SC-12-727 Cryptographic Key Establishment and Management

System and Communications Protection
Protect
Cryptography, System Communications Protection
LOW, MOD, HIGH
P1
Yes
October 27, 2015

All private keys used by or with Agency-owned or operated systems must be of at least 2048-bit RSA or 256-bit ECDSA key size. The private key shall be generated by the information resource owner or custodian on an Agency-owned or controlled system, and stored only on an Agency-owned or controlled system, in such a fashion that only authorized users may access the private key. It is recommended that the private key be generated on the actual system where it will be used, when possible, in order to minimize transport of the private key. Private keys may not be stored in plaintext without compensating controls to ensure their confidentiality. Systems shall be configured to only accept private keys meeting this standard, where possible.
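As an added example, not part of this control page, the following dependency-free Python check enforces the 2048-bit RSA / 256-bit ECDSA minimum stated above: it reads a PEM private key with a minimal DER parser and returns a verdict, which is the kind of gate a system can apply before it accepts a key. All function names are the example's own, and the sample keys it builds (`make_rsa_pem`, `make_ec_pem`) are constructed ASN.1 structures of the right shape and bit length, not real key material.

```python
"""Key-size check for SC-12-727 (RSA >= 2048 bits, ECDSA >= 256 bits): a dependency-free
DER reader that reports a private key's algorithm and size.  Added example, not control
text; the sample keys it builds have the right shape and size but are NOT real key material."""
import base64
import secrets

RSA_MIN_BITS, EC_MIN_BITS, OID_RSA, OID_EC = 2048, 256, "1.2.840.113549.1.1.1", "1.2.840.10045.2.1"
EC_CURVES = {  # named-curve OID -> key size in bits; anything else raises KeyError (fails closed)
    "1.2.840.10045.3.1.1": 192, "1.3.132.0.33": 224, "1.2.840.10045.3.1.7": 256,
    "1.3.132.0.34": 384, "1.3.132.0.35": 521}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); single-byte tags only, which covers key files."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # split a constructed value (SEQUENCE, [0], ...) into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte of each arc
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def inspect_key_der(der):
    """Return (algorithm, bits) for a PKCS#1 RSA, SEC1 EC or PKCS#8 private key."""
    tag, body, _ = _read_tlv(der, 0)
    f = _children(body) if tag == 0x30 else []
    if len(f) >= 3 and f[1][0] == 0x30 and f[2][0] == 0x04:  # PKCS#8 PrivateKeyInfo
        alg = _children(f[1][1])
        alg_oid = _decode_oid(alg[0][1])
        if alg_oid == OID_RSA:
            return inspect_key_der(f[2][1])  # the OCTET STRING wraps a PKCS#1 key
        if alg_oid == OID_EC:
            return "EC", EC_CURVES[_decode_oid(alg[1][1])]
        raise ValueError("unsupported algorithm " + alg_oid)
    if len(f) >= 2 and f[1][0] == 0x04:  # SEC1 ECPrivateKey (RFC 5915)
        for tag, val in f[2:]:
            if tag == 0xA0:  # [0] parameters holds the named-curve OID
                return "EC", EC_CURVES[_decode_oid(_children(val)[0][1])]
        raise ValueError("EC key without named curve")
    if len(f) >= 2 and f[1][0] == 0x02:  # PKCS#1 RSAPrivateKey: modulus is the 2nd INTEGER
        return "RSA", int.from_bytes(f[1][1], "big").bit_length()
    raise ValueError("unrecognised private key structure")

def check_key(pem):
    """Policy verdict for one PEM-encoded (unencrypted) private key."""
    body = "".join(ln.strip() for ln in pem.splitlines() if not ln.strip().startswith("-----"))
    algo, bits = inspect_key_der(base64.b64decode(body))
    minimum = RSA_MIN_BITS if algo == "RSA" else EC_MIN_BITS
    return {"algorithm": algo, "bits": bits, "compliant": bits >= minimum}

# --- constructed sample inputs: minimal DER encoders plus a PEM wrapper ----------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + value
def _int(v):  # DER INTEGER, with the leading 0x00 that keeps the value positive
    raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)
def _oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out += reversed(chunk)
    return _tlv(0x06, bytes(out))
def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def make_rsa_pem(bits):
    """PKCS#1 shape with a random modulus of exactly `bits` bits (constructed, not a usable key)."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    return _pem("RSA PRIVATE KEY", _tlv(0x30, _int(0) + _int(n) + _int(65537) + _int(1) * 6))

def make_ec_pem(curve_oid, bits, pkcs8=False):
    """SEC1 (default) or PKCS#8 shape for a named curve (constructed, not a usable key)."""
    priv = _tlv(0x04, secrets.token_bytes((bits + 7) // 8))
    if not pkcs8:
        return _pem("EC PRIVATE KEY", _tlv(0x30, _int(1) + priv + _tlv(0xA0, _oid(curve_oid))))
    alg = _tlv(0x30, _oid(OID_EC) + _oid(curve_oid))
    return _pem("PRIVATE KEY", _tlv(0x30, _int(0) + alg + _tlv(0x04, _tlv(0x30, _int(1) + priv))))

if __name__ == "__main__":
    for name, pem in [("rsa-1024", make_rsa_pem(1024)), ("p256", make_ec_pem("1.2.840.10045.3.1.7", 256))]:
        print(name, check_key(pem))  # rsa-1024 is rejected, p256 passes
```

The check fails closed: a key on a curve that is not in the named-curve table, or one carrying explicit curve parameters, raises instead of passing, and an encrypted PEM must be decrypted before it is inspected. Run over a directory of key files, the same function gives the "only accept private keys meeting this standard" gate the paragraph calls for.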

All Agency-owned or operated systems must be capable of establishing a trust chain with Agency designated certificate authorities. For TTI domain-joined systems, this is accomplished automatically via group policy. For other systems, information resource owners or custodians may be required to manually install root CA certificates. Owners and custodians are responsible for ensuring any certificates installed on an information system under their control establish a successful trust chain up to an authorized CA.

Cryptographic keys are modified, lost, destroyed or disclosed to unauthorized parties.
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
The organization appropriately secures public and private keys.
When cryptography is required and employed within the information system, the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures.
Obtain system and communications protection policy; procedures addressing cryptographic key management and establishment; NIST Special Publications 800-56 and 800-57; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (i) the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures, when cryptography is required and employed within the information system.