Encryption FAQ

Q1. What does encryption involve and why encrypt?

A1. By HHS policy, all HHS laptop/tablet computers must be encrypted with an approved encryption software package. Encryption requires using a "Federal Information Processing Standard 140-2 compliant" whole-disk encryption package. NIH has Pointsec software licenses for this purpose. 

Encryption is mandatory as per the following requirement. 


http://intranet.hhs.gov/infosec/docs/guidance/hhs_standard_2007.pdf

http://irm.cit.nih.gov/security/message_from_director.html

 

Q2. What is PII and/or Sensitive Information?

A2. See the Guide for Identifying Sensitive Information, including Personally Identifiable Information (PII), at the NIH

All PII or sensitive data included in e-mail must be encrypted. To set up secure mail, contact the NIH Help Desk (301-496-4357).

The NIH VPN should be used to securely connect to NIHnet and NIH applications and resources protected by it, including PII or sensitive information. PII or sensitive information transmitted via the NIH VPN is encrypted during transmission. Government-owned laptops must use whole-disk encryption.


Sensitive information should never be accessed from public computers or kiosks found in hotel business centers or airports. Government information should never be downloaded to personally owned equipment or any equipment that does not meet NIH IT security requirements.

 

Any NIH employee or contractor who loses an NIH-issued laptop/tablet computer, or one used by a contractor on behalf of the government, must report the loss within one hour to the NIH Helpdesk (301-496-4357).

Any other suspected or confirmed loss of personally identifiable information (PII) must also be reported to the NIH Helpdesk within one hour.

 

Q3. What equipment must be encrypted?

A3. The following NIH-owned IT equipment used to process or store official NIH information must be encrypted:

1.     Laptops and Tablet PCs – see Q9 for information specific to laptops/tablets connected to scientific devices.

2.     Desktop computers – if the desktop is considered to be “high risk” for theft or other compromise.  HHS is purchasing additional Pointsec (encryption software) for desktops that ICs deem to be at “high risk.”

3.     Portable electronic media – if they contain PII and/or sensitive data.  This would include, for example, USB flash drives, thumb drives, external hard drives, and PDAs that contain PII or sensitive information.

4.     Vendor-owned laptops/tablets used for government business - Federal contractors are subject to the same information security requirements as federal employees. Laptops/tablets used by a contractor to access or store federal information and/or federal information systems on behalf of the federal government shall be encrypted using a FIPS 140-2 certified product, and the contractor shall ensure that an encryption key recovery process has been implemented. This equipment shall also comply with the Federal Desktop Core Configuration (FDCC) settings and other security policies and requirements. Acquisition/contract language shall clearly state the contractor is responsible for complying with all federal security requirements.

 

NOTE:   HHS policy requires a key recovery mechanism for all encrypted government data.

 

Q4. What must be done for laptop/tablet platforms and operating systems (OS) that are not supported by FIPS 140-2 certified encryption (Win98, XP Home, etc)?

A4. All laptops/tablets must be encrypted. Whenever possible, platforms should be changed to one supported by a 140-2 certified whole-disk encryption package. If the platform cannot be changed, the laptop/tablet must be secured with compensating controls and a waiver (see Q10.) must be completed and approved.

A list of the platforms supported by Pointsec is available on the NIH Pointsec FAQ.

Pointsec Media Encryption (PME) software can also be used to individually encrypt files. PME permits the sending of encrypted files via email to non-PKI recipients. The USB capability is useful as well. Both functions are free with the Pointsec Full-Disk Encryption (FDE) license.

 

Q5. What IT equipment DOES NOT require encryption OR CANNOT BE encrypted now?

A5.  The following IT equipment does not require encryption or cannot be encrypted at this time.

1.  BlackBerrys – these devices must be configured with an access password and must be registered and managed by the NIH BlackBerry Server (BES). Anyone who loses a BlackBerry must report the loss immediately to the NIH Helpdesk (301-496-4357 or http://ithelpdesk.nih.gov). The NIH Helpdesk can erase its data remotely. Although the current configuration is very secure, encryption on these devices will be enabled in the near future.

2.  Portable electronic media – media that do not meet the criteria in Q3 above can be used for non-sensitive information only.

3.  Macintosh laptops - cannot be encrypted at this time (see Q6. below) 

 

Q6.  What should Mac laptop users do to safeguard their data?

