HHS Encryption Standard for Mobile Devices and Portable Media
HHS Standard 2007-0001.001S
August 21, 2007The following is effective immediately.
(1) All HHS laptop computers must be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution.
(2) All mobile devices (including non-HHS laptops) and portable media that contain sensitive agency data shall be encrypted using a FIPS 140-2 compliant product, effective 180 days from approval of this standard.
(3) A key recovery mechanism shall be used so that encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel is prohibited. OPDIVs/STAFFDIVs shall implement a process which requires senior management approval to authorize recovery of keys by other than the key owner.
(4) Encryption keys shall comply with all HHS and OPDIV/STAFFDIV policies and shall provide adequate protection to prevent unauthorized decryption of the information.
(5) HHS-approved language shall be included in contracts to ensure that sensitive HHS data is appropriately encrypted, effective upon approval of such language.
System owners shall obtain written authorization from the Operating Division (OPDIV) Chief Information Officer (CIO) if compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a mission or business function. Waiver consideration shall be a risk-based determination by the OPDIV CIO. To obtain a waiver, compensating controls must be identified and documented in the waiver form. Waivers shall be recorded and maintained by the OPDIV and provided to the HHS Chief Information Security Officer (CISO) upon approval.
APPROVED BY & EFFECTIVE ON:
___________/s/________________________ ___August 21, 2007____________
Michael W. Carleton Date
HHS Chief Information Officer
 The cryptographic module used by an encryption or other cryptographic product must be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval.
 Mobile device: Any computer or other apparatus that can store and process data and is designed to be mobile. Examples include laptop computers, iPODs, Blackberries, Treos, Palm Pilots and other Personal Digital Assistants (PDAs).
 Portable Media: Any device that can store data electronically and is portable, such as portable hard drives, Universal Serial Bus (USB) drives, CD-ROMs, and DVDs.
 The HHS definition of sensitive data is available at http://intranet.hhs.gov/infosec/policies_memos.html.
 Key recovery is required by “OMB Guidance to Federal Agencies on Data Availability and Encryption”, November 26, 2001, http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf.
 HHS-approved contract language is available at http://intranet.hhs.gov/infosec/policies_memos.html.
 The HHS information security waiver form and process is available at http://intranet.hhs.gov/infosec/policies_memos.html.