3.13.10

Requirement

Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Discussion

Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. This requirement is related to 03.13.11.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: system and communications protection policy and procedures; procedures for cryptographic key establishment and management; system design documentation; system configuration settings; cryptographic mechanisms; system audit records; system security plan; other relevant documents or records]
Interview

[SELECT FROM: mechanisms for supporting or implementing cryptographic key establishment and management]
Test

[SELECT FROM: personnel with responsibilities for cryptographic key establishment or management; personnel with information security responsibilities; system administrators]

ID	Assessment Objectives
A.03.13.10.ODP[01]	requirements for key generation, distribution, storage, access, and destruction are defined.
A.03.13.10[01]	cryptographic keys are established in the system in accordance with the following key management requirements: .
A.03.13.10[02]	cryptographic keys are managed in the system in accordance with the following key management requirements: .

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!