Meeting IRS requirements for encrypted transmission of FTI

Does anyone have previous experience meeting IRS requirements for the encrypted transmission of FTI across a LAN and WAN, specifically the requirements called for in IRS Publication 1075?
The IRS tests for the following:
All FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN). If FTI is transmitted over a LAN or WAN it is encrypted with FIPS 140-2 validated encryption, using at least a 128-bit encryption key.

MACsec is what we are looking at right now. I'm wondering if anyone who has been through such an implementation could share lessons learned, gotchas, etc.

Any input is appreciated?


Macsec use cases are valid when working with hop by hop encryption needs between closets / buildings where structured wiring is not within control of agency personnel, in the case of other states we provide consulting services to, think multi tenant building with shared closet from other state agencies or building leases with outsourced cabling. Router / firewall based Vpn is an option as well if transiting a consolidated state network or sp based public or private network. The physical sec control to mitigate true end to end helps reign back some of the costed options. Transmission Confidentiality and Integrity (SC-8)

Information systems that receive, process, store, or transmit FTI, must:

a. Protecttheconfidentialityandintegrityoftransmittedinformation.
b. Implement cryptographic mechanisms to prevent unauthorized disclosure of FTI

and detect changes to information during transmission across the wide area network (WAN) and within the local area network (LAN). (CE1)

If encryption is not used, to reduce the risk of unauthorized access to FTI, the agency must use physical means (e.g., by employing protected physical distribution systems) to ensure that FTI is not accessible to unauthorized users. The agency must ensure that all network infrastructure, access points, wiring, conduits, and cabling are within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and monitor for suspicious network traffic. For physical security protections of transmission medium, see Section, Access Control for Transmission Medium (PE-4).

This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax machines).

Dumb question. So this is essentially physical or link layer encryption. That’s fine out on the wire, but is decrypted in memory (if I understand what you said), and requires point to point connectivity to be any better than that. Are you aware of anyone at NIST or other places suggesting end to end encryption?