements for CUI and Classified data:
Controlled Unclassified Information (CUI):
    Encryption mandated by AFMAN 17-1301, paragraph 4.7 [2].
    Cybersecurity products require NIAP-CC certification.
Classified Data at Rest (DAR):
    Must use NSA-approved cryptographic and key management systems [2].
    Two approved options:
        Government Off-the-Shelf (GOTS)/Type 1 hardware
        Commercial Solutions for Classified (CSfC)
Understanding the Differences Between NIAP and CSfC
While leveraging industry innovation through the CSfC strategy offers efficiency benefits, it’s important to understand the key differences between CSfC and NIAP-certified products. CSfC solutions require two independent layers of encryption for adequate protection, differing significantly from the single-layer approach employed by NIAP-certified products.
The Role of Authorizing Officials (AOs) and Path to NSA Approval
Authorizing Officials (AOs) play a vital role in ensuring proper implementation of all security requirements outlined in the Capability Package (CP). This includes reviewing compliance matrices and signing off on the Registration Form.
The presentation concluded with a detailed overview of the process for obtaining NSA approval for both CUI and CSfC solutions. By understanding the nuances of data classification and the appropriate encryption solutions, organizations can ensure the confidentiality and integrity of their sensitive information.
Remember: Encryption is a powerful tool, but its effectiveness hinges on selecting the right solution for your specific data classification. Don’t be fooled by common misconceptions – ensure you have the correct certifications in place to safeguard your valuable information.
Glossary
CNSA: Commercial National Security Algorithms
CNSS: Committee on National Security Systems
CNSSI: CNSS Instruction
CNSSP: CNSS Policy
COTS: Commercial Off-the-Shelf
CSfC: Commercial Solutions for Classified
DAR: Data at Rest
CP: Capability Package
DCMA: Defense Contract Management Agency
DoD: Department of Defense
GOTS: Government Off-the-Shelf
IA: Information Assurance
NIST: National Institute of Standards and Technology
NIAP: National Information Assurance Partnership
NIAP-CC: National Information Assurance Partnership / Common Criteria
NSA: National Security Agency
About the Author
Ben Warner, CRU Data Security Group | Throughout his career, Ben Warner honed his cybersecurity expertise working with the United States military. He worked on projects involving security and protection of networks holding some of the nation’s most sensitive and classified information with Applied Research Solutions at Wright-Patterson Air Force Base. He has also worked with Booz Allen, a leading cyber defense contractor, and GE Aviation, and is a veteran of the U.S. Air Force. Ben can be reached online at linkedin.com/in/davidbenwarner/