Encryption

All NIH laptops and tablet computers must be encrypted with a FIPS 140-2 or 140-3* compliant encryption software package.

If you include personally identifiable information (PII) or sensitive data in an e-mail message, that message must be encrypted!

PII and sensitive data must NOT be stored on personally owned equipment. If transported, it must be stored on an encrypted government-owned (or authorized encrypted contractor owned) laptop or portable storage device.

See HHS Standard for Encryption of Computing Devices and Information for additional details.

Background Information

Encryption is the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but authorized parties can. In an encryption scheme, the message or information (referred to as plaintext) is encrypted using an encryption algorithm, turning it into unreadable ciphertext. This is usually done with an encryption key, which specifies how the message is to be encoded. Any adversary that can see the ciphertext should not be able to determine anything about the original message. An authorized party, however, can decode the ciphertext using a decryption algorithm, which usually requires a secret decryption key that adversaries do not have access to. For technical reasons, an encryption scheme usually needs a key-generation algorithm to randomly produce keys. (Source: Wikipedia)

A Federal Information Processing Standard (FIPS) is a publicly announced standardization developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors, when properly invoked and tailored on a contract. (Source: Wikipedia)

The Federal Information Processing Standard (FIPS) Publication 140-2, FIPS PUB 140-2, is a federal government computer security standard. This standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. 
(Ref: )

*On March 22, 2019, the Secretary of Commerce approved FIPS 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. The new standard introduces some significant changes. Rather than encompassing the module requirements directly, FIPS 140-3 references ISO/IEC 19790:2012. The testing for these requirements will be in accordance with ISO/IEC 24759:2017. While there are few major technical requirement changes, the use of the ISO documents requires several procedural changes in the management and execution of the validation program and process.

FIPS 140-2 modules can remain active for 5 years after validation or until September 21, 2026, when the FIPS 140-2 validations will be moved to the historical list. Even on the historical list, CMVP supports the purchase and use of these modules for existing systems.