Requirement:

The cybersecurity requirements for cryptography must include at least the requirements in the National Cryptographic Standards published by the NCA. Each national entity is required to choose and implement the appropriate cryptographic standard level based on the nature and sensitivity of the data, systems and networks to be protected, based on the entity's own risk assessment, and as per related laws and regulations, according to the following:

Sub-Controls:

2-8-3-1:
Requirement:
Approved cryptographic systems and solutions standards and their technical and regulatory limitations.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
  • Define standard controls of approved cryptographic solutions and use NCA's cryptographic standard controls, including, but not limited to:
    • Acceptable symmetric and asymmetric cryptographic fundamentals
    • PKI Procedures
    • Key Cycle Management Procedure
  • Define standard controls and technical limitations of approved cryptographic solutions and ensure their compliance with national cryptography standard controls, including but not limited to:
    • Acceptable symmetric and asymmetric cryptographic designs
    • Acceptable common application protocols related to cryptography
    • PKI technologies and tools
    • Key cycle management techniques and tools
Expected Deliverables:
  • Cryptography standard controls document approved by the organization (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such standard controls (e.g., via the organization's official e-mail, paper or electronic signature)
  • Evidence showing the implementation of the requirements of the approved technical cryptographic solutions standard controls and the restrictions applied to them (e.g., a screenshot showing evidence of ensuring that modern and advanced technologies are used to implement the standard controls of approved technical cryptography solutions and the restrictions applied to all systems in the organization)
2-8-3-2:
Requirement:
Secure management of cryptographic keys during their lifecycles.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
  • Define and approve procedures for the secure management of cryptographic keys during their lifecycle
  • Define and implement appropriate and advanced techniques for the secure management of cryptographic keys during their lifecycle, including, but not limited to:
    • Cryptographic key storage mechanism
    • Cryptographic key transfer mechanism
    • Key creation and destruction mechanism
  • Review the effectiveness of technologies used for the secure management of cryptographic keys
Expected Deliverables:
  • Cybersecurity policy that covers all the requirements of cryptography in the organization (e.g., electronic copy or official hard copy)
  • Cybersecurity procedure that covers all the requirements of cryptographic keys management in the organization (e.g., electronic copy or official hard copy)
  • Document that defines the technology effectiveness review cycle used for the secure management of cryptographic keys during their lifecycle
  • Formal approval by the head of the organization or his/her deputy on such documents (e.g., via the organization's official e-mail, paper or electronic signature)
  • Evidence that the secure management requirements for cryptographic keys are implemented throughout their lifecycle (e.g., a screenshot showing evidence to ensure that cryptographic key settings are configured to the best standard controls for the secure management of cryptographic keys during their lifecycle)
2-8-3-3:
Requirement:
Encryption of data in-transit, at-rest, and while processing as per classification and related laws and regulations.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
  • Define appropriate and advanced technologies to encrypt data in transit based on their classification, including but not limited to:
    • TLS (Transport Layer Security) must be used
  • Review the effectiveness of technologies used to encrypt data in transit based on classification
  • Define appropriate and advanced technologies to encrypt data in storage based on their classification, including but not limited to:
    • TDE (Transparent Data Encryption) must be used
  • Review the effectiveness of technologies used to encrypt data in storage based on classification
Expected Deliverables:
  • Cryptography of data in transit document approved by the organization (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such procedures (e.g., via the organization's official e-mail, paper or electronic signature)
  • Evidence that data-in-transit cryptography requirements are implemented based on data classification (e.g., but not limited to, a screenshot showing the implementation of data-in-transit encryption based on its classification)
  • Cryptography of data in storage document approved by the organization (e.g., electronic copy or official hard copy)
  • Evidence that data-in-storage cryptography requirements are implemented based on data classification (e.g., but not limited to, a screenshot showing the implementation of data-in-storage encryption based on its classification)