Author: Joshua Black, Cybersecurity and Infrastructure Security Agency (CISA), FPIC Federal Encryption Lead
When public safety agencies make the decision to implement encryption for their land mobile radio systems, it is imperative that they exercise proper and secure encryption key management. Not doing so can make their encryption keys susceptible to compromise and jeopardize mission integrity, first responder safety, and leave personally identifiable information vulnerable. Just as important as encrypting these radio transmissions is safeguarding access to the encryption keys. This all-encompassing approach will ensure public safety agencies have safe and effective encrypted communications within their own agency, along with any partnering agencies.
The Federal Partnership for Interoperable Communications (FPIC) identified the need to address critical encryption issues, including encryption key change periods and the continued use of the data encryption standard (DES). These discussions formed the basis of the Operational Best Practices for Encryption Key Management document, as well as the accompanying Encryption Key Management Fact Sheet, which are posted on the CISA Encryption webpage. FPIC, in collaboration with SAFECOM and the National Council of Statewide Interoperability Coordinators, developed these documents to help agencies understand and effectively manage encryption keys. Public safety organizations can apply these best practices to help secure, manage, and distribute their encryption keys and improve overall encryption key management. Best practices for encryption keys include:
Eliminate the use of DES, instead using the more secure Advanced Encryption Standard
Obtain encryption keys from the U.S. Customs and Border Protection’s National Law Enforcement Communications Center
Establish key change periods and discontinue the use of static (unchanging) keys