This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
SC-12 Additional FedRAMP Requirements and Guidance:
Guidance: Federally approved and validated cryptography.
NIST 800-53 (r4) Supplemental Guidance:
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
NIST 800-53 (r5) Discussion:
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.
38North Guidance:
Meets Minimum Requirement:
Establish an organizational policy and/or procedure document that describe(s) the implementation of cryptographic key management and establishment activities including key generation, distribution, storage, access, and destruction.
Document all use cases of cryptographic keys within the authorization boundary.
Only use FIPS 140-2 validated cryptographic modules for cryptographic key management and establishment activities including key generation, distribution, storage, access, and destruction.
Best Practice:
Enforce Separation of Duties (SoD) via Role-Based Access Controls (RBAC) for key management (e.g., generation, access control) and key utilization (e.g., encrypt, decrypt, re-encrypt) activities. For example, an individual who generates and controls access to encryption keys should not have permission to use those same encryption keys.
Rotate encryption keys at least annually.
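One way to check the SoD best practice above against an AWS KMS key policy, added here as an example (not 38North's or AWS's own tooling): it expands each principal's allowed actions and flags any principal that holds both key-management and key-usage permissions. The action grouping and the sample policy (account ID, role names) are constructed for the example.

```python
import fnmatch

# Action groups for the check: management mirrors what an AWS KMS key administrator
# typically holds, usage mirrors key-user actions; this grouping is the example's own assumption.
MANAGEMENT_ACTIONS = {
    "kms:CreateKey", "kms:PutKeyPolicy", "kms:EnableKey", "kms:DisableKey",
    "kms:ScheduleKeyDeletion", "kms:CreateGrant", "kms:RevokeGrant",
}
USAGE_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(policy):
    """Map each AWS principal to the concrete KMS actions it is allowed.
    Only Allow statements are considered; wildcards such as kms:Put* are
    expanded against the two known action sets above."""
    known = MANAGEMENT_ACTIONS | USAGE_ACTIONS
    allowed = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "AWS" not in stmt.get("Principal", {}):
            continue
        for principal in _as_list(stmt["Principal"]["AWS"]):
            for pattern in _as_list(stmt["Action"]):
                allowed.setdefault(principal, set()).update(
                    a for a in known if fnmatch.fnmatch(a, pattern))
    return allowed

def sod_violations(policy):
    """Principals that can both manage the key and use it for cryptographic
    operations, which is the combination the SoD best practice forbids."""
    return sorted(p for p, acts in allowed_actions(policy).items()
                  if acts & MANAGEMENT_ACTIONS and acts & USAGE_ACTIONS)

# Constructed sample key policy: a dedicated admin role, a dedicated user role,
# and one role that was granted everything (the violation to catch).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmin"},
     "Action": ["kms:Create*", "kms:Put*", "kms:Enable*", "kms:Disable*",
                "kms:ScheduleKeyDeletion", "kms:RevokeGrant"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppService"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/DevOpsAll"},
     "Action": "kms:*", "Resource": "*"},
]}

if __name__ == "__main__":
    print("SoD violations:", sod_violations(SAMPLE_POLICY) or "none")
```

The same check can be run over exported key policies from all keys in an account as part of the SC-12 evidence collection described below.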
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configuration showing where cryptographic keys are generated and stored.
List of FIPS 140-2 validated cryptographic modules used for encryption in the environment (include the Cryptographic Module Validation Program (CMVP) certificate number for each module). Encryption use cases include, but are not limited to:
Data at Rest (SC-28)
Data in transit (end user access / data flow) (SC-8(1))
Remote Access (administrator access) (AC-17(2))
Multifactor device/token (IA-2(11))
CSP Implementation Tips:
Amazon Web Services (AWS):
Useful Links:
Microsoft Azure:
Google Cloud Platform: TBD