Policy Manual

Encryption Technologies, Use Of

Purpose

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

Policy

Proven, standard algorithms, as approved by the Chief Information Officer (CIO), should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. Asymmetric crypto-system keys must be of a length that yields equivalent strength.

The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the CIO. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.