CHAPTER 6 – PART 5
Encryption Security Standards
1 BACKGROUND
All USDA agencies and staff offices need to transmit Sensitive But Unclassified (SBU) over open networks. In using IT to continuously improve mission performance, the USDA is becoming more interconnected to open networks and other emergent global networks. The openness of these networks enables malicious cyber attacks against sensitive USDA assets and increases the potential risk to sensitive information. This risk is compounded through the use of the Internet and other non-secure mediums such as Wireless Local Area Network technology, Microwave, and Radio technologies. This technology includes utilizing Laptops and Personal Electronic Devices (such as cellular telephones, pagers and handheld computers) to communicate and process USDA information from any location.
Encryption methods can protect sensitive information during storage and transmission. They provide important functionality to reduce the risk of intentional and accidental compromise and alteration of data. Encryption algorithms use a mechanism called a key, which is used to render the information unreadable during transmission. While the information is encrypted it is mathematically protected against disclosure because it cannot be read by someone who does not have a corresponding key to decrypt the information. Encryption methods serve as part of the USDA defense-in-depth strategy and provide reasonable protection of sensitive information at a comparatively low cost.
The primary factor that must be considered when determining if encryption is required is data sensitivity. Data sensitivity is a measure of the importance and nature of the information processed, stored, and transmitted by an IT system to the organization’s mission and day-to-day operations. The sensitivity of information can be addressed by analyzing the system requirements for confidentiality, integrity, and availability.
2 POLICY
All USDA agencies and staff offices will use the Approved Protocols and Protection Techniques outlined in Section 3, Procedures, below. Encryption will be used in all IT systems that process and store SBU to preclude disclosure to unauthorized internal and external parties. This policy also applies to all parties that store and process SBU on behalf of USDA agencies and staff offices.
Policy Exception Requirements – Agencies will submit all policy exception requests directly to the ACIO for Cyber Security. Exceptions to policy will be considered only in terms of implementation time; exceptions will not be granted to the requirement to conform to this policy. Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestone (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved. Interim exceptions expire with each fiscal year. Compliance exceptions that require longer durations will be renewed on an annual basis with an updated timeline for completion. CS will monitor all approved. All SBU/SSI information will be encrypted; no exceptions will be considered to this requirement.
3 PROCEDURES
This Sensitive Information Transmission Policy sets forth the following requirements:
(1) All telecommunication and network encryption systems will have an encryption plan approved by the agency Information Systems Security Program Manager (ISSPM) or Security Officer;
(2) All sensitive USDA information transmitted will be encrypted in accordance with the Media Encryption Chart requirements outlined in Table 2;
(3) Sufficient redundancy and capacity needs to be incorporated into departmental or agency mission critical and essential communication systems to prevent transmission of SBU/SSI information in clear text;
(4) SBU/SSI will be processed and stored as required by DM3535-001, USDA’s C2 Level of Trust;
(5) Agencies and staff offices will exercise control over keys used in any encrypted transmissions.
Approved Protocols and Protection Techniques - All protocols must deploy either the Triple DES or the Advanced Encryption Standard approved by NIST. Encryption products used to protect sensitive information will conform to the NIST Cryptographic Module Validation Program validated listing. All encryption implementations will conform to the Level 2 Security requirements as specified in FIPS-140-2 unless otherwise identified in this policy. Agencies should contact CS for key size recommendations or any specific protocol questions. These requirements aid in providing a trusted computing base for encryption services which is essential for maintaining the confidentiality, integrity and non-repudiation of the sensitive information that these systems process. The Encryption Algorithms shown below can be used to protect sensitive information:
(1) IPSEC – is a suite of authentication and encryption protocols, suitable for all types of Internet Protocol (IP) traffic and is used to create virtual private networks (VPN) which allow sensitive information to be sent securely between two end stations or networks over an un-trusted communications medium. IPSEC technology should be considered as a technology to secure Internet and other IP communications within the USDA and agency corporate networks and to connect to authorized external customers at defined locations;
(2) Secure Shell (SSH) – may be deployed solely for the remote administration of sensitive systems;
(3) Secure Sockets Layer (SSL) – the secure sockets layer specification may be deployed to provide secured access to sensitive information on Web servers. When SSL is used to protect USDA sensitive information, the latest version (currently SSLv3) should be used with 128-bit encryption;
(4) Virtual Private Networks (VPN) – should be deployed in environments where data-link layer encryption would not be a practical solution to maintain and operate. VPN technology using IPSEC encryption allows it to be implemented independent from a particular link layer communications technology (e.g., HDLC, Frame Relay, FDDI, Ethernet, Gigabit Ethernet, ATM, etc.). As such, this policy strongly encourages the use of VPN technology to secure departmental and agency sensitive communications;
(5) Data-Link (symmetrical) Encryption – may be used in environments where Virtual Private Network management would not be a reasonable encryption implementation to maintain and operate and where the use and management of VPN technology would not be warranted;
(6) Pretty Good Privacy (PGP) – may be used to protect sensitive information transmitted via e-mail using a minimum key size of 2048 bits. Public key information may be maintained on public or internal PGP key servers;
(7) Public Key Infrastructure (PKI) – These implementations are suitable for all environments and must follow Cyber Security DM3530-003, Public Key Infrastructure (PKI) Technology.
