Page:FACT SHEET - CNSS Policy No. 15, Fact Sheet No. 1.pdf/2

CNSS Policy No. 15, FS-1 June 2003 :- The uniqueness of the classified information to be protected; and/or
 * - Requirements for interoperability both domestically and internationally.

(3) The above realities dictate the adoption of a flexible and adaptable strategy that encourages the use of a mix of appropriately implemented NSA-developed algorithms, and those available within the public domain.

Scope

(4) This policy is applicable to all U.S. Government Departments or Agencies that are considering the acquisition or use of products incorporating the Advanced Encryption Standard (AES) to satisfy Information Assurance (IA) requirements associated with the protection of national security systems and /or national security information.

Policy

(5) NSA-approved cryptography is required to protect (i.e., to provide confidentiality, authentication, non-repudiation, integrity, or to ensure system availability) national security systems and national security information at all classification levels.

(6) The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.

(7) Subject to policy and guidance for non-national security systems and information (e.g., FIPS 140-2), U.S. Government Departments and Agencies may wish to consider the use of security products that implement AES for IA applications where the protection of systems or information, although not classified, nevertheless, may be critical to the conduct of organizational missions. This would include critical infrastructure protection and homeland security activities as addressed in Executive Order 13231, Subject: Critical Infrastructure Protection in the Information Age (dated 16 October 2001), and Executive Order 13228, Subject: Homeland Security (dated 8 October 2001), respectively. Evaluations of products employing AES for these types of applications are subject to review and approval by the National Institute of Standards and Technology (NIST) in accordance with the requirements of Federal Information Processing Standard (FIPS) 140-2.