1. The information owner shall determine whether sensitive information stored needs to be protected using encryption.
2. The system engineering team (e.g., project manager, system engineers, and IA personnel) shall perform the following:
a. Identify a list of NIST-certified cryptographic algorithms and keys (e.g., 3DES, AES) that can encrypt stored sensitive information
b. Research vendors' products that have been certified based on NIST-certified cryptography
c. Perform an analysis of the advantages and disadvantages of individual products based on the system’s operational requirements and available funds
d. Select the product that is most suitable for the system’s environment to encrypt sensitive information
e. Install and test the encryption capability in a lab environment
f. Implement the product into the system in the operational environment