DoD Instruction 8500.2 - Common Access Card (CAC)
DoD Instruction 8500.2 - Common Access Card (CAC)
DoD Instruction 8500.2 - Common Access Card (CAC)
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
DODI <strong>8500.2</strong>, February 6, 2003<br />
E3.2.4.3.1. Robustness describes the strength of mechanism (e.g., the<br />
strength of a cryptographic algorithm) and assurance properties (i.e., confidence<br />
measures taken to ensure proper mechanism implementation) for an IA solution. The<br />
more robust a particular component is, the greater the level of confidence in the<br />
protection provided to the security services it supports. The three levels of robustness<br />
are discussed in detail in Chapter 4 in the IATF, reference (k). It is also possible to use<br />
non-technical measures to achieve the equivalent of a level of robustness. For<br />
example, physical isolation and protection of a network can be used to provide<br />
confidentiality. In these cases, the technical solution requirement may be reduced or<br />
eliminated.<br />
E3.2.4.3.2. High robustness security services and mechanisms provide,<br />
through rigorous analysis, the most confidence in those security mechanisms.<br />
Generally, high robustness technical solutions require NSA-certified high robustness<br />
solutions for cryptography, access control and key management and high assurance<br />
security design as specified in NSA-endorsed high robustness protection profiles, where<br />
available.<br />
E3.2.4.3.3. Medium robustness security services and mechanisms provide<br />
for additional safeguards above Basic. Medium robustness technical solutions require,<br />
at a minimum, strong (e.g., crypto-based) authenticated access control, NSA-approved<br />
key management, NIST FIPS-validated cryptography, and the assurance properties as<br />
specified in NSA-endorsed medium robustness protection profiles or the Protection<br />
Profile Consistency Guidance for Medium Robustness.<br />
E3.2.4.3.4. Basic robustness security services and mechanisms are<br />
usually represented by good commercial practice. Basic robustness technical solutions<br />
require, at a minimum, authenticated access control, NIST-approved key management<br />
algorithms, NIST FIPS-validated cryptography, and the assurance properties specified in<br />
NSA-endorsed basic robustness protection profiles or the Protection Profile<br />
Consistency Guidance for Basic Robustness.<br />
E3.2.4.3.5. The graded IA controls in attachments 1 through 6 to<br />
enclosure 4 account for robustness and also provide for the use of more robust security<br />
solutions as they become available through evolution of such things as the <strong>DoD</strong> PKI<br />
program and development of additional U.S. protection profiles.<br />
E3.2.4.4. Integrated technical and non-technical defenses. Achieving an<br />
acceptable level of information assurance is dependent upon a synergy among people,<br />
operations and technology.<br />
33 ENCLOSURE 3