Guidance

Rule 22: ICT shall be compliant with HMG Information Assurance Policy for the employment of Cryptographic Products

Updated 16 October 2023

The rules are under review and subject to change.

1. Rule requirement

1.1 Cryptographic Compliance

HMG Information Assurance Policy mandates that all Defence Projects & Programmes employing data at rest or data in transit whose Protective Marking is above UNCLASSIFIED must implement cryptography:

  • Data marked as OFFICIAL must employ recognised industry cryptographic best practice based on guidance from the NCSC

  • Data marked as SECRET or ABOVE SECRET must employ High Assurance Cryptographic systems, known within HMG as Crypt-Key; these systems are independently assured by the NCSC

  • Projects & Programmes acquiring Crypt-Key systems must engage with CyDR Crypt-Key and complete a Crypt-Key Management Plan (CMP) starting during the Concept Phase. Completion of the CMP provides the necessary Assurance of the implementation of the Crypt-Key system

  • Validation and verification of the end-to-end Crypt-Key system is recommended and is the responsibility of the Delivery Team as part of the engineering assurance process

  • Procurement of foreign Crypt-Key systems is not recommended by the NCSC and may encounter technical challenges. Such cases must be raised with CyDR C-K at the earliest opportunity