The university uses public and private keys, along with other cryptographic mechanisms according to applicable federal laws, executive orders, directives, policies, regulations, and standards.


  • The owner of an information resource, or designee, is responsible for implementing this control.


  • 1

    Encryption requirements for information storage devices and data transmissions, as well as specific requirements for portable devices, removable media, and encryption key standards and management, shall be based on documented risk management decisions.

  • 2

    Critical and Confidential data must be protected with appropriate encryption at all times, both at rest and in transit (see RA-2).

    • 2.1

      Critical and Confidential data must be encrypted if copied to, or stored on, a portable computing device, or removable media (see MP-7).

  • 3

    University-Internal information that is transmitted over a public network (e.g., the Internet) should be encrypted where feasible (see SC-8).

  • 4

    The minimum algorithm strength for protecting Critical and Confidential data is a 128-bit encryption algorithm.