SC.L2-3.13.10 Key Management
Establish and manage cryptographic keys for cryptography employed in organizational systems.
Source: NIST SP 800-171 Rev 2 3.13.10
Discussion: Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment.
Assessment Objectives:
Determine if:
- [a] cryptographic keys are established whenever cryptography is employed; and
- [b] cryptographic keys are managed whenever cryptography is employed.
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key establishment and management; security plan; system design documentation; cryptographic mechanisms; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for cryptographic key establishment and management].
Test: [SELECT FROM: Mechanisms supporting or implementing cryptographic key establishment and management].
SPRS Score: 1
POA&M Allowed: Yes