
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-8-3

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-8-3

January 17, 2026
4 min read


Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-8-3 – The cybersecurity requirements for cryptography must include at least the requirements in the National Cryptographic Standards; published by NCA and each national entity is required to choose and implement the appropriate cryptographic standard level based on the nature and sensitivity of the data, systems and networks to be protected, and based on the risk assessment by the entity; and as per related laws and regulations; according to the following:

Understanding the Requirement

This control requires organizations to adopt cryptographic controls that meet the National Cryptographic Standards and to select the appropriate standard level based on a documented risk assessment and data sensitivity. The three objectives (2-8-3-1, 2-8-3-2 and 2-8-3-3) imply: classify data and systems by sensitivity; map protection requirements to the national standard levels; and implement cryptographic mechanisms, key lifecycle and procedural controls accordingly. This control is part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and expects both technical and governance measures so that cryptography is applied consistently and auditably across the entity.

Technical Implementation

  • Perform a cryptography-focused risk assessment and data classification. Inventory all data repositories and services that use or should use cryptography (web apps, email, databases, backups, endpoints). Classify data (e.g., public, internal, confidential, regulated) and document the protection level required by the National Cryptographic Standards for each class.
  • Select algorithms and key sizes per the national standard. Enforce approved algorithms (for example, AES-256 or the standard-approved symmetric ciphers; RSA/ECC key sizes or national curves as required) and hashing (SHA-2/3 family if specified). Update configurations to disallow deprecated ciphers, weak hashes, and short key lengths on servers, appliances, and client software.
  • Harden transport and application crypto settings. Require TLS 1.2+ (preferably TLS 1.3) across public-facing and internal services, explicitly configure secure cipher suites and forward secrecy, disable SSL/early TLS, and enable HSTS where appropriate. For APIs and internal services, use mutual TLS or strong token-based alternatives if required by the standard.
  • Implement robust key and certificate lifecycle management. Use a centralized Key Management Service (KMS) or cloud KMS/HSM for high-sensitivity keys, enforce access controls and separation of duties, document cryptoperiods and rotation schedules, automate certificate issuance and renewal where possible, and maintain secure key backup and destruction procedures.
  • Encrypt data at rest and in transit with practical controls. Apply full-disk or file-level encryption on laptops and servers holding sensitive data, enable database encryption, and protect backups. Ensure encryption implementations use approved modes (e.g., AES-GCM) and that keys are never stored alongside plaintext data.
  • Governance, monitoring, and change control. Maintain written crypto policy that maps data classes to required cryptographic levels, include cryptography requirements in procurement and vendor contracts, perform periodic crypto configuration scans and certificate inventories, and review cryptographic implementations after platform or standard changes.
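The mapping, hardening and periodic-scan steps above can be tied together in a small audit script. The following is an added example (not code from the original article or from any national standard): it assumes an illustrative policy table that maps each data class to a minimum TLS version, RSA key size and key cryptoperiod, and runs a constructed service inventory against it to produce the kind of findings a quarterly certificate and crypto-configuration review would record.

```python
from datetime import date, timedelta

# Illustrative policy (constructed for this example, not the NCA's actual levels):
# each data class maps to the minimum protection an entity assigns after its risk assessment.
POLICY = {
    "public":       {"min_tls": (1, 2), "min_rsa_bits": 2048, "max_key_age_days": 730},
    "internal":     {"min_tls": (1, 2), "min_rsa_bits": 2048, "max_key_age_days": 365},
    "confidential": {"min_tls": (1, 3), "min_rsa_bits": 3072, "max_key_age_days": 365},
}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5")  # substrings of deprecated suites
WEAK_SIG_HASHES = ("md5", "sha1")
CERT_WARN_DAYS = 30          # flag certificates expiring within this window
AUDIT_DATE = date(2026, 1, 17)

def audit_service(svc, today):
    """Return the policy findings for one inventory entry (empty list = compliant)."""
    rules = POLICY[svc["data_class"]]
    findings = []
    if svc["tls_version"] < rules["min_tls"]:            # tuple compare, e.g. (1, 2) < (1, 3)
        findings.append("tls_version_below_policy")
    weak = [c for c in svc["ciphers"] if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak_cipher:" + ",".join(weak))
    if svc["key_type"] == "RSA" and svc["key_bits"] < rules["min_rsa_bits"]:
        findings.append("rsa_key_too_short")
    if svc["sig_hash"].lower() in WEAK_SIG_HASHES:
        findings.append("weak_signature_hash")
    if (svc["cert_expires"] - today).days < CERT_WARN_DAYS:
        findings.append("cert_expiring_soon")
    if (today - svc["key_created"]).days > rules["max_key_age_days"]:
        findings.append("key_rotation_overdue")
    return findings

def audit_inventory(inventory, today):
    """Map service name -> findings so the report can feed the audit evidence log."""
    return {svc["name"]: audit_service(svc, today) for svc in inventory}

def _entry(name, cls, tls, ciphers, bits, sig, exp_days, key_age_days):
    return {"name": name, "data_class": cls, "tls_version": tls, "ciphers": ciphers,
            "key_type": "RSA", "key_bits": bits, "sig_hash": sig,
            "cert_expires": AUDIT_DATE + timedelta(days=exp_days),
            "key_created": AUDIT_DATE - timedelta(days=key_age_days)}

# Constructed sample inventory (fictional services, not real hosts).
SAMPLE_INVENTORY = [
    _entry("client-portal", "confidential", (1, 3), ["TLS_AES_256_GCM_SHA384"], 3072, "sha256", 200, 100),
    _entry("backup-api", "confidential", (1, 2), ["ECDHE-RSA-AES256-GCM-SHA384"], 2048, "sha256", 90, 30),
    _entry("legacy-intranet", "internal", (1, 0), ["ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA"], 2048, "sha1", 10, 400),
]
```

Calling `audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)` returns an empty list for the hardened portal and a list of findings for the other two services; in practice the inventory would be populated from a TLS scanner and the certificate store rather than constructed inline.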

Example in a Small or Medium Business

An SMB accounting firm with 30 employees holds client financial records and tax documents that are regulated and sensitive. The firm performs a quick risk assessment, classifies client ledgers and tax returns as "confidential," and maps that classification to the national cryptographic standard level requiring strong symmetric encryption and secure key management. They enable TLS 1.3 with approved cipher suites on their client portal and internal VPN, and configure their web servers to disable weak ciphers and old TLS versions. For data at rest they enable AES-256 file encryption on servers and require full-disk encryption on all employee laptops using OS-native solutions tied to enterprise credentials and TPM. The firm subscribes to a managed cloud KMS for encryption keys, limits KMS access to two administrators through role-based access controls, and documents key rotation every 12 months with automated reminders. They also include cryptographic requirements in contracts with their cloud backup provider and require evidence of compliance when onboarding vendors. Finally, they maintain a short cryptography policy, perform quarterly certificate inventory scans, and log certificate expirations and key usage to demonstrate compliance during audits.

Summary

Meeting Control 2-8-3 means combining a risk-based selection of national-standard cryptography with clear operational controls: classify data, map required protection levels, implement approved algorithms and hardened transport settings, and manage keys and certificates centrally with enforced rotation and access controls. For SMBs, practical steps—centralizing key management, applying OS and cloud-native encryption features, automating certificate tasks, and documenting policies—create an auditable, maintainable cryptographic posture that satisfies the national standard and reduces exposure from weak or mismanaged cryptography.
