Exploring the EO’s Encryption Requirement
Posted by: Jean-Paul Bergeaux
Past encryption requirements told government agencies to encrypt at-rest data that was deemed high value. Because determining what counts as high-value data is discretionary, many agencies have resisted encrypting all data and workloads at rest. There have been many internal battles about whether a file share or database should be encrypted, most often started by application owners concerned with the performance penalty of encrypting “everything.”
One impact of the new Executive Order is that it extends the at-rest encryption requirement to almost all data and adds a new requirement for data in transit. This means that agencies will no longer have wiggle room on encrypting data at rest. Additionally, the requirement to encrypt data in transit does not specify whether it applies only to application workload access utilizing TLS or also to traffic between systems internal to a network. The latter would imply east-west traffic, which would require new encryption solutions. Initial conversations with agencies have confirmed that most are waiting for clarifications and assuming that their current TLS encryption for application workloads meets the requirement.
If clarifications indicate that the in-transit requirements go beyond TLS deployments and do apply to internal network traffic, agencies will need to consider new technologies that can achieve compliance without impacting performance. The good news is that this can be done! Some of the better solutions for this do not require an invasive redesign of systems and networks; instead, they “live off the land,” relying on the inherent functionality of open systems.
Jean-Paul Bergeaux
Chief Technology Officer - Federal,
GuidePoint Security
With more than 18 years of experience in the federal technology industry, Jean-Paul is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData.
Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for federal IT managers, such as cyber security, VDI, big data, and backup and recovery.