This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization produces, controls, and distributes symmetric cryptographic keys using [FedRAMP Selection: (M)(H) NIST FIPS-compliant] key management technology and processes.
NIST 800-53 (r4) Supplemental Guidance:
None
NIST 800-53 (r5) Discussion:
[SP 800-56A], [SP 800-56B], and [SP 800-56C] provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1], [SP 800-57-2], and [SP 800-57-3] provide guidance on cryptographic key management.
38North Guidance:
Meets Minimum Requirement:
Document all use cases of symmetric cryptographic keys (e.g., encrypting data at rest such as object/block storage, file systems, databases using Transparent Data Encryption (TDE), etc.) within the authorization boundary. For each use case, describe how keys are produced, controlled, and distributed, and which technologies (e.g., AWS KMS, etc.) facilitate these activities.
Only use FIPS 140-2 validated cryptographic modules for producing, controlling, and distributing symmetric cryptographic keys.
Best Practice:
Rotate encryption keys at least annually.
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configuration showing where symmetric cryptographic keys are generated and stored.
List of FIPS 140-2 validated cryptographic modules used for symmetric key encryption in the environment, including each module's Cryptographic Module Validation Program (CMVP) certificate number.
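As an added illustration (not part of 38North's guidance or any CSP's tooling) of how the rotation best practice and the evidence items above can be checked together, the script below evaluates a constructed key inventory against the annual-rotation and validated-module expectations; the inventory field names, key IDs and CMVP certificate values are assumptions and placeholders, not any vendor's API or real certificate numbers.

```python
"""Assess a symmetric-key inventory against the SC-12(2) expectations on this page."""
from datetime import date, timedelta

# Constructed sample inventory (not real account data). Each entry records one
# symmetric-key use case, the service that produces/controls the key, whether
# automatic rotation is on, the last rotation date, and the CMVP certificate
# number of the validating module (placeholder strings, not real certificates).
KEY_INVENTORY = [
    {"key_id": "key-objstore-01", "use_case": "object storage at rest",
     "service": "AWS KMS", "rotation_enabled": True,
     "last_rotated": date(2024, 3, 1), "cmvp_cert": "CMVP-PLACEHOLDER-1"},
    {"key_id": "key-db-tde-01", "use_case": "database TDE",
     "service": "AWS KMS", "rotation_enabled": False,
     "last_rotated": date(2022, 6, 15), "cmvp_cert": "CMVP-PLACEHOLDER-1"},
    {"key_id": "key-fs-01", "use_case": "file system at rest",
     "service": "self-managed", "rotation_enabled": True,
     "last_rotated": date(2024, 1, 10), "cmvp_cert": None},
]

MAX_KEY_AGE = timedelta(days=365)  # "rotate encryption keys at least annually"


def assess_key(entry, today):
    """Return the list of findings for one inventory entry (empty means compliant)."""
    findings = []
    if not entry["cmvp_cert"]:
        findings.append("no FIPS 140-2 validated module (CMVP certificate) recorded")
    if not entry["rotation_enabled"]:
        findings.append("automatic rotation disabled")
    if today - entry["last_rotated"] > MAX_KEY_AGE:
        findings.append("last rotation older than one year")
    return findings


def assess_inventory(inventory, today):
    """Map key_id -> findings for every key that fails at least one check."""
    return {e["key_id"]: f for e in inventory if (f := assess_key(e, today))}


if __name__ == "__main__":
    for key_id, findings in assess_inventory(KEY_INVENTORY, date(2024, 9, 1)).items():
        print(key_id, "->", "; ".join(findings))
```

The keys that pass produce no output; the remaining entries are the ones an assessor would ask about when reviewing the evidence listed above.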
CSP Implementation Tips:
Amazon Web Services (AWS):
Useful Links:
Microsoft Azure: TBD
Google Cloud Platform: TBD