SC-12-727 Cryptographic Key Establishment and Management

Cryptographic Key Establishment and Management

Control ID

SC-12-727

Control Name

Cryptographic Key Establishment and Management

Control Category

System and Communications Protection

Functional Areas

Protect

Sub-Areas

Cryptography, System Communications Protection

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

October 27, 2015

Agency Implementation

All private keys used by or with Agency-owned or operated systems must be of at least 2048-bit RSA or 256-bit ECDSA key size. The private key shall be generated by the information resource owner or custodian on an Agency-owned or controlled system, and stored only on an Agency-owned or controlled system, in such a fashion that only authorized users may access the private key. It is recommended that the private key be generated on the actual system where it will be used, when possible, in order to minimize transport of the private key. Private keys may not be stored in plaintext without compensating controls to ensure their confidentiality. Systems shall be configured to only accept private keys meeting this standard, where possible.

All Agency-owned or operated systems must be capable of establishing a trust chain with Agency designated certificate authorities. For TTI domain-joined systems, this is accomplished automatically via group policy. For other systems, information resource owners or custodians may be required to manually install root CA certificates. Owners and custodians are responsible for ensuring any certificates installed on an information system under their control establish a successful trust chain up to an authorized CA.

Risk Statement

Cryptographic keys are modified, lost, destroyed or disclosed to unauthorized parties.

Control Description

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Control Example

The organization appropriately secures public and private keys.

State Implementation

When cryptography is required and employed within the information system, the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures.

Testing Procedures

Obtain system and communications protection policy; procedures addressing cryptographic key management and establishment; NIST Special Publications 800-56 and 800-57; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (I)the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures, when cryptography is required and employed within the information system.