Standard for Encryption Sample Clauses

The Standard for Encryption clause establishes the minimum requirements for encrypting data within the scope of an agreement. It typically specifies the types of data that must be encrypted, such as personal information or confidential business records, and may reference specific encryption protocols or industry standards that must be followed. By setting clear expectations for data protection, this clause helps ensure that sensitive information is safeguarded against unauthorized access, thereby reducing the risk of data breaches and ensuring compliance with relevant regulations.
Standard for Encryption. The Contractor (and/or any subcontractor) shall:
a. Comply with the HHS Standard for Encryption of Computing Devices and Information to prevent unauthorized access to government information.
b. Encrypt all sensitive federal data and information (i.e., PII, protected health information [PHI], proprietary information, etc.) in transit (i.e., email, network connections, etc.) and at rest (i.e., servers, storage devices, mobile devices, backup media, etc.) with FIPS 140-2 validated encryption solution.
c. Secure all devices (i.e.: desktops, laptops, mobile devices, etc.) that store and process government information and ensure devices meet HHS and NIH-specific encryption standard requirements. Maintain a complete and current inventory of all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive government information (including PII).
d. Verify that the encryption solutions in use have been validated under the Cryptographic Module Validation Program to confirm compliance with FIPS 140-2. The Contractor shall provide a written copy of the validation documentation to the Contracting Officer and the Contracting Officer's Technical Representative within 15 days of the validation.
e. Use the Key Management system on the HHS personal identification verification (PIV) card or establish and use a key recovery mechanism to ensure the ability for authorized personnel to encrypt/decrypt information and recover encryption keys. Encryption keys shall be provided to the COR upon request and at the conclusion of the contract.

Standard for Encryption. The Contractor (and/or any subcontractor) must:
i. Comply with the HHS Standard for Encryption of Computing Devices and Information to prevent unauthorized access to government information.
ii. Encrypt all sensitive federal data and information (i.e., PII, protected health information [PHI], proprietary information, etc.) in transit (i.e., email, network connections, etc.) and at rest (i.e., servers, storage devices, mobile devices, backup media, etc.) with encryption solution that is validated with current FIPS 140 validation certificate from the NIST CMVP.
iii. Secure all devices (i.e.: desktops, laptops, mobile devices, etc.) that store and process government information and ensure devices meet HHS and HHS/OASH-specific encryption standard requirements. Maintain a complete and current inventory of all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive government information (including PII).
iv. Verify that the encryption solutions in use have been validated under the Cryptographic Module Validation Program to confirm compliance with current FIPS 140 validation certificate from the NIST CMVP. The Contractor must provide a written copy of the validation documentation to the COR within 5 business days of contract award.
v. Use the Key Management system on the HHS personal identification verification (PIV) card or establish and use a key recovery mechanism to ensure the ability for authorized personnel to encrypt/decrypt information and recover encryption keys ▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/publications/. Encryption keys must be provided to the COR upon request and at the conclusion of the contract.

Standard for Encryption. The Contractor (and/or any subcontractor) shall:
a. Comply with the HHS Standard for Encryption of Computing Devices and Information to prevent unauthorized access to government information.
b. Encrypt all sensitive federal data and information (i.e., PII, protected health information [PHI], proprietary information, etc.) in transit (i.e., email, network connections, etc.) and at rest (i.e., servers, storage devices, mobile devices, backup media, etc.) with FIPS 140-2 validated encryption solution.
c. All devices (i.e.: desktops, laptops, mobile devices, etc.) that store, transmit, or process non-public FDA information should utilize FDA-provided or FDA information security authorized devices that meet HHS and FDA-specific encryption standard requirements. Maintain a complete and current inventory of all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive government information (including PII).
d. Verify that the encryption solutions in use are compliant with FIPS 140-2. The Contractor shall provide a written copy of the validation documentation to the COR.
e. Use the Key Management system on the HHS Personal Identification Verification (PIV) card or establish and use a key recovery mechanism to ensure the ability for authorized personnel to encrypt/decrypt information and recover encryption keys. Encryption keys (PIV card) shall be provided to the COR upon request and at the conclusion of the contract. Upon completion of contract, contractor ensures that COR is able to access and read any encrypted data.