Guidance

Encryption of MODII at rest

Updated 22 October 2024

Industry Security Notice Number 2020/07

Subject: Encryption of MODII at rest

Introduction

The UK Defence Supply Base stores, processes, and forwards a significant amount of MOD Identifiable Information (MODII) in digital formats, for which encryption at rest is required.

Issue

This ISN 2020/07 provides interim clarification of the use of Off The Shelf (OTS) products to provide encryption, whilst the MOD and National approaches to endorsement of products and services is reviewed.

Status

This ISN 2020/07 supersedes - ISN 2020/03 and ISN 2018/02, which was issued on 26 April 2018.

It will be noted that all products in ISN 2018/02 which are either:

• a. no longer commercially available and/or

• b. related to obsolescent or obsolete platform versions have been removed from this document.

Action by Industry

Where and when members of the UK Defence Supply Base need to encrypt MOD material in digital formats, they shall follow the stipulations below, in respect of:

• Product Selection

• Product Use

• Security Breaches

Product Selection

The following generic scenarios for encryption at rest are identified:

• Digital Storage Media & Devices (DSMD), comprising of:

• Internal Storage Drives (ISD)

• Removable Storage Media & Devices (RSMD), in particular:

• a. External Storage Drives (ESD)

• b. Flash Storage Devices ^{[footnote 1]} (FSD)

• c. Optical Storage Media ^{[footnote 2]}(OSM)

• d. Individual Files & Folders (IFF)

The need to encrypt will vary depending on the specific scenario; for instance the presumption for portable equipment’s tends to needing encryption, whereas the presumption for servers in protected data centres will tend to not needing encryption.

It should be noted that although this ISN 2020/07 relates to Data At Rest (DAR) protection, the IFF option differs from DSMD in that it can also be used to protect MOD material when being forwarded on RSMD, both as email attachments, and within shared storage scenarios such as “cloud”. This use of DAR encryption for attachments and shared storage differs from Data In Motion (DIM) protection, which relates to the encryption of the communication media itself.

In all cases where DAR encryption is used to protect information being forwarded, the encryption key or password shall be securely transmitted by separate means to that used for the encrypted material.

At present MOD recognises two types of legacy Endorsement for encryption products for Digital Storage Media & Devices:

• Approved - evaluation and certification by NCSC ^{[footnote 3]}

• Acceptable - evaluated by the Technical Authorities of another nation and/or approved by the former DIPCOG ^{[footnote 4]}

Where multiple options to protect MOD material exist, the presumption shall be that an approved solution is preferred over an acceptable solution for any new acquisition, and any variation from this presumption must be explicitly agreed with the risk owner.

Annex A provides a summary of such legacy endorsements currently retained for products that are still available and maintained. This will continue to apply until both NCSC and MOD approval processes mature, after which an updated ISN will be issued as appropriate.

It is recognised that there may be a requirement to use products that are not included at Annex A, and in such cases encryption products that have not been through any approval process may be considered if there is sufficient justification for doing so and the risks associated with them have been assessed, managed and agreed as part of the Accreditation process. When choosing such a product, it is recommended that only those carrying an official certification of evaluation from a trusted organisation, such as the legacy CSIA ^{[footnote 5]} Claims Tested Mark (CCT Mark), or FIPS-140 assurance under the Crypto Module Validation Program (CMVP), are considered for use.

In all cases, the selection of encryption products should be documented in the Risk Management and Accreditation Document Set (RMADS). Use of products not on the list must be highlighted to the relevant Risk Owner for a decision.

Where continued use of existing products that are no longer still available and/or maintained is planned, and/or the platform which they protect is either obsolescent or obsolete, this must be highlighted to the relevant Risk Owner for a decision.

Product Use

Once encrypted, the MOD material must still be protected in accordance with all relevant control measures for the classification.

Some encryption products, especially those at High Grade (HG), will force compliance to a password of set length and complexity, whereas others will allow the user a certain amount of flexibility. Current NCSC guidance on passwords advocates balancing risk against a simpler approach to password management.

Password complexity should be set appropriately against requirement; a longer more complex password may be appropriate for any DMSD that is to be sent to an external party using a shared password, whereas a more memorable passphrase may be used when retained within a secure environment. Shared passwords should be transported and secured separately from the media with which it is associated.

It is stressed that the selection and usage of an approved or accepted generic product or service cannot be assumed to cover all risk in specific instances, and furthermore that endorsements are given at a particular moment in time. It is therefore important to:

• Consider the product or service in the context in which it is to be used

• Ensure that the product or service is clearly identified within evidence given to any independent authorising party (for Defence and much of Defence Industry, typically the accreditor)

• Maintain the product or service throughout its lifecycle

• Monitor for disclosed vulnerabilities

• Share any encountered problems, and in particular susceptibilities, with relevant colleagues, include MOD through the Defence Industry WARP (DefIndWARP)

Security Breaches

All confirmed or suspected breaches involving MOD information must be accurately and quickly reported to your Security Officer, in line with your company procedures, for onward transmission as necessary to DefIndWARP. The report should include details of quantities, location(s), overall classification (taking into account aggregation) and any handling instructions or need-to-know restrictions.

