This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization maintains availability of information in the event of the loss of cryptographic keys by users.
NIST 800-53 (r4) Supplemental Guidance:
Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase).
NIST 800-53 (r5) Discussion:
Escrowing of encryption keys is a common practice for ensuring availability in the event of key loss. A forgotten passphrase is an example of losing a cryptographic key.
38North Guidance:
Meets Minimum Requirement:
Use an encryption key management tool (e.g., AWS CloudHSM, AWS KMS, HashiCorp Vault, Google Cloud Key Management, Azure Key Vault, etc.) rather than manually managing cryptographic keys. For cloud-based tools, the tool must possess a FedRAMP authorization at an impact level commensurate with the Cloud Service Offering (CSO). Deploy non-cloud-based tools within the authorization boundary.
Implement RBAC within the encryption key management tool (if available) or integrate it with a directory service (e.g., AWS IAM, Active Directory, etc.).
Best Practice:
None
Unofficial FedRAMP Guidance:
Few system designs provide key escrow, so most do not strictly meet this requirement. However, use of an encryption key management tool coupled with access controls will usually suffice.
Assessment Evidence:
Evidence that the encryption key management tool has a key recovery capability.
Evidence that the HSM has a key recovery capability to maintain the availability of information in the event of the loss of cryptographic keys by users.
CSP Implementation Tips:
Amazon Web Services (AWS):
Useful Links:
Microsoft Azure:
Google Cloud Platform: TBD