Acceptable Encryption Policy

1.0 Purpose

The purpose of this policy is to ~~provide~~establish ~~guidance~~standards ~~that limits~~for the use of ~~encryption to those~~cryptographic algorithms ~~that have received substantial public review~~ and ~~have~~technologies ~~been~~within ~~proven~~the toorganization. ~~work effectively. Additionally, this~~This policy ~~provides direction~~aims to ensure that ~~Federal~~only ~~regulations~~strong, publicly vetted encryption algorithms are ~~followed,~~employed to protect the confidentiality and ~~legal~~integrity ~~authority~~of isorganizational ~~granted~~data. ~~for~~It also serves to provide guidance regarding compliance with applicable regulations, particularly concerning the ~~dissemination~~implementation and ~~use~~potential export of encryption ~~technologies outside of the United States.~~technologies.

2.0 Scope

This policy applies to all ~~<Company~~employees, ~~Name>~~contractors, ~~employees~~vendors, and ~~affiliates.~~affiliates of the organization involved in the selection, implementation, or management of systems or processes that utilize encryption for protecting organizational data.

~~Algorithm~~3.0 ~~Requirements~~Policy Statements

~~Ciphers~~The infollowing standards define the acceptable use of encryption algorithms within the organization:

3.1 Approved Encryption Algorithms

* Encryption algorithms used for protecting organizational data must be selected from internationally recognized, publicly reviewed, and currently accepted standards.
* Proprietary or non-standard encryption algorithms are prohibited unless explicitly reviewed, approved, and formally excepted by the designated IT authority (e.g., Precision Computer team) based on a thorough security assessment.

3.2 Symmetric Encryption

* For symmetric encryption (where the same key is used for encryption and decryption), ciphers must meet or exceed the ~~set~~security level defined as "AES-compatible" or "partially AES-compatible" ~~according~~by torelevant ~~the~~industry bodies (e.g., IETF/IRTF ~~Cipher Catalog,~~guidance) or ~~the~~be ~~set~~approved ~~defined~~under ~~for~~current ~~use in the United States~~U.S. National Institute of Standards and Technology (NIST) ~~publication~~standards, such as FIPS 140-2,2 (or ~~any~~its ~~superseding documents according to the date of implementation.~~successors).
* The use of the **Advanced Encryption Standard (AES)** with appropriate key lengths (e.g., 128 bits or higher, preferably 256 bits for new implementations) is ~~strongly~~the ~~recommended~~required standard for symmetric ~~encryption.~~encryption unless a specific, approved exception exists.

~~Algorithms~~3.3 inAsymmetric ~~use~~Encryption

* For asymmetric encryption (using public/private key pairs), algorithms must meet the standards defined ~~for use~~ in NIST ~~publication~~ FIPS 140-2 (or ~~any~~its ~~superseding document, according to date of implementation.~~successors).
* The use of ~~the~~**RSA** ~~RSA~~(with ~~and~~key lengths of 2048 bits or higher, 3072 bits recommended for new implementations) or **Elliptic Curve Cryptography (ECC)** ~~algorithms~~(using NIST-approved curves like P-256 or higher) is ~~strongly recommended~~required for asymmetric encryption. Secure padding schemes (e.g., OAEP for RSA) must be employed.

~~Signature~~3.4 ~~Algorithms~~Hash Functions

Cryptographic

~~Algorithm~~

hash

~~Key~~functions ~~Length~~

used

~~(min)~~

for

~~Additional~~integrity ~~Comment~~

checks,

~~ECDSA~~

digital

~~P-256~~

signatures,

~~Consider~~or ~~RFC6090~~other security functions must adhere to ~~avoid~~current ~~patent~~NIST ~~infringement.~~guidance

~~RSA~~

~~2048~~

~~Must use a secure padding scheme. PKCS#7 padding scheme is recommended. Message hashing required.~~

~~LDWM~~

~~SHA256~~

~~Refer to LDWM Hash-based Signatures Draft~~

~~In general, <Company Name> adheres to~~(e.g., the NIST Policy on Hash ~~Functions.~~Functions).
* Algorithms such as SHA-256, SHA-384, SHA-512, or newer SHA-3 family algorithms are required. The use of deprecated algorithms like MD5 or SHA-1 for security purposes is prohibited.

3.5 Digital Signature Algorithms

* Algorithms used for digital signatures must provide an appropriate level of security, corresponding to the requirements for asymmetric encryption and hash functions. Approved algorithms include:
* **ECDSA** (Elliptic Curve Digital Signature Algorithm) using approved curves (e.g., P-256 or higher). Implementation should consider relevant standards (e.g., RFC6090) to address potential issues.
* **RSA** (using key lengths specified in section 3.3) with secure padding schemes (e.g., PSS) and appropriate message hashing (as per section 3.4).
* Other NIST-approved hash-based signature schemes may be considered where appropriate.

3.6 Key Management

* Cryptographic keys must be generated, stored, distributed, rotated, and destroyed securely in accordance with established cryptographic best practices and organizational key management procedures (which may be detailed in a separate Key Management Policy or Standard).

4.0 Compliance

4.1 Compliance Measurement

The designated IT authority (e.g., Precision Computer ~~team~~team) will verify compliance towith this policy through various methods, including but not limited to, ~~business~~configuration ~~tool~~audits ~~reports,~~of systems, review of security architecture designs, internal and external ~~audits,~~security assessments, and ~~feedback~~analysis of reports from security tools. Feedback will be provided to the policy ~~owner.~~owner and relevant management.

4.2 Exceptions

Any exception to ~~the~~this policy requires formal, documented justification detailing the business need and compensating controls, and must bereceive ~~approved~~advance byapproval from the designated IT authority (e.g., Precision Computer ~~team~~team). inApproved ~~advance.~~exceptions will be reviewed periodically.

An4.3 ~~employee~~Enforcement

~~found~~

Failure to ~~have~~comply ~~violated~~with this policy may beresult ~~subject~~in the disabling of non-compliant systems or applications, and may lead to disciplinary ~~action,~~action for responsible personnel, up to and including termination of ~~employment.~~employment or contract, consistent with organizational procedures.

~~National~~5.0 ~~Institute of~~Referenced Standards and ~~Technology~~Definitions

~~(NIST)~~

* ~~publication~~**NIST FIPS 140-2,

(and successors):** U.S. government standard for cryptographic modules.
* **NIST Policy on Hash ~~Functions~~Functions:** Guidance on acceptable cryptographic hash algorithms.
* **AES (Advanced Encryption Standard):** The standard symmetric encryption algorithm.
* **RSA (Rivest–Shamir–Adleman):** A widely used public-key (asymmetric) algorithm.
* **ECC (Elliptic Curve Cryptography):** An approach to public-key cryptography based on elliptic curves.
* **ECDSA (Elliptic Curve Digital Signature Algorithm):** A digital signature algorithm using ECC.
* **SHA (Secure Hash Algorithm):** A family of cryptographic hash functions (e.g., SHA-256, SHA-512).
* **Proprietary Encryption:** Encryption algorithms developed privately without public review, generally discouraged due to lack of vetting.

~~The~~*(Further ~~following definition and terms~~definitions can be found in established industry security glossaries like the SANS ~~Glossary located at:~~Glossary.)*

~~https://www.sans.org/security-resources/glossary-of-terms/~~

~~Proprietary Encryption~~