UCF STIG Viewer Logo

ECCR-2 Encryption for Confidentiality (Data at Rest)


If required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-SAMI information.

MAC / CONF Impact Subject Area
CLASSIFIED Medium Enclave Computing Environment


Without proper cryptography methods being used, it would affect the confidentiality, integrity, and availability of classified non-SAMI information.  This implementation guide is aimed to help information owners implement proper cryptography to protect all classified non-SAMI information stored within the enclave.

1. The information owner shall determine whether non-SAMI in the classified enclave requires encryption-at-rest to protect privacy and need-to-know.
2. If the classified enclave contains non-SAMI, the system engineering team (e.g., project manager, system engineers, and IA personnel) shall perform the following:
  a. Identify a list of NIST-certified cryptography algorithms and keys (e.g., 3DES, AES) that can encrypt stored classified non-SAMI information
  b. Research vendors products that have been certified based on NIST-certified cryptography
  c. Perform an analysis of advantages and disadvantages of individual cryptography products based on system’s operational requirements and available fund
  d. Select a product that is the most suitable to the system’s environment to encrypt classified non-SAMI information
  e. Test the encryption capability in a lab environment
  f. Implement the NIST-approved cryptography into the system in the operational environment


  • FIPS 197, Advanced Encryption Standard. 26 November 2001
  • FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001
  • NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, November 1999
  • NIST SP 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, May 1004
  • NIST SP 800-36, Guide to Selecting Information Security Products, October 2003