UCF STIG Viewer Logo

ECCT-1 Encryption for Confidentiality (Data at Transmit)


Unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography (See also DCSR-2).

MAC / CONF Impact Subject Area
SENSITIVE Medium Enclave Computing Environment


Without protecting unclassified, sensitive information using encryption methods, sensitive data transmitted through unprotected network could be disclosed, modified, or destroyed by unauthorized users.  This implementation guide is aimed to help system engineering teams implement proper cryptography to protect sensitive information transmitted through a commercial or wireless network.

The system engineering team (e.g., project manager, system engineers, security engineer, and IA personnel) shall perform the following:
1. Identify a list of NIST-certified cryptography (3DES, AES) to encrypt unclassified, sensitive information transmitted through a commercial or wireless network
2. Research vendor products (e.g., virtual private network [VPN], secure sockets layer [SSL], secure shell [SSH]) using NIST-certified cryptography
3. Perform an analysis of advantages and disadvantages of individual encryption products based on system’s operational requirements and available fund
4. Select an encryption product (with the latest version) that is the most suitable to the system’s environment to encrypt sensitive data transmitted
5. Install and test the encryption capability in a lab environment to ensure that sensitive data transmitted in encryption through a commercial or wireless network
6. Implement the device into the system in the operational environment


  • DISA Wireless STIG, 15 April 2004
  • FIPS 197, Advanced Encryption Standard. 26 November 2001
  • FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001
  • NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, November 1999
  • NIST SP 800-67, Recommendation for the Tripe Data Encryption Algorithm (TDEA) Block Cipher, May 2004
  • NIST SP 800-36, Guide to Selecting Information Security Products, October 2003