HHS Encryption Standard for Mobile Devices and Portable Media

HHS Standard 2007-0001.001S

August 21, 2007

(1)  All HHS laptop computers must be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant[1] whole-disk encryption solution. 

(2)  All mobile devices[2] (including non-HHS laptops) and portable media[3] that contain sensitive agency data[4] shall be encrypted using a FIPS 140-2 compliant product, effective 180 days from approval of this standard.

(3)  A key recovery mechanism shall be used so that encrypted information can be decrypted and accessed by authorized personnel.  Use of encryption keys which are not recoverable by authorized personnel is prohibited[5].  OPDIVs/STAFFDIVs shall implement a process which requires senior management approval to authorize recovery of keys by other than the key owner.

(4)  Encryption keys shall comply with all HHS and OPDIV/STAFFDIV policies and shall provide adequate protection to prevent unauthorized decryption of the information.

(5)  HHS-approved language shall be included in contracts to ensure that sensitive HHS data is appropriately encrypted[6], effective upon approval of such language.

System owners shall obtain written authorization from the Operating Division (OPDIV) Chief Information Officer (CIO) if compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a mission or business function.  Waiver consideration shall be a risk-based determination by the OPDIV CIO.  To obtain a waiver, compensating controls must be identified and documented in the waiver form[7]. Waivers shall be recorded and maintained by the OPDIV and provided to the HHS Chief Information Security Officer (CISO) upon approval. 

APPROVED BY & EFFECTIVE ON:

___________/s/________________________       ___August 21, 2007____________

Michael W. Carleton                                                                   Date

HHS Chief Information Officer