A6.  Because there is currently no FIPS 140-2 certified whole-disk encryption solution for Macintosh laptop computers, storage of personally identifiable information (PII) or sensitive data on Macintosh laptops is not allowed.

All PII data currently stored on Macintosh laptops must be removed and stored on either an NIH-provided and managed server or on a FIPS 140-2 certified USB flash drive or other FIPS 140-2 certified storage device.  A list of FIPS 140-2 certified USB drives can be found at the Pointsec FAQ.

Approved encryption software for Macintosh laptops should be available within the next few months. Once it is available, all Macintosh laptops must be encrypted for NIH to be in compliance with the HHS policy that requires all laptops to be encrypted.

Q7. Can PII or government owned sensitive information be stored on personally owned equipment (laptops/tablets/desktops/portable storage devices)?

A7. No. Government data must NOT be stored on personally owned equipment. To transport PII or sensitive information, data must be stored on an encrypted government owned laptop or portable storage device or on an authorized encrypted contractor owned laptop or portable storage device.

 

Q8. Can PII or sensitive information be removed from a laptop/tablet, desktop, or other portable device?

A8. Yes, usually. Simply deleting a file is not the approved method. Please contact the NIH Help Desk at 301-496-4357 or http://ithelpdesk.nih.gov for assistance with removing PII or sensitive information. BCWIPE can be used to wipe the free space of Windows systems.

 

Q9. Does a non-portable laptop/tablet that is connected to a scientific device need to be encrypted?

A9. All laptops/tablets must be encrypted. However, if a laptop/tablet is connected to a scientific device and meets specific criteria it may be eligible for a waiver. These criteria include, but are not limited to, such compensating controls as being physically secured and labeled appropriately. Additionally, a detailed explanation of why the laptop cannot function with encryption software must be included. If a waiver is requested for a system containing PII or sensitive information, this must be identified on the waiver form along with the compensating controls (see the Policy Waiver Form).

 

Q10. What is the waiver process for exempting a laptop/tablet from using encryption software?

A10. The waiver process has three steps:

1. Fill out and sign the laptop encryption waiver form. The form is available here: http://irm.cit.nih.gov/security/HHS_Laptop_Policy_Waiver.doc. Note: Some ICs may have modified waiver request forms to require more information or additional internal approvals. Contact the NIH Help Desk at 301-496-4357 or http://ithelpdesk.nih.gov for assistance or your Institute ISSO to see if your IC has specific waiver requirements.

a. Describe why implementing the policy is not feasible or technically possible while supporting the scientific mission or business function.

b. Confirm the laptop/tablet does not, and will not, access or store PII or sensitive data. If it does store PII, additional compensating controls may be required.

c. Describe the technical, operational and management security controls which offset the risk of not implementing this policy, e.g. machine is not portable and is securely attached to an instrument or bench with a cable lock.

d. List the machine location, serial number, and NIH decal number.

2. Follow your IC internal waiver request process.

3. The waiver must be approved by the IC ISSO (Information Systems Security Officer), the NIH CISO (Chief Information Security Officer), and finally the HHS CISO.

 

Q11. Is Pointsec the mandatory encryption software?

A11. The Department has purchased Pointsec for use on Department equipment (Government owned). It is not required to use Pointsec as long as the chosen encryption solution is FIPS 140-2 certified, is whole-disk, and provides for key recovery.

FIPS is the family of Federal Information Processing Standards and includes many more standards than the FIPS 140-2 validated cryptographic modules required for this encryption. Each IC will determine if other encryption products can and will be supported.

 

Q12. Can Microsoft BitLocker be used to encrypt Windows Vista laptops?

A12. Yes. Although the latest version of Pointsec also supports Windows Vista, Microsoft BitLocker is FIPS 140-2 certified, and can be used in FIPS mode on Windows Vista machines in place of Pointsec.

 

Q13. Can Pointsec be exported to foreign countries for employees working abroad?

