NIST 800-171 - Cryptographic Key Management (3.13.10)


Overview:
Establish and manage cryptographic keys for cryptography employed in the information system.


Action Items:
3.13.10[a]
Determine if: cryptographic keys are established whenever cryptography is employed.


3.13.10[b]
Determine if: cryptographic keys are managed whenever cryptography is employed.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: System and communications protection policy; procedures addressing cryptographic key establishment and management; system security plan; system design documentation; cryptographic mechanisms; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records.


2) Interview: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for cryptographic key establishment and management.


3) Test: Mechanisms supporting or implementing cryptographic key establishment and management.


Related Documents (document name and content will vary by organization):
1) System and communications protection policy
2) procedures addressing cryptographic key establishment and management
3) system security plan
4) system design documentation
5) cryptographic mechanisms
6) system configuration settings and associated documentation
7) system audit logs and records
8) other relevant documents or records


Additional Guidance:
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, and standards, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST Special Publications 800-56 and 800-57 provide guidance on cryptographic key maintenance.



Article ID: 202
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/nist-800-171-cryptographic-key-management-3-13-10-202.html