Re: Meeting IRS requirements for encrypted transmission of FTI

["Fred Baker (fred)" <fred () cisco com>]

Dumb question. So this is essentially physical or link layer encryption. That’s fine out on the wire, but is decrypted 
in memory (if I understand what you said), and requires point to point connectivity to be any better than that. Are you 
aware of anyone at NIST or other places suggesting end to end encryption?

> On Apr 2, 2015, at 3:13 PM, Watson, Bob <Bob.Watson () wwt com> wrote:
>
>
> Macsec use cases are valid when working with hop by hop encryption needs between closets / buildings where structured 
> wiring is not within control of agency personnel,  in the case of other states we provide consulting services to,  
> think multi tenant building with shared closet from other state agencies or building leases with outsourced cabling.  
> Router / firewall based Vpn is an option as well if transiting a consolidated state network or sp based public or 
> private network.  The physical sec control to mitigate true end to end helps reign back some of the costed options.
>
>
> 9.3.16.6 Transmission Confidentiality and Integrity (SC-8)
>
> Information systems that receive, process, store, or transmit FTI, must:
>
> a. Protecttheconfidentialityandintegrityoftransmittedinformation.
> b. Implement cryptographic mechanisms to prevent unauthorized disclosure of FTI
>
> and detect changes to information during transmission across the wide area network (WAN) and within the local area 
> network (LAN). (CE1)
>
> If encryption is not used, to reduce the risk of unauthorized access to FTI, the agency must use physical means 
> (e.g., by employing protected physical distribution systems) to ensure that FTI is not accessible to unauthorized 
> users. The agency must ensure that all network infrastructure, access points, wiring, conduits, and cabling are 
> within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and 
> monitor for suspicious network traffic. For physical security protections of transmission medium, see Section 
> 9.3.11.4, Access Control for Transmission Medium (PE-4).
>
> This control applies to both internal and external networks and all types of information system components from which 
> information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax 
> machines).
>
> Sent from my iPad
>
> On Apr 2, 2015, at 2:15 PM, Hunt, Fred - DCF <Fred.Hunt () wisconsin gov<mailto:Fred.Hunt () wisconsin gov>> wrote:
>
> Does anyone have previous experience meeting IRS requirements for the encrypted transmission of FTI across a LAN and 
> WAN, specifically the requirements called for in IRS Publication 1075?
> The IRS tests for the following:
> All FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area 
> Network (LAN).   If FTI is transmitted over a LAN or WAN it is encrypted with FIPS 140-2 validated encryption, using 
> at least a 128-bit encryption key.
>
> MACsec is what we are looking at right now.  I'm wondering if anyone who has been through such an implementation 
> could share lessons learned, gotchas, etc.
>
> Any input is appreciated?
>
> Fred

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail