SC-13-727 Cryptographic Protection

System and Communications Protection
Cryptography, System Communications Protection
October 27, 2015

All traffic egressing from the Agency's protected network, and all information residing on information systems outside the Agency's control, that contains sensitive or confidential information shall be natively encrypted or shall traverse an Agency-controlled encrypted point-to-point tunnel to its destination. Confidential information may not be stored on portable devices (including portable/laptop workstations) without Chief Information Security Officer approval.

All encryption methods shall use an algorithm approved under FIPS 140-2 (as amended) with a minimum cipher key size of 128 bits. The 128-bit minimum is a symmetric-key measure; asymmetric keys must be sized to deliver comparable security strength as set out in NIST SP 800-57 (for 128-bit strength, at least 3072-bit RSA or Diffie-Hellman keys, or 256-bit elliptic-curve keys).

Encryption and other cryptographic controls are used inconsistently to protect information assets and deviate from policy.
The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
The organization uses public and private keys, along with other cryptographic mechanisms, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Encryption requirements for information storage devices and data transmissions, as well as specific requirements for portable devices, removable media, and encryption key standards and management, shall be based on documented state organization risk management decisions. Confidential information that is transmitted over a public network (e.g., the Internet) must be encrypted. Confidential information stored in a public location that is directly accessible without compensating controls in place (e.g., FTP without access control) must be encrypted. Storing confidential information on portable devices is discouraged. Confidential information must be encrypted if copied to, or stored on, a portable computing device, removable media, or a non-state organization owned computing device. The minimum algorithm strength for protecting confidential information is a 128-bit encryption algorithm, subject to state organization risk management decisions justified and documented in accordance with TAC 202.21/71(c) and TAC 202.25/75. A state organization may also choose to implement additional protections, which may include encryption, for other data classifications.
Obtain the system and communications protection policy; procedures addressing the use of cryptography; FIPS 140-2 (as amended); NIST Special Publications 800-56 and 800-57; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; and other relevant documents or records, and ascertain whether, for information requiring cryptographic protection, the information system implements cryptographic mechanisms that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. Validation certificates should be checked against the specific module version and operating environment actually deployed, since a FIPS 140-2 certificate covers only the configuration listed on it.