Highlights of IS.008 Cryptographic Management Standard
The IS.008 Cryptographic Management Standard establishes requirements for cryptography and encryption techniques for the Commonwealth of Massachusetts. Cryptographic controls shall be used to protect the confidentiality (e.g., encryption), authenticity and integrity (e.g., digital signatures or message authentication codes).
The purpose of this standard is to establish requirements for cryptography and encryption techniques for the Commonwealth. Cryptographic controls shall be used to protect the confidentiality (e.g., encryption), authenticity and integrity (e.g., digital signatures or message authentication codes). Controls include:
- Encryption keys follow identified protocols for generation, distribution, storage, backups, archives, use, renewals, revocation, recovery, suspension and disposal.
- End-to-end encryption Confidential data transmissions over the Internet
- Encryption techniques are reviewed on a semiannual basis
See the Enterprise Information Security Standards Self-Assessment Questionnaire [Excel] that can be used to track compliance with implementing these internal controls. Departments should expect to be audited on compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards which must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.