PS-08-024 Use of Cryptography

Issue Date: 3/20/2008

Effective Date: 3/20/2008

Review Date: 12/1/2020


Cryptography is a discipline that embodies principles, means and methods for providing several security services: confidentiality, data integrity, authentication and non-repudiation.

This policy establishes the requirement to use cryptographic controls on State information systems as necessary.


Agencies shall use cryptographic controls where the confidentiality, authenticity, non-repudiation or integrity of data is categorized MODERATE or higher, or when the risk of compromise or exposure is higher than acceptable, or when required by policy, law, or regulation, and other compensating controls are insufficient to meet the required security levels.


Cryptographic Controls (SS-08-040)


NIST SP 800-12 (chapter 19) Introduction to Computer Security NIST Handbook (Cryptography)

SP 800-175B Rev. 1: Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms

NIST Cryptographic Key Tool Kit

FIPS 140-3: Security Requirements for Cryptographic Modules


Cryptography is a branch of applied mathematics concerned with encrypting and decrypting data such that the sender’s identity (authentication and non-repudiation), data confidentiality or integrity can be assured.

  • Encryption is the process of converting ordinary information (plaintext) into unintelligible character strings (i.e., ciphertext).
  • Decryption is the reverse, moving from unintelligible ciphertext to plaintext.
  • A cipher (or cypher) is a pair of algorithms that perform this encryption and the reversing decryption.

Non-Repudiation is a service that is used to provide proof of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party.

Authentication is a process that establishes origin of information or determines an entity’s identity.