The following tables define baseline encryption and key management controls for protecting Institutional Data.
Encryption
| Area | ID | Control | Public | Confidential | Restricted |
|---|---|---|---|---|---|
| EN | 1 | Institutional Data transmitted over a network connection is encrypted | Optional | Recommended | Required |
| EN | 2 | Institutional Data stored on Electronic Media is encrypted | Optional | Recommended | Recommended |
| EN | 3 | Data stored on removable Electronic Media is encrypted | Optional | Recommended | Required |
| EN | 4 | Data stored on a mobile computing device is encrypted | Optional | Recommended | Required |
| EN | 5 | Remote administration of an Information System is performed over an encrypted network connection | Required | Required | Required |
Key Management
| Area | ID | Control | Public | Confidential | Restricted |
|---|---|---|---|---|---|
| EN | 6 | Industry-accepted algorithms are used where encryption and/or digital signing are employed | Recommended | Required | Required |
| EN | 7 | Key sizes of 128 bits or greater are used where symmetric key encryption is employed * | Recommended | Required | Required |
| EN | 8 | Key sizes of 1024 bits or greater are used where asymmetric key encryption is employed * | Recommended | Required | Required |
| EN | 9 | Keys are changed periodically where encryption is employed | Recommended | Required | Required |
| EN | 10 | Keys are revoked and/or deleted when they are no longer needed to perform a business function | Recommended | Required | Required |
Supplemental Guidance
EN-7 and EN-8 (*): These controls establish baseline key sizes for symmetric key encryption (e.g. AES and 3DES) and asymmetric encryption (e.g. RSA and Diffie-Hellman). However, industry trends show a gradual movement toward larger key sizes. For example, the National Institute of Standards and Technology now requires 256-bit and 2048-bit keys for certain aspects of personal identity verification when dealing with federal information systems (see Special Publication 800-78). Data Custodians should evaluate any contractual obligations that might exist when selecting an appropriate key size.
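One practical way to verify EN-1, EN-5 and EN-7 on a system is to audit the TLS configuration a client or administration tool will actually negotiate. The following Python script is an added example written for this page, not part of the standard above: it builds a TLS context that enforces TLS 1.2 or newer and excludes anonymous, export-grade and 3DES suites, then lists any enabled suite whose effective symmetric strength falls below the 128-bit EN-7 baseline. The cipher string and the choice to compare on effective strength (`strength_bits`) rather than nominal key length (`alg_bits`) are this example's own assumptions; the standard only states the key-size figure. The asymmetric EN-8 check is not covered here, since the enabled suite list does not expose certificate key sizes.

```python
import ssl
from typing import Dict, List, Tuple

# Baseline figures copied from the EN-7 / EN-8 controls above.
MIN_SYMMETRIC_BITS = 128
MIN_ASYMMETRIC_BITS = 1024
# Stricter figure the supplemental guidance cites for NIST SP 800-78 contexts.
STRICTER_ASYMMETRIC_BITS = 2048


def hardened_client_context() -> ssl.SSLContext:
    """Client context satisfying EN-1 / EN-5 in this example's reading:
    TLS 1.2 or newer only, no anonymous (aNULL), null-encryption (eNULL),
    MD5, RC4 or 3DES suites.  The cipher string is an assumption chosen for
    this example; adjust it to your own hardening baseline."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def suite_strengths(ctx: ssl.SSLContext) -> List[Tuple[str, int, int]]:
    """(name, nominal key bits, effective strength bits) for every enabled suite.
    3DES is the classic case where the two differ: 168 nominal, 112 effective."""
    return [(c["name"], c["alg_bits"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weak_cipher_suites(ctx: ssl.SSLContext,
                       min_bits: int = MIN_SYMMETRIC_BITS) -> List[str]:
    """Names of enabled suites whose effective symmetric strength is below
    the EN-7 baseline.  An empty list means the context passes the check."""
    return [name for name, _alg, strength in suite_strengths(ctx)
            if strength < min_bits]


def en7_report(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the EN-1 / EN-5 / EN-7 posture of a context for an audit log."""
    weak = weak_cipher_suites(ctx)
    return {
        "minimum_version": ctx.minimum_version.name,
        "enabled_suites": len(ctx.get_ciphers()),
        "weak_suites": weak,
        "en7_compliant": not weak,
    }


if __name__ == "__main__":
    report = en7_report(hardened_client_context())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the script against any `ssl.SSLContext` your application constructs (for example the one handed to an HTTP client or an SSH-over-TLS administration tool) rather than only the hardened one built here; a non-empty `weak_suites` list is the finding to raise with the Data Custodian.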