SC-13: Cryptographic Protection

NIST Baseline: Low 

DIR Required By: 07/20/2023

Review Date: 08/08/2024

  • Tarleton State University (Tarleton) encryption requirements for information storage devices and data transmissions, as well as specific requirements for portable devices, removable media, and encryption key standards and management, shall be based on documented risk management decisions. 
  • Confidential data must be protected with appropriate encryption at all times, both at rest and in transit (see Control RA-2, Security Categorization). 
    • Confidential data must be encrypted if copied to, or stored on, a portable computing device, or removable media (see Control MP-7, Media Use). 
  • Tarleton data that is transmitted over a public network (i.e., the Internet) should be encrypted where feasible, especially data that is classified as university-internal, unless the information is designated as public information (see Control SC-8, Transmission Confidentiality and Integrity).
  • The minimum algorithm strength for protecting confidential data is a 128-bit encryption algorithm, in accordance with Texas Department of Information Resources (DIR) Security Control Catalog requirements, also subject to state organization risk management decisions justified and documented in accordance with 1 Texas Administrative Code §202.21(c) and §202.71(c) and 1 Texas Administrative Code §202.25 and §202.75.
    • Subject to documented risk management decisions, a unit may also choose to implement additional protections, including stronger encryption algorithms or key lengths. 

References/Additional Resources

1 TAC § 202.21(c)  

1 TAC § 202.71(c)  

1 TAC § 202.25  

1 TAC § 202.75