Encryption of MODII at rest
Updated 5 December 2024
Industry Security Notice Number 2020/07
Subject: Encryption of MODII at rest
Introduction
The UK Defence Supply Base stores, processes, and forwards a significant amount of MOD Identifiable Information (MODII) in digital formats, for which encryption at rest is required.
Issue
This ISN 2020/07 provides interim clarification of the use of Off The Shelf (OTS) products to provide encryption, whilst the MOD and National approaches to endorsement of products and services is reviewed.
Status
This ISN 2020/07 supersedes - ISN 2020/03 and ISN 2018/02, which was issued on 26 April 2018.
It will be noted that all products in ISN 2018/02 which are either:
-
a. no longer commercially available and/or
-
b. related to obsolescent or obsolete platform versions have been removed from this document.
Action by Industry
Where and when members of the UK Defence Supply Base need to encrypt MOD material in digital formats, they shall follow the stipulations below, in respect of:
• Product Selection
• Product Use
• Security Breaches
Product Selection
The following generic scenarios for encryption at rest are identified:
• Digital Storage Media & Devices (DSMD), comprising of:
• Internal Storage Drives (ISD)
• Removable Storage Media & Devices (RSMD), in particular:
-
a. External Storage Drives (ESD)
-
b. Flash Storage Devices [footnote 1] (FSD)
-
c. Optical Storage Media [footnote 2](OSM)
-
d. Individual Files & Folders (IFF)
The need to encrypt will vary depending on the specific scenario; for instance the presumption for portable equipment’s tends to needing encryption, whereas the presumption for servers in protected data centres will tend to not needing encryption.
It should be noted that although this ISN 2020/07 relates to Data At Rest (DAR) protection, the IFF option differs from DSMD in that it can also be used to protect MOD material when being forwarded on RSMD, both as email attachments, and within shared storage scenarios such as “cloud”. This use of DAR encryption for attachments and shared storage differs from Data In Motion (DIM) protection, which relates to the encryption of the communication media itself.
In all cases where DAR encryption is used to protect information being forwarded, the encryption key or password shall be securely transmitted by separate means to that used for the encrypted material.
At present MOD recognises two types of legacy Endorsement for encryption products for Digital Storage Media & Devices:
• Approved - evaluation and certification by NCSC [footnote 3]
• Acceptable - evaluated by the Technical Authorities of another nation and/or approved by the former DIPCOG [footnote 4]
Where multiple options to protect MOD material exist, the presumption shall be that an approved solution is preferred over an acceptable solution for any new acquisition, and any variation from this presumption must be explicitly agreed with the risk owner.
Annex A provides a summary of such legacy endorsements currently retained for products that are still available and maintained. This will continue to apply until both NCSC and MOD approval processes mature, after which an updated ISN will be issued as appropriate.
It is recognised that there may be a requirement to use products that are not included at Annex A, and in such cases encryption products that have not been through any approval process may be considered if there is sufficient justification for doing so and the risks associated with them have been assessed, managed and agreed as part of the Accreditation process. When choosing such a product, it is recommended that only those carrying an official certification of evaluation from a trusted organisation, such as the legacy CSIA [footnote 5] Claims Tested Mark (CCT Mark), or FIPS-140 assurance under the Crypto Module Validation Program (CMVP), are considered for use.
In all cases, the selection of encryption products should be documented in the Risk Management and Accreditation Document Set (RMADS). Use of products not on the list must be highlighted to the relevant Risk Owner for a decision.
Where continued use of existing products that are no longer still available and/or maintained is planned, and/or the platform which they protect is either obsolescent or obsolete, this must be highlighted to the relevant Risk Owner for a decision.
Product Use
Once encrypted, the MOD material must still be protected in accordance with all relevant control measures for the classification.
Some encryption products, especially those at High Grade (HG), will force compliance to a password of set length and complexity, whereas others will allow the user a certain amount of flexibility. Current NCSC guidance on passwords advocates balancing risk against a simpler approach to password management.
Password complexity should be set appropriately against requirement; a longer more complex password may be appropriate for any DMSD that is to be sent to an external party using a shared password, whereas a more memorable passphrase may be used when retained within a secure environment. Shared passwords should be transported and secured separately from the media with which it is associated.
It is stressed that the selection and usage of an approved or accepted generic product or service cannot be assumed to cover all risk in specific instances, and furthermore that endorsements are given at a particular moment in time. It is therefore important to:
• Consider the product or service in the context in which it is to be used
• Ensure that the product or service is clearly identified within evidence given to any independent authorising party (for Defence and much of Defence Industry, typically the accreditor)
• Maintain the product or service throughout its lifecycle
• Monitor for disclosed vulnerabilities
• Share any encountered problems, and in particular susceptibilities, with relevant colleagues, include MOD through the Defence Industry WARP (DefIndWARP)
Security Breaches
All confirmed or suspected breaches involving MOD information must be accurately and quickly reported to your Security Officer, in line with your company procedures, for onward transmission as necessary to DefIndWARP. The report should include details of quantities, location(s), overall classification (taking into account aggregation) and any handling instructions or need-to-know restrictions.
