HHS Standard for EncryptionDecember 23, 2008
HHS Standard 2008-0007.001S
The following is effective immediately and applies to all Department of Health and Human Services (HHS) employees, contractors, and others acting on behalf of HHS. Media is subject to this encryption standard until it is sanitized or destroyed in accordance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88, Guidelines for Media Sanitization, and/or Department policy and procedures. This standard supersedes HHS Standard 2007-0001.001S, HHS Encryption Standard for Mobile Devices and Portable Media, issued August 21, 2007.
1) All HHS laptop computers shall be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant(1) whole-disk encryption solution.
2) All sensitive information(2) stored on government-furnished desktops and non-government-furnished desktops used on behalf of the Department shall be secured either through a FIPS 140-2 compliant encryption solution or through adequate physical security and operational controls at the desktop’s residing location.
Informational: Whole-disk encryption solutions are acceptable as are solutions that protect individual files or folders containing sensitive information. The decision to employ physical protections over an encryption solution is a risk-based decision, as these protections cannot completely remove the risk of theft or loss of sensitive data at all offices. The risk-based decision to use any alternatives to encryption shall be formally documented and approved by the appropriate Designated Approval Authority (DAA).
3) All mobile devices(3) and portable media(4) that contain sensitive information shall be encrypted, as specified above.
4) A key recovery mechanism shall be used so encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel is prohibited.(5) OPDIVs/STAFFDIVs shall implement a process that requires approval by senior management or the Chief Information Security Officer to authorize recovery of keys by someone other than the key owner.
5) Encryption keys shall comply with all HHS and OPDIV/STAFFDIV policies and shall provide adequate protection to prevent unauthorized decryption of the information.(6)
6) Language shall be included in contracts to ensure that sensitive HHS data is appropriately encrypted, in accordance with the Federal Acquisition Regulation (FAR), the HHS Acquisition Regulation, and this standard.
Deviations from this standard shall be approved by the by the OPDIV/STAFFDIV Chief Information Officer (CIO) or by the OPDIV/STAFFDIV Chief Information Security Officer (CISO), if such authority is delegated by the CIO.
APPROVED BY & EFFECTIVE ON:
_________________/s/________________ December 23, 2008
Michael W. Carleton Date
HHS Chief Information Officer
(1) The cryptographic module used by an encryption or other cryptographic product must be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS Publication 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval.
(2) The HHS definition of sensitive data is available at http://intranet.hhs.gov/infosec/policies_memos.html. This encryption standard only applies to data which has a FIPS 199 security impact level of Moderate or High for the confidentiality security objective. Availability and integrity are not considered in determining if encryption is required under this standard.
(3) Mobile device: Any computer or other apparatus that can store and process data and is designed to be mobile. Examples include laptop computers, iPODs, Blackberries, Treos, Palm Pilots and other Personal Digital Assistants (PDAs).
(4) Portable Media: Any device that can store data electronically and is portable, such as portable hard drives, Universal Serial Bus (USB) drives, secure digital (SD) card media, CD-ROMs, and DVDs.
(5) Key recovery is required by OMB Guidance to Federal Agencies on Data Availability and Encryption, November 26, 2001.
(6) See NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, and SP 800-57, Recommendation for Key Management.