SS-08-040.03 Cryptographic Controls

Issue Date: 3/31/2008

Effective Date: 12/15/2014

Review Date: 7/1/2018

PURPOSE

The State has a fiduciary duty and at times a legal responsibility to adequately protect non-public, sensitive, personnel, constituent and/or proprietary information for which it owns or has custodial responsibility. There are circumstances when the risk of compromise or exposure to sensitive state data is greater than acceptable by the data owner, or by law, and compensating security control measures are insufficient. When increased confidentiality, authenticity, integrity or non-repudiation of information is critical, the use of cryptographic controls may be warranted.

Cryptography is a discipline that embodies principles, means and methods for providing several security services: confidentiality, data integrity, authentication and non-repudiation.

This standard establishes the conditions and minimum requirements for implementing cryptographic controls in state information systems requiring them.

SCOPE; ENFORCEMENT; AUTHORITY; EXCEPTIONS

Enterprise Information Security Charter PS-08-005

STANDARD

Agencies shall use cryptographic controls where the security objectives of confidentiality, authentication, non-repudiation or data integrity are categorized MODERATE or higher; or when the risk of compromise or exposure is greater than acceptable by the business or data owner; or when required by policy, law, or regulation.

Agencies shall select cryptographic technology based on the security objectives, applicable policies, laws, regulations and performance requirements.

Cryptographic modules, algorithms, keys and implementations used for State information systems shall be compliant with FIPS 140-2 or its successors.

Use of cryptographic implementations that are not at least FIPS security level 1 compliant or do not meet minimum security requirements defined for security level 1 must be approved by the Senior Agency Information Security Officer (SAISO) and justified in an approved exception request. These cryptographic implementations must also be detailed in the system security plan including any compensating controls and a plan forward to address compliance deficiencies.

When concerns about physical tampering or hacking of the cryptographic module itself exist, use of FIPS security level 2 modules or higher is required.

Agencies shall implement end-to-end cryptographic security controls for, but not limited to, the following:

  • For identity and authentication credentials in storage or transit
  • When non-repudiation is required
  • To store cryptographic algorithm and key information
  • For secure wireless communications
  • For ANY sensitive data, such as transmitting a person’s social security number over the internet or other communications, where the risk of compromise or exposure is higher than acceptable and compensating controls are insufficient

Security officers and/or cryptographic officers shall:

  • Be properly trained to ensure the continued secure operations and maintenance of the cryptographic components and proper destruction or archive of keys when a system is decommissioned.
  • Be notified and participate in any process where cryptographic systems are modified and ensure all changes are in accordance with change management policies and procedures.
  • Be notified when a cryptographic system, encrypted data or transmission is believed to be exposed or compromised.

SUPPLEMENTAL EXCEPTION

Encrypted data shall be decrypted prior to being transferred to the Georgia Archives for long term storage. The Georgia Archives shall assume responsibility for providing appropriate control measures to maintain the confidentiality, integrity, availability and non-repudiation of the information in their charge.

See Georgia Archives - http://www.georgiaarchives.org/

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Use of Cryptography PS-08-024

REFERENCES

  • NIST Computer Security Resource Center - http://csrc.nist.gov/
  • SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
    • SC-12 Cryptographic Key Establishment and Management
    • SC-13 Use of Cryptography
  • FIPS 140-2 Security Requirements for Cryptographic Modules
  • SP 800-12 (chapter 19) Introduction to Computer Security: The NIST Handbook
  • SP 800-21 Guideline for Implementing Cryptography in the Federal Government
  • SP 800-57 Recommendation for Key Management
  • SP 800-56 Recommendations for Pair-Wise Key Establishment Schemes
  • SP 800-63 Electronic Authentication Guideline
  • NIST Cryptographic Key Tool Kit - http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html
  • NIST Cryptographic Module Validation Program - http://csrc.nist.gov/groups/STM/cmvp/index.html

TERMS and DEFINITIONS

Cryptography - A branch of applied mathematics (algorithms) concerned with encrypting and decrypting data such that the sender’s identity (authentication and non-repudiation), data confidentiality, integrity or origin can be assured.

Encryption - The process of converting ordinary information (plain text) into unintelligible character strings (i.e., cipher text).

Decryption - The reverse, moving from unintelligible cipher text to plaintext.

A cipher (or cypher) - A pair of algorithms which perform this encryption and the reversing decryption.

Key (or cryptographic key) - A parameter used in conjunction with a cryptographic algorithm such that an entity with knowledge of the key can perform or reverse the operation (encrypt or decrypt), while an entity without knowledge of the key cannot.

FIPS 140-2 Compliant Cryptographic Modules - Cryptographic implementations including, but not limited to, hardware components or modules, software/firmware programs or modules, or any combination thereof that employ approved security functions such as cryptographic algorithms, cryptographic key management techniques and authentication techniques, and that have been validated through the Cryptographic Module Validation Program (CMVP).

Non-Repudiation - A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party.

Authentication - A process that establishes origin of information or determines an entity’s identity.

Advanced Authentication (also referred to as strong authentication) - Uses techniques that require multi-factor identity credentials to confirm a user’s identity and/or authority to access information resources.

Identity/authentication credentials - Information known only to a user and recognized by the system, such as passwords, private keys, symmetric keys, tokens, biometric data or a digital signature algorithm, used to positively identify that user and allow access to system resources.