Comparing Encryption Standards and Associated Countries


When it comes to protecting classified data, you have your choice of encryption standards. A number of them exist around the world, and each encryption standard has a testing authority and an approval authority. This post covers the most influential and well-known standards for securing data-at-rest (DAR) and what it takes to protect classified information from falling into the wrong hands.

Encryption standards

Type 1 and Commercial Solutions for Classified (CSfC)

The U.S. Government recognizes two basic standards for protecting United States Government (USG) classified data. Both standards are managed by the National Security Agency (NSA).

Type 1

The Type 1 program has been around for decades. While the technology performing the encryption may have changed, the processes and approvals have remained intact. Details regarding the program are not publicly available. Think of the Type 1 program as government off-the-shelf (GOTS). These evaluations are performed by the NSA itself (in conjunction with the vendor), and the products are then “certified.” No public list is available of certified products, but companies may advertise those products separately. Type 1 encryption products are international.

CSfC

The CSfC program was started by NSA a few years back and is gaining traction and infrastructure. The processes are all publicly available and free to read. Think of the CSfC program as commercial off-the-shelf (COTS). While the program is managed by the NSA, the evaluations are performed in the U.S. by the National Information Assurance Partnership (NIAP) following the appropriate Common Criteria (CC) protection profiles. So, while CSfC is mainly a U.S. standard, the results are recognized by 31 other countries.  

FIPS 140-2

Canada and the U.S. share a commercial encryption standard known as FIPS 140-2. This standard is widely known around the world but supported primarily by the U.S. and Canada. “FIPS” (as most people refer to it) is only concerned with encryption and not with the implementation of that encryption (see Common Criteria below). Hence some say that FIPS is an “inch wide and a mile deep.” In the U.S., encryption modules are evaluated and certified by the National Institute of Standards and Technology (NIST). FIPS 140-3 will replace 140-2 in September 2021.  

Common Criteria Recognition Agreement (CCRA)

Currently, 31 countries are part of the CCRA. Of these, 17 are “authorizing” members while 14 are “consuming” members. The authorizing members actively participate in developing the requirements, which are published in documents called “protection profiles.” Evaluations performed in one country are recognized in the other member countries. In the U.S., CC evaluations are performed by NIAP, and the products are then “certified.” In contrast with FIPS, Common Criteria is sometimes said to be a “mile wide and an inch deep.” CC products often use FIPS 140-2 certified encryption modules as the basis for encryption systems.

NATO Information Assurance Product Catalogue (NIAPC)

The North Atlantic Treaty Organization (NATO) publishes a list of information assurance products that may be used in NATO equipment. NATO does not perform a separate evaluation itself, but depends on the host country for that endorsement. For U.S. products, an endorsement must be received from the NSA.

Table 1 shows each of these standards and the countries that recognize them. Type 1 products are GOTS products, subject to International Traffic in Arms Regulations (ITAR) restrictions, and may only be sold to members of the “5 Eyes” or “FVEY.” CSfC, FIPS, and Common Criteria products are typically ITAR-free, allowing export to many approved countries. NIAPC products are approved for use by NATO countries but may also be CSfC approved, CCRA certified, and FIPS 140-2 certified.

To find out more about CSfC encryption, check out our white paper CSfC Series: Data-at-Rest Capability Package 4.8.

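Table 1 - Encryption Standards and Associated Countries

| Countries | Type 1 (5 Eyes) | CSfC | CCRA | FIPS 140-2 | NATO |
|---|---|---|---|---|---|
| United States | X | X | X | X | X |
| Canada | X |  | X | X | X |
| United Kingdom | X |  | X |  | X |
| New Zealand | X |  | X |  |  |
| Australia | X |  | X |  |  |
| France |  |  | X |  | X |
| Germany |  |  | X |  | X |
| India |  |  | X |  | X |
| Italy |  |  | X |  | X |
| Japan |  |  | X |  | X |
| Malaysia |  |  | X |  | X |
| Netherlands |  |  | X |  | X |
| New Zealand |  |  | X |  | X |
| Norway |  |  | X |  | X |
| Republic of Korea |  |  | X |  |  |
| Singapore |  |  | X |  |  |
| Spain |  |  | X |  | X |
| Sweden |  |  | X |  | X |
| Turkey |  |  | X |  | X |
| Austria |  |  | X |  | X |
| Czech Republic |  |  | X |  | X |
| Denmark |  |  | X |  | X |
| Ethiopia |  |  | X |  |  |
| Finland |  |  | X |  |  |
| Greece |  |  | X |  | X |
| Hungary |  |  | X |  | X |
| Indonesia |  |  | X |  |  |
| Israel |  |  | X |  |  |
| Pakistan |  |  | X |  |  |
| Poland |  |  | X |  | X |
| Qatar |  |  | X |  |  |
| Slovak Republic |  |  |  |  | X |
| Belgium |  |  |  |  | X |
| Denmark |  |  |  |  | X |
| Iceland |  |  |  |  | X |
| Luxembourg |  |  |  |  | X |
| Bulgaria |  |  |  |  | X |
| Estonia |  |  |  |  | X |
| Latvia |  |  |  |  | X |
| Lithuania |  |  |  |  | X |
| Montenegro |  |  |  |  | X |
| North Macedonia |  |  |  |  | X |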