The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) Office for Interoperability and Compatibility (OIC) released a draft Project 25 (P25) Compliance Assessment Bulletin (CAB) to “to stop the practice of manufacturers providing subscriber units with a non-P25 standard encryption without also including P25 standard AES 256 encryption.”NGA Policy Academy Works with States on Governance, Interoperability
NTIA Seeks Candidates for 5 FirstNet Board Positions
CCW 2017 Expected to Draw 3,000 Mission-Critical Professionals
The document said the P25 Compliance Assessment Program (CAP) advisory panel (AP) deliberated for many months concerning the widespread use and continued shipment of P25 subscriber unit equipment that includes non-P25 standard encryption without also including P25 advanced encryption standard (AES) 256 encryption.
P25 equipment with only non-P25 standard encryption has caused interoperability challenges in the field. When multiple agencies need to communicate securely as a group, every subscriber unit in the group must use the same encryption algorithm and key. Matching keys can be loaded into the subscriber units in a straightforward manner, but the same encryption algorithm must be present in each subscriber unit before keys can be loaded.
Most equipment submitted to the P25 CAP includes the AES 256 encryption algorithm as an optional feature. The P25 CAP suppliers’ declaration of compliance (SDoC) and summary test report (STR) documents indicate that encryption was an option when the approved equipment was tested, but public-safety agencies can use grant funds to purchase P25 CAP-approved equipment with or without the optional AES 256 encryption. P25 CAP AP has no intention of requiring AES 256 equipment for public safety. A problem occurs, however, when the P25 equipment manufacturer provides a non-P25 standard encryption algorithm with the equipment when the optional AES 256 encryption is not ordered.
The P25 CAP AP wants to stop the practice of manufacturers providing subscriber units with non-P25 standard encryption without also including P25 standard AES 256 encryption. The P25 CAP AP recommends that OIC consider the following acceptable — if a vendor ships a radio with no encryption, standard AES 256 encryption, or standard and nonstandard encryption.
The P25 CAP AP created a resolution recommending DHS OIC take clear actions to stop this practice and to ask that manufacturers provide a path for public-safety users to add AES 256 to fielded P25 subscriber units that are now only equipped with non-P25 standard encryption. Specifically, this action should be taken for equipment bought with federal grants and those equipment purchases intended to be P25 CAP Approved equipment.
The full CAB is here.
The draft P25 CAP CAB on encryption requirements is available for public comment. Submit comments to firstname.lastname@example.org by Jan. 22.
Would you like to comment on this story? Find our comments system below.