Cryptographic controls are implemented for data at rest and data in transit for selected data categories
Context and Guidance:

This practice builds on ARCHITECTURE-5a, ARCHITECTURE-5b, and ARCHITECTURE-5c by introducing cryptographic controls. The cybersecurity architecture supports the establishment and maintenance of cryptographic controls for the protection of data at rest or in transit. This includes the selection, retirement, and replacement of cryptographic controls to keep pace with changes in technology (such as quantum computing). It embodies design decisions and rationales about the desired level of encryption. For example, some cryptographic algorithms perform better than others, so there are tradeoffs between strength of encryption and system performance and ease of maintenance.

There are also design considerations for data at rest, such as full disk encryption, file-based encryption, and container-based encryption. Data at rest may include data stored within dormant virtualised assets.

The term "selected data categories" is used in this practice to signify that organisations should explicitly select the types of data that are required to be encrypted during transit. For example, the organisation may elect not to encrypt OT signals on an isolated network but may require encryption for all data in transit in a web-facing application.
Related Practices

• Input From: Implementing ASSET-2c provides input that may be useful for implementing this practice.

• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ARCHITECTURE-5a, ARCHITECTURE-5b, ARCHITECTURE-5c, ARCHITECTURE-5d, ARCHITECTURE-5e, ARCHITECTURE-5f, ARCHITECTURE-5g, ARCHITECTURE-5h.