A13. Yes. According to the Bureau of Industry and Security, US Department of Commerce (https://www.bis.doc.gov/), the Export Administration Regulations cover this very topic. Specifically, in Part 740 (License Exceptions) of the EAR, Section 740.9 (Temporary imports, exports, and re-exports) states that temporary exports of tools of the trade may be made to destinations other than Cuba or Sudan as long as they remain under the effective control of the employee. In the case of Cuba or Sudan, only non-governmental, humanitarian organizations are allowed under US law to temporarily export into those countries. Laptops containing whole disk encryption are considered part of the "tools of the trade" of an HHS employee. "Effective control" requires that the employee retain physical possession of the item, or secure the item in an environment such as a safe, at all times.

 

Q14. Is Pointsec licensed for personal or contractor use?

A14. The Department has purchased Pointsec for use on Government-owned or vendor-owned machines used on behalf of the Government. Personally-owned machines are not covered and should never be used to store government information.

 

Q15. How do I know if my computer has been encrypted?

A15. You can contact the NIH Help Desk at 301-496-4357 or http://ithelpdesk.nih.gov for assistance. The Pointsec FAQ site has additional instructions on checking your computer for Pointsec encryption: http://kiwi.nih.gov/pointsec/index.php/FAQ#NIH_Pointsec_FAQ

 

Q16. What is a portable device?

A16. Any portable or handheld device with an operating system (laptop, tablet, BlackBerry, PDA, iPod, flash drives, USB keys, portable hard drives, etc.).

 

Q17. What is portable media?

A17. Portable media includes floppy disks, CDs, DVDs, tapes, SD cards, CF cards, etc. PII or sensitive data must be stored only on encrypted portable media or devices.

 

Q18. Should backups of PII or sensitive information be encrypted?

A18. Back-ups are generally saved to government-owned and maintained servers. In this case, encryption is not required. Back-ups of sensitive data made to portable media or devices such as USB flash drives or DVDs must be encrypted.

 

Q19. Is additional privacy (PII) training available or required?

A19. An NIH Privacy awareness course is available at http://irtsectraining.nih.gov/. It is not required at this time but contains a wealth of useful information on privacy, including PII.

 

Q20. Are ICs required to track all encrypted USB drives like our laptops/tablets?

A20. There is currently no central tracking or reporting for USB drives, but according to HHS policy a key recovery mechanism is required for all encrypted government data, so ICs may wish to track and manage these devices.

 

Q21. Is sample contract language available?

A21. Yes. See below.

DATA ENCRYPTION

The following applies to all Contractor and subcontractor laptop computers and mobile devices containing HHS data at rest and in transit. The date by which the contractor shall be in compliance will be set by the Project Officer; however, encryption shall occur before any sensitive data is stored on the laptop computer/mobile device, or within 45 days of the start of the contract, whichever occurs first.

(1) All laptop computers used on behalf of the government shall be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product must be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval.

(2) All mobile devices, including non-HHS laptops and portable media, that contain sensitive HHS information shall be encrypted using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored.

(3) A FIPS 140-2 compliant key recovery mechanism shall be used so that encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel is prohibited. Key recovery is required by “OMB Guidance to Federal Agencies on Data Availability and Encryption”, November 26, 2001, http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf

Encryption key management shall comply with all HHS and NIH policies and shall provide adequate protection to prevent unauthorized decryption of the information.

All media used to store information shall be encrypted until it is sanitized or destroyed in accordance with HHS policy and NIH procedures.  

Example:  Our IC receives CDs/DVDs with sensitive information from other non-HHS entities under contract. Patient sensitive information is housed on CDs/DVDs and mailed to the IC. How do you propose to resolve this issue since the research is done on behalf of the IC?

All CDs, DVDs or other media containing sensitive information for the government or by a contractor on behalf of the government must be encrypted. HHS policy states “HHS-approved language shall be included in contracts to ensure that sensitive HHS data is appropriately encrypted...” Procedures and practices must be changed and the contract should be modified to bring it into alignment with HHS policy.


Q22. If I have questions about encryption, whom can I contact?

A22. You can contact the NIH Help Desk at 301-496-4357 or http://ithelpdesk.nih.gov. The NIH Help Desk and your desktop support personnel have considerable experience with nearly 11,000 encrypted laptops already at NIH and will be able to install the encryption software and help troubleshoot any issues. Further information regarding HHS and OMB encryption policy can be found at the links below:

      HHS Laptop Encryption Policy

      M-06-16

      M-07-16

      Personally Identifiable Information (PII) Protection

 

This page last reviewed: September 12, 2008