4 RESPONSIBILITIES
a The Associate CIO for Cyber Security will:
(1) Provide technical policies and standards for encryption that is to be deployed throughout the USDA’s Information Technology environment;
(2) Formulate departmental encryption strategies;
(3) Promptly review for approval requests for policy exceptions and provide a response to the agency/mission area;
(4) Conduct periodic reviews to ensure compliance by USDA agencies with this policy by auditing encryption implementations; and,
(5) Periodically review and update this policy and the procedures as required.
b Agency Management and Information Technology Officials or Chief Information Officer will:
(1) Ensure the provisions of this policy are implemented in all agency/mission area IT environments;
(2) Develop and prepare an Encryption Plan in accordance with Table 1 of this document. This plan will detail encryption use for all agency networks and mobile computing systems;
(3) Make sure that all relevant agency personnel are acquainted with the provisions of this policy and procedures with a focus on the Information Systems Security Program Manager and System/Network Administrators;
(4) Make certain that all agency security plans and internal operating procedures include encryption as part of the plan’s technical controls with instructions for the secure use of approved encryption protocols;
(5) Prepare formal exception requests for encryption algorithms and techniques that do not meet the requirements of this policy in conformance with the policy exception section above; exceptions will be signed by the Agency Head/CIO and will be forwarded to OCIO; and,
(6) Receive, review and coordinate a response and mitigation strategy/schedule to the Associate CIO for Cyber Security for any deviations from this policy not covered by a pre-existing waiver.
c The agency Information Systems Security Program Managers (ISSPM) will:
(1) In coordination with the agency SA/NA, ensure that all agency telecommunication and computing infrastructures comply with this policy and standards;
(2) Review agency Encryption Plans to ensure that they comply with the requirements of this policy;
(3) Include the requirements of this policy in agency security program and system security plans and internal operating procedures to ensure secure use of approved encryption algorithms, protocols and techniques;
(4) In conjunction with the agency SA/NA, ensure that all VPN connections are centrally managed and users of VPN systems are fully authenticated;
(5) Conduct periodic reviews of all encryption to determine compliance with protocols and standards; report any non-compliant encryption algorithms and methods to the Agency Head/CIO and monitor non-compliance remediation;
(6) Participate in the preparation of waiver packages, as required.
d Agency System/Network Administrators will:
(1) Ensure that agency encryption complies with this policy and standards;
(2) Include these standards and approved protocols in systems that address internal operating procedures for encryption;
(3) Participate in the central management of all agency VPN connections ensuring that users of VPN services are fully authenticated; the system owner of the application or network that is the provider of the sensitive information being accessed must manage each end of the VPN service;
(4) Review all agency encryption implementations to ensure that they comply with this policy; actively participate in the preparation of waiver packages, as required.
- END –
In accordance with the Office of Management and Budget Guidance on Data Availability and Encryption, each implementation will include an encryption plan. Required components in the agency encryption plan include:
(a) A configuration layout, showing complete end-to-end details of the telecommunication or computer systems encryption points;
(b) The type of encryption to be used;
(c) The source of key generation and insertion for symmetrical encryption methods;
(d) The cryptographic period required; that is, the amount of time before a session key should be updated. The maximum valid age of the cryptographic period is 60 days; and
(e) The system procedures for key loading, key generation, key protection and distribution, key recovery and key destruction.
Each agency will have key recovery procedures to recover sensitive information encrypted when the information is stored electronically.
| Transmission Media | Encryption Required | Comments |
|---|---|---|
| Local Area Networks | No | If LAN is accredited |
| E-mail | Yes, by Agency | If transmitting SBU data |
| Tail Circuit | Yes, by Agency | If transmitting SBU data |
| Dedicated Circuits (Analog, Digital, Broadband, ATM, Frame Relay) | Yes, by Agency | If transmitting SBU data |
| WAN Circuits (Between Nodes) | Yes | TSO provides |
| USDA Backbone Network | Yes | TSO provides |
| Agency Networks | Yes | If transmitting SBU data |
| Infrared (Laptops, PDAs) | Yes, Agency | If transmitting SBU data in a Public Area |
| Satellite | Yes, Agency | If transmitting SBU data within Footprint |
| Microwave | Yes, Agency | If transmitting SBU data Node to Node |
| Wireless (Radio, Cell Phones) | Yes, Agency | If transmitting SBU data |
Media Encryption Chart