Federal Data at Rest Encryption Policies

DODI 8320.02: Sharing Data, Information, and Information Technology (IT) Services in the Department of Defense

DoD Components must ensure all DoD information programs, applications, and computer networks will protect data in transit and data at rest according to their confidentiality level, mission assurance category, and level of exposure in accordance with References (8500.2). Learn more at fas.org

DODI 8500.2: Information Assurance (IA) Implementation

Encryption for Confidentiality (Data at Rest): If a classified enclave contains SAMI (sources and methods intelligence) and is accessed by individuals lacking an appropriate clearance for SAMI, then NSA-approved cryptography is used to encrypt all SAMI stored within the enclave. Learn more at fas.org

DODI 8420.01: Commercial Wireless Local-Area Network (WLAN) Devices, Systems, And Technologies

Classified WLAN-enabled Portable Electronic Devices (PEDs) must use NSA-approved encryption to protect classified data-in-transit and data-at-rest on PEDs in accordance with Paragraph 3.8. of this issuance. Learn more at esd.whs.mil

CJCSI 6510.01F: Information Assurance (IA) and Support to Computer Network

Protection of Information in Transmission or Data at Rest: Classified national security information shall be protected using NSA-approved cryptographic and key management systems offering high protection levels and approved for protecting classified information. Learn more at jcs.mil

NIST Special Publication 800-53 (Rev. 4): SC-28 Protection Of Information At Rest

Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. Learn more at nvd.nist.gov

Air Force Manual 17-1301: Computer Security (COMPUSEC)

4.7.5. Classified Data at Rest. Protect classified national security information at rest according to Chairman of the Joint Chiefs of Staff Instruction 6510.01F using National Security Agency-approved cryptographic and key management systems offering appropriate protection levels and approved for protecting classified data at rest… Learn more at af.mil

National Security Directive 42: National Policy for the Security of National Security Telecommunications and Information Systems

U.S. Government national security systems shall be secured by such means as are necessary to prevent compromise, denial, or exploitation…Such protection results from the application of security measures (including cryptosecurity…)..to systems which generate, store, process, transfer or communicate information of use to an adversary... Learn more at fas.org

U.S. Code, Title 44, Chapter 35, Subchapter II, § 3557: National Security Systems

The head of each agency shall provide information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—‘‘ (i) information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and ‘‘ (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. Learn more at uscode.house.gov

Pamphlet 25-2-16: Communications Security

(3) Only NSA/Central Security Services-approved COMSEC products and services (to include Commercial Solutions for Classified (CSfC) and cryptographic high value property (CHVP)) will be used to secure Nation Security Information (NSI) and systems; (4) Only NSA-approved cryptographic products and solutions that have been endorsed by the Chief Information Officer (CIO)/G–6, Cybersecurity Directorate (SAIS–CB) and listed in the Army Information Systems Security Program Application (ISSPA) will be used for the protection of classified information. Learn more at army.mil

Army Regulation 25-2: Information Management - Army Cyber Security Data Security

On behalf of the AO, AODRs, and ISSMs will....7)Safeguard information and records (data) in accordance with applicable NIST, DOD, and Army issuances. Required activities include....d) Leverage protective processes and tools to secure data at conception, in transit, at rest, and throughout the entire life cycle.
(e) 1) For IT that processes classified information, use only COMSEC, CHVP, or Commercial Solutions for Classified products and services approved by the National Security Agency/Central Security Service (NSA/CSS). Learn more at army.mil

CNSSP No. 28: Cybersecurity Of Unmanned National Security Systems

National Security Agency (NSA)-approved cryptographic algorithms and techniques, implementations, keying material, digital certificates, and associated security architectures must be used wherever cryptography or cryptographic techniques are needed in unmanned systems per CNSSP No. 15, Use of Public Standards for Secure Information Sharing (Reference g), and, in the case of commercial solutions implementation, CNSSP No. 7, Policy on the Use of Commercial Solutions to Protect National Security Systems (Reference h). Learn more at cnss.gov