SA-9(6)

Requirement

Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.

Discussion

Maintaining exclusive control of cryptographic keys in an external system prevents decryption of organizational data by external system staff. Organizational control of cryptographic keys can be implemented by encrypting and decrypting data inside the organization as data is sent to and received from the external system or by employing a component that permits encryption and decryption functions to be local to the external system but allows exclusive organizational access to the encryption keys.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and services acquisition policy; procedures addressing external system services; acquisition contracts for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; procedures addressing organization-controlled cryptographic key management; organizational security requirements or conditions for external providers; system security plan; supply chain risk management plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organization personnel with cryptographic key management responsibilities; external providers of system services; organizational personnel with supply chain risk management responsibilities].

Test

[SELECT FROM: Organizational processes for cryptographic key management; mechanisms for supporting and implementing the management of organization-controlled cryptographic keys].

ID	Assessment Objectives
SA-09(06)	exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!