Topic

Encrypting data at rest

Applicable to

Official, Protected

History

Priority

must

Mar 2022

Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data.

Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.

Dec 2021

Encryption software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data.

The recommendation that cryptographic products have completed an ASD Cryptographic Evaluation before being used for the protection of data at rest or in transit has been replaced with a recommendation for the use of cryptographic products that have been evaluated and certified under the Common Criteria against a Protection Profile.

2015

Agencies must use a Common Criteria–evaluated encryption product that has completed anACE if they wish to reduce the storage or physical transfer requirements for ICT equipment ormedia that contains classified information to an unclassified level.

2010

Agencies must use an EAL2 encryption product from DSD’s EPL that has completed a DCE if they wish toreduce the storage or physical transfer requirements for ICT equipment or media that contains classifiedinformation to an unclassified level.

2008

If an agency wishes to use encryption to reduce the storage and/or physical transfer requirements, as outlined in the PSM, for equipment or media that contains classified information, they must use an encryption product that meets the minimum level of assurance as shown in the following table.