Establish, implement, and maintain cryptographic key management procedures.


CONTROL ID
00571
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Manage the use of encryption controls and cryptographic controls., CC ID: 00570

This Control has the following implementation support Control(s):
  • Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties., CC ID: 13164
  • Bind keys to each identity., CC ID: 12337
  • Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures., CC ID: 13152
  • Include requesting cryptographic key types in the cryptographic key management procedures., CC ID: 13151
  • Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys., CC ID: 01301
  • Generate strong cryptographic keys., CC ID: 01299
  • Implement decryption keys so that they are not linked to user accounts., CC ID: 06851
  • Include the establishment of cryptographic keys in the cryptographic key management procedures., CC ID: 06540
  • Disseminate and communicate cryptographic keys securely., CC ID: 01300
  • Control the input and output of cryptographic keys from a cryptographic module., CC ID: 06541
  • Store cryptographic keys securely., CC ID: 01298
  • Include offsite backups of cryptographic keys in the cryptographic key management procedures., CC ID: 13127
  • Change cryptographic keys in accordance with organizational standards., CC ID: 01302
  • Destroy cryptographic keys promptly after the retention period., CC ID: 01303
  • Control cryptographic keys with split knowledge and dual control., CC ID: 01304
  • Prevent the unauthorized substitution of cryptographic keys., CC ID: 01305
  • Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys., CC ID: 06852
  • Require key custodians to sign the cryptographic key management policy., CC ID: 01308
  • Require key custodians to sign the key custodian's roles and responsibilities., CC ID: 11820
  • Test cryptographic key management applications, as necessary., CC ID: 04829
  • Manage the digital signature cryptographic key pair., CC ID: 06576
  • Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates., CC ID: 06587
  • Establish, implement, and maintain