SC-13 Cryptographic Protection
Description
Cryptography can be employed to support a variety of security solutions including, for example:
- the protection of classified and Controlled Unclassified Information,
- the provision of digital signatures, and
- the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals.
Cryptography can also be used to support random number generation and hash generation.
Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
This Control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).
Applicability
The owner of an information resource, or designee, is responsible for implementing this Control.
Implementation
Information systems owned or operated by the university implement FIPS-validated cryptography [FIPS 140-2] in accordance with applicable federal laws, executive orders, directives, policies, regulations, and standards.
- Encryption requirements for information storage devices and data transmissions, as well as specific requirements for portable devices, removable media, and encryption key standards and management, shall be based on documented TAMU-CC University risk management decisions.
- Confidential information that is transmitted over a public network (e.g., the Internet) must be encrypted.
- Confidential information and protected data types stored in a public location that is directly accessible without compensating controls in place (e.g., FTP without access control) must be encrypted.
- Storing confidential information on portable devices is discouraged. Confidential information must be encrypted if copied to, or stored on, a portable computing device, removable media, or a non-TAMU-CC owned computing device.
- The minimum algorithm strength for protecting confidential information is a 128-bit encryption algorithm, subject to state organization risk management decisions justified and documented in accordance with Texas Administrative Code, Chapter 202, Responsibilities of the Information Security Officer [TAC 202.71(c)] and Managing Security Risks [TAC 202.75].
- TAMU-CC may also choose to implement additional protections, such as, but not limited to, stronger encryption algorithms or longer key lengths, based upon risk management decisions.
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019