The owner of an information resource, or designee, is responsible for implementing this control.

Encryption requirements for information storage devices and data transmissions, as well as specific requirements for portable devices, removable media, and encryption key standards and management, shall be based on documented risk management decisions.

Critical and Confidential data must be protected with appropriate encryption at all times, both at rest and in transit (see RA-2).

• 2.1

  Critical and Confidential data must be encrypted if copied to, or stored on, a portable computing device, or removable media (see MP-7).

University-Internal information that is transmitted over a public network (e.g., the Internet) should be encrypted where feasible (see SC-8).

The minimum algorithm strength for protecting Critical and Confidential data is a 128-bit encryption algorithm.

• 4.1

  Subject to documented risk management decisions, a unit may also choose to implement additional protections, including stronger encryption algorithms or key lengths.

  Related Resource

  Federal Information Processing Standards Publication 197