Policy 683: Encryption defines the minimum requirements for the selection, application, and management of encryption technologies. Policy 683-01 replaces legacy Policy 683-00: Encryption, moving most of the technical specifications from the policy and putting them into a standard.

Standard 683S1: Encryption Requirements establishes requirements for key management and encryption of sensitive or confidential data stored (data at rest) on state-owned information systems and mobile devices and defines acceptable methods of cryptographic protection to prevent unauthorized disclosure of sensitive or confidential information during transmission (data in motion). Topics addressed include email and file transfer encryption.

Risks that are addressed in these documents include:

  • Protecting the confidentiality and integrity of information transmitted over public networks
  • Encryption technologies used meet validated standards for security


These documents address NIST SP 800-53 security controls:

  • SC-8: Transmission Confidentiality and Integrity
  • AC-17 (CE2): Protection of Confidentiality and Integrity Using Encryption
  • AC-19 (CE5): Mobile Device – Container-based Encryption
  • SC-12: Cryptographic Key Management
  • SC-13: Cryptographic Protection
  • SC-17: Public Key Infrastructure (PKI) Certificates
  • SC-28: Protection of Information at Rest
  • SC-28 (CE1): Cryptographic Protection
  • MP-5 (CE4): Media Transport | Cryptographic Protection


View or Download:

DRAFT Policy 683: Encryption

DRAFT Standard 683S1: Encryption Requirements