03.13.10: Cryptographic Key Establishment and Management

Control Family: System and Communications Protection

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • FIPS 140-3 [38]

  • SP 800-56A [73]

  • SP 800-56B [74]

  • SP 800-56C [75]

  • SP 800-57-1 [15]

  • SP 800-57-2 [16]

  • SP 800-57-3 [17]

  • SP 800-63-3 [27]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.13.10

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • SC-12

Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Discussion:

Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. This requirement is related to 03.13.11.

Assessment Methods and Objectives

Examine [SELECT FROM: system and communications protection policy and procedures; procedures for cryptographic key establishment and management; system design documentation; system configuration settings; cryptographic mechanisms; system audit records; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with responsibilities for cryptographic key establishment or management; personnel with information security responsibilities; system administrators]

Test [SELECT FROM: mechanisms for supporting or implementing cryptographic key establishment and management]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.13.10.ODP[01]: requirements for key generation, distribution, storage, access, and destruction are defined.

A.03.13.10[01]: cryptographic keys are established in the system in accordance with the following key management requirements: <A.03.13.10.ODP[01]: requirements>.

A.03.13.10[02]: cryptographic keys are managed in the system in accordance with the following key management requirements: <A.03.13.10.ODP[01]: requirements>.