This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key].
NIST 800-53 (r4) Supplemental Guidance:
None
NIST 800-53 (r5) Discussion:
[SP 800-56A], [SP 800-56B], and [SP 800-56C] provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1], [SP 800-57-2], and [SP 800-57-3] provide guidance on cryptographic key management.
38North Guidance:
Meets Minimum Requirement:
Document all use cases of asymmetric cryptographic keys within the authorization boundary (e.g., encryption/key exchange during the TLS handshake, user/server identification and authentication via PKI certificates or SSH keys, digital signatures). For each use case, describe how keys are produced, controlled, and distributed, and which technologies (e.g., DigiCert, OpenSSL) facilitate these activities.
Only use FIPS 140-2 validated cryptographic modules for producing, controlling, and distributing asymmetric cryptographic keys.
Utilize Class 3 PKI certificates for servers and software signing rather than for identifying individuals.
Utilize Class 4 PKI certificates for business-to-business transactions.
Best Practice:
Rotate SSH keys at least annually.
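One way to build the key inventory the guidance asks for and to check the annual SSH rotation practice, as an added example (not part of the 38North guidance or of any vendor tool): it parses OpenSSH authorized_keys lines, derives each key's type, size and OpenSSH-style SHA256 fingerprint, and flags keys whose recorded creation date is more than a year before the assessment date. The key material, comments and creation dates below are constructed for illustration; in practice the creation dates come from the key management records the control requires.

```python
"""Inventory SSH public keys in authorized_keys format and flag those past
the rotation period.  Added example; the key blobs, comments and "created"
dates are constructed for illustration, not taken from any real system."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_PERIOD = timedelta(days=365)  # "rotate SSH keys at least annually"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH wire-format mpint."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:  # leading zero keeps the sign bit clear
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Decode one SSH wire-format string; return (data, next offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


@dataclass
class KeyRecord:
    key_type: str
    bits: int
    fingerprint: str  # OpenSSH style: SHA256:<base64 without padding>
    comment: str
    created: date


def parse_authorized_key(line: str, created: date) -> KeyRecord:
    """Parse one authorized_keys line and derive type, size and fingerprint."""
    fields = line.split(None, 2)
    key_type, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) > 2 else ""
    blob = base64.b64decode(b64)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {wire_type!r}")
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)  # public exponent (unused here)
        n, _ = _read_string(blob, pos)  # modulus
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-ed25519":
        pub, _ = _read_string(blob, pos)
        bits = len(pub) * 8
    else:
        bits = 0  # unknown type: record it, size not derived
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return KeyRecord(key_type, bits, fingerprint, comment, created)


def keys_due_for_rotation(records, as_of: date):
    """Return records whose age on `as_of` exceeds ROTATION_PERIOD."""
    return [r for r in records if as_of - r.created > ROTATION_PERIOD]


def build_sample_inventory():
    """Constructed sample: one RSA-2048-shaped key and one ed25519 key."""
    # Placeholder modulus with the right bit length, not a real RSA key.
    rsa_blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) | 1)
    ed_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    lines = [  # (authorized_keys line, creation date from key management records)
        ("ssh-rsa " + base64.b64encode(rsa_blob).decode() + " deploy@build-01", date(2022, 3, 1)),
        ("ssh-ed25519 " + base64.b64encode(ed_blob).decode() + " ops@bastion", date(2023, 9, 15)),
    ]
    return [parse_authorized_key(line, created) for line, created in lines]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for rec in inventory:
        print(f"{rec.key_type:12} {rec.bits:5} {rec.fingerprint} {rec.comment} created {rec.created}")
    for rec in keys_due_for_rotation(inventory, as_of=date(2024, 1, 1)):
        print(f"ROTATE: {rec.fingerprint} ({rec.comment}) is older than one year")
```

The fingerprint matches what `ssh-keygen -lf` prints for the same key, so the inventory can be reconciled against keys actually present on hosts; the creation date is deliberately taken from the records rather than from file timestamps, which are reset when keys are redeployed.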
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configuration showing where asymmetric cryptographic keys are generated and stored.
List of FIPS 140-2 validated cryptographic modules used for asymmetric key operations in the environment, including each module's Cryptographic Module Validation Program (CMVP) certificate number.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD