SC-12

  • Requirement

    Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

  • Discussion

    Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST CMVP and NIST CAVP provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

More Info

  • Title

    Cryptographic Key Establishment and Management
  • Family

    System and Communications Protection
  • NIST 800-53B Baseline(s)

    • Low
    • Moderate
    • High
  • Related NIST 800-53 ID

    AC-17;AU-9;AU-10;CM-3;IA-3;IA-7;SA-4;SA-8;SA-9;SC-8;SC-11;SC-12;SC-13;SC-17;SC-20;SC-37;SC-40;SI-3;SI-7

NIST 800-53A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!