Validity / Expiry Date

This ISN 2020/07 will expire when superseded or withdrawn.

MOD Point of Contact Details

The point of contact in respect of this ISN is:

Info & Info-Cyber Policy Team Directorate of Cyber Defence & Risk (CyDR) Ministry of Defence

Tel: +44-20-721-83746 (PSTN)

Email: ISSDes-DAIS-CIISPInfoSyPol@mod.gov.uk (Multiuser)

Annexes

Annex A. Table of Endorsed Encryption Products

ISN 2020/03

Keys:

• ISD – Internal Storage Devices

• ESD – External Storage Devices

• FSD – Flash Storage Devices

• Optical Storage Media

• IFF – Individual Files and Folders

Serial	Encryption Product	Highest Classification	Type	Application					Reduction in Classification	Remarks
				ISD	ESD	FSD	OSM	IFF
20-L-01	BeCrypt Protect Commercial Product Assurance	OFFICIAL (all types)	Approved	✓	✓	✓			None - As original information.
20-L-02	iStorage diskAshur DT2 HDD	OFFICIAL (all types)	Approved		✓				None - As original information.
20-L-03	iStorage diskAshur PRO2 HDD/SDD	OFFICIAL (all types)	Approved		✓				None - As original information.
20-L-04	L3 TRL Technology CATAPAN® SDV	TOP SECRET	Approved		✓				OFFICIAL
20-L-05	Lumension Endpoint Security Device Control	OFFICIAL (all types)	Acceptable		✓	✓	✓	✓	None - As original information.	Formerly Sanctuary. Requires version 4.3.2 onwards.
20-L-06	Microsoft BitLocker7	OFFICIAL (all types)	Approved	✓					None - As original information.
20-L-07	SDMS Secure Drive	SECRET	Acceptable		✓				None - As original information.

Serial	Encryption Product	Highest Classification	Type	Application					Reduction in Classification	Remarks
				ISD	ESD	FSD	OSM	IFF
20-L-08	SDMS Mk III AESLock Encrypted USB Sticks	OFFICIAL (all types)	Acceptable			✓			None - As original information.	Colour-coded BUFF
		SECRET	Acceptable			✓			None - As original information	Colour-coded PINK. MUST be Isolator variant
20-L-09	ViaSat Eclypt 300 Core Baseline	OFFICIAL (all types)	Approved	✓					None - As original information.
20-L-10	ViaSat Eclypt 300 Freedom Baseline	OFFICIAL (all types)	Approved		✓				None - As original information.
20-L-11	ViaSat Eclypt 600 Freedom	TOP SECRET	Approved		✓				Varies	Refer to associated NCSC Security Procedures
20-L-12	ViaSat Eclypt 300 Nano Baseline	OFFICIAL (all types)	Approved			✓			None - As original information.
20-L-13	ViaSat Eclypt 400 Core Baseline Plus	OFFICIAL (all types)	Approved	✓					None - As original information.
20-L-14	ViaSat Eclypt 400 Freedom Baseline Plus	OFFICIAL (all types)	Approved		✓				None - As original information.
20-L-15	ViaSat Eclypt 400 Nano Baseline Plus	OFFICIAL (all types)	Approved			✓			None - As original information.

Serial	Encryption Product	Highest Classification	Type	Application					Reduction in Classification	Remarks
				ISD	ESD	FSD	OSM	IFF
20-L-16	ViaSat Eclypt 600 Core Enhanced	TOP SECRET	Approved [footnote 6]	✓					Varies	Refer to associated NCSC Security Procedures
20-L-17	ViaSat Eclypt 600 Nano Enhanced	TOP SECRET	Approved			✓			Varies	Refer to associated NCSC Security Procedures
20-L-18	WinZip	OFFICIAL (all types)	Acceptable			✓	✓	✓	None - As original information.	Previous guidance stated only WinZip 10 and upwards should be used; however the newest version available should be selected

1. Typically referred to as “USB Sticks”. ↩

2. In particular, CDs and DVDs. ↩

3. National Cyber Security Centre, previously CESG. ↩

4. The former MOD/Industry Defence Infosec Product Cooperation Group. ↩

5. Laterally CESG. ↩

6. NOTE: The approved products list is taken from the NCSC website and is correct as of publication date of this ISN; however service providers are recommended to check for any changes to the list. ↩