Check: ENTD0270
Test and Development Zone C STIG: ENTD0270 (in versions v1 r6 through v1 r3)
Title
Sensitive data transmitted between interconnected organizations must be encrypted using an approved mechanism for the classification level of the data transmitted. (Cat II impact)
Discussion
The use of encryption at the appropriate level to secure the confidentiality and integrity of sensitive information is imperative to ensure a data breach does not occur when the information transits a transport network. If the information shared between interconnecting sites is marked for anything other than public release or is need-to-know, then it must use encryption correlating with the classification of the data in transit. Unclassified/FOUO will need to use a FIPS 140-2 validated cryptographic module. Classified traffic needs to use an NSA approved encryption standard.
Check Content
Determine whether the proper encryption standard is deployed for the classification of information being shared between interconnected organizations. Unclassified/FOUO or any need-to-know data will need to use a FIPS 140-2 validated cryptographic module. Classified traffic must use an NSA approved encryption standard. If the proper encryption standard is not in use for sharing information between interconnected sites, this is a finding.
Fix Text
Implement an approved encryption mechanism for the classification of data being shared between interconnected organizations. Unclassified/FOUO or any need-to-know data will need to use a FIPS 140-2 validated cryptographic module. Classified traffic must use an NSA approved encryption standard.
Additional Identifiers
Rule ID: SV-51533r1_rule
Vulnerability ID: V-39666
Group Title: ENTD0270 - Sensitive data sent between organizations not encrypted.
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.