The university uses public and private keys, along with other cryptographic mechanisms according to applicable federal laws, executive orders, directives, policies, regulations, and standards.


  • The owner of an information resource, or designee, is responsible for implementing this control.


  • 1

    Encryption requirements for information storage devices and data transmissions, as well as specific requirements for portable devices, removable media, and encryption key standards and management, shall be based on documented risk management decisions.

  • 2

    Confidential and Critical information must be protected with appropriate encryption at all times, both at rest and in transit (see RA-2).

    • 2.1

      Confidential and Critical information must be encrypted if copied to, or stored on, a portable computing device, or removable media (see MP-7).

  • 3

    University-Internal information that is transmitted over a public network (e.g., the Internet) should be encrypted where feasible (see SC-8).

  • 4

    The minimum algorithm strength for protecting confidential and restricted information is a 128-bit encryption algorithm.