Encryption of MODII at rest – GOV.UK

Industry Security Notice Number 2020/07

Subject: Encryption of MODII at rest

The UK Defence Supply Base stores, processes, and forwards a significant amount of MOD Identifiable Information (MODII) in digital formats, for which encryption at rest is required.

This ISN 2020/07 provides interim clarification of the use of Off The Shelf (OTS) products to provide encryption, whilst the MOD and National approaches to endorsement of products and services is reviewed.

This ISN 2020/07 supersedes - ISN 2020/03 and ISN 2018/02, which was issued on 26 April 2018.

It will be noted that all products in ISN 2018/02 which are either:

Where and when members of the UK Defence Supply Base need to encrypt MOD material in digital formats, they shall follow the stipulations below, in respect of:

Product Selection

Product Use

Security Breaches

The following generic scenarios for encryption at rest are identified:

Digital Storage Media & Devices (DSMD), comprising of:

Internal Storage Drives (ISD)

Removable Storage Media & Devices (RSMD), in particular:

a. External Storage Drives (ESD)

b. Flash Storage Devices [footnote 1] (FSD)

c. Optical Storage Media [footnote 2](OSM)

d. Individual Files & Folders (IFF)

The need to encrypt will vary depending on the specific scenario; for instance the presumption for portable equipments tends to needing encryption, whereas the presumption for servers in protected data centres will tend to not needing encryption.

It should be noted that although this ISN 2020/07 relates to Data At Rest (DAR) protection, the IFF option differs from DSMD in that it can also be used to protect MOD material when being forwarded on RSMD, both as email attachments, and within shared storage scenarios such as cloud. This use of DAR encryption for attachments and shared storage differs from Data In Motion (DIM) protection, which relates to the encryption of the communication media itself.

In all cases where DAR encryption is used to protect information being forwarded, the encryption key or password shall be securely transmitted by separate means to that used for the encrypted material.

At present MOD recognises two types of legacy Endorsement for encryption products for Digital Storage Media & Devices:

Approved - evaluation and certification by NCSC [footnote 3]

Acceptable - evaluated by the Technical Authorities of another nation and/or approved by the former DIPCOG [footnote 4]

Where multiple options to protect MOD material exist, the presumption shall be that an approved solution is preferred over an acceptable solution for any new acquisition, and any variation from this presumption must be explicitly agreed with the risk owner.

Annex A provides a summary of such legacy endorsements currently retained for products that are still available and maintained. This will continue to apply until both NCSC and MOD approval processes mature, after which an updated ISN will be issued as appropriate.

It is recognised that there may be a requirement to use products that are not included at Annex A, and in such cases encryption products that have not been through any approval process may be considered if there is sufficient justification for doing so and the risks associated with them have been assessed, managed and agreed as part of the Accreditation process. When choosing such a product, it is recommended that only those carrying an official certification of evaluation from a trusted organisation, such as the legacy CSIA [footnote 5] Claims Tested Mark (CCT Mark), or FIPS-140 assurance under the Crypto Module Validation Program (CMVP), are considered for use.

In all cases, the selection of encryption products should be documented in the Risk Management and Accreditation Document Set (RMADS). Use of products not on the list must be highlighted to the relevant Risk Owner for a decision.

Where continued use of existing products that are no longer still available and/or maintained is planned, and/or the platform which they protect is either obsolescent or obsolete, this must be highlighted to the relevant Risk Owner for a decision.

Once encrypted, the MOD material must still be protected in accordance with all relevant control measures for the classification.

Some encryption products, especially those at High Grade (HG), will force compliance to a password of set length and complexity, whereas others will allow the user a certain amount of flexibility. Current NCSC guidance on passwords advocates balancing risk against a simpler approach to password management.

Password complexity should be set appropriately against requirement; a longer more complex password may be appropriate for any DMSD that is to be sent to an external party using a shared password, whereas a more memorable passphrase may be used when retained within a secure environment. Shared passwords should be transported and secured separately from the media with which it is associated.

It is stressed that the selection and usage of an approved or accepted generic product or service cannot be assumed to cover all risk in specific instances, and furthermore that endorsements are given at a particular moment in time. It is therefore important to:

Consider the product or service in the context in which it is to be used

Ensure that the product or service is clearly identified within evidence given to any independent authorising party (for Defence and much of Defence Industry, typically the accreditor)

Maintain the product or service throughout its lifecycle

Monitor for disclosed vulnerabilities

Share any encountered problems, and in particular susceptibilities, with relevant colleagues, include MOD through the Defence Industry WARP (DefIndWARP)

All confirmed or suspected breaches involving MOD information must be accurately and quickly reported to your Security Officer, in line with your company procedures, for onward transmission as necessary to DefIndWARP. The report should include details of quantities, location(s), overall classification (taking into account aggregation) and any handling instructions or need-to-know restrictions.

This ISN 2020/07 will expire when superseded or withdrawn.

The point of contact in respect of this ISN is:

ISN 2020/03

Keys:

ISD Internal Storage Devices

ESD External Storage Devices

FSD Flash Storage Devices

Optical Storage Media

IFF Individual Files and Folders

Link:
Encryption of MODII at rest - GOV.UK