Validity / Expiry Date
This ISN 2020/07 will expire when superseded or withdrawn.
MOD Point of Contact Details
The point of contact in respect of this ISN is:
Info & Info-Cyber Policy Team Directorate of Cyber Defence & Risk (CyDR) Ministry of Defence
Tel: +44-20-721-83746 (PSTN)
Email: ISSDes-DAIS-CIISPInfoSyPol@mod.gov.uk (Multiuser)
Annexes
Annex A. Table of Endorsed Encryption Products
ISN 2020/03
Keys:
-
ISD – Internal Storage Devices
-
ESD – External Storage Devices
-
FSD – Flash Storage Devices
-
Optical Storage Media
-
IFF – Individual Files and Folders
Serial | Encryption Product | Highest Classification | Type | Application | Reduction in Classification | Remarks | ||||
---|---|---|---|---|---|---|---|---|---|---|
ISD | ESD | FSD | OSM | IFF | ||||||
20-L-01 | BeCrypt Protect Commercial Product Assurance | OFFICIAL (all types) | Approved | ✓ | ✓ | ✓ | None - As original information. | |||
20-L-02 | iStorage diskAshur DT2 HDD | OFFICIAL (all types) | Approved | ✓ | None - As original information. | |||||
20-L-03 | iStorage diskAshur PRO2 HDD/SDD | OFFICIAL (all types) | Approved | ✓ | None - As original information. | |||||
20-L-04 | L3 TRL Technology CATAPAN® SDV | TOP SECRET | Approved | ✓ | OFFICIAL | |||||
20-L-05 | Lumension Endpoint Security Device Control | OFFICIAL (all types) | Acceptable | ✓ | ✓ | ✓ | ✓ | None - As original information. | Formerly Sanctuary. Requires version 4.3.2 onwards. | |
20-L-06 | Microsoft BitLocker7 | OFFICIAL (all types) | Approved | ✓ | None - As original information. | |||||
20-L-07 | SDMS Secure Drive | SECRET | Acceptable | ✓ | None - As original information. |
Serial | Encryption Product | Highest Classification | Type | Application | Reduction in Classification | Remarks | ||||
---|---|---|---|---|---|---|---|---|---|---|
ISD | ESD | FSD | OSM | IFF | ||||||
20-L-08 | SDMS Mk III AESLock Encrypted USB Sticks | OFFICIAL (all types) | Acceptable | ✓ | None - As original information. | Colour-coded BUFF | ||||
SECRET | Acceptable | ✓ | None - As original information | Colour-coded PINK. MUST be Isolator variant | ||||||
20-L-09 | ViaSat Eclypt 300 Core Baseline | OFFICIAL (all types) | Approved | ✓ | None - As original information. | |||||
20-L-10 | ViaSat Eclypt 300 Freedom Baseline | OFFICIAL (all types) | Approved | ✓ | None - As original information. | |||||
20-L-11 | ViaSat Eclypt 600 Freedom | TOP SECRET | Approved | ✓ | Varies | Refer to associated NCSC Security Procedures | ||||
20-L-12 | ViaSat Eclypt 300 Nano Baseline | OFFICIAL (all types) | Approved | ✓ | None - As original information. | |||||
20-L-13 | ViaSat Eclypt 400 Core Baseline Plus | OFFICIAL (all types) | Approved | ✓ | None - As original information. | |||||
20-L-14 | ViaSat Eclypt 400 Freedom Baseline Plus | OFFICIAL (all types) | Approved | ✓ | None - As original information. | |||||
20-L-15 | ViaSat Eclypt 400 Nano Baseline Plus | OFFICIAL (all types) | Approved | ✓ | None - As original information. |
Serial | Encryption Product | Highest Classification | Type | Application | Reduction in Classification | Remarks | ||||
---|---|---|---|---|---|---|---|---|---|---|
ISD | ESD | FSD | OSM | IFF | ||||||
20-L-16 | ViaSat Eclypt 600 Core Enhanced | TOP SECRET | Approved [footnote 6] | ✓ | Varies | Refer to associated NCSC Security Procedures | ||||
20-L-17 | ViaSat Eclypt 600 Nano Enhanced | TOP SECRET | Approved | ✓ | Varies | Refer to associated NCSC Security Procedures | ||||
20-L-18 | WinZip | OFFICIAL (all types) | Acceptable | ✓ | ✓ | ✓ | None - As original information. | Previous guidance stated only WinZip 10 and upwards should be used; however the newest version available should be selected |
-
Typically referred to as “USB Sticks”. ↩
-
In particular, CDs and DVDs. ↩
-
National Cyber Security Centre, previously CESG. ↩
-
The former MOD/Industry Defence Infosec Product Cooperation Group. ↩
-
Laterally CESG. ↩
-
NOTE: The approved products list is taken from the NCSC website and is correct as of publication date of this ISN; however service providers are recommended to check for any changes to the list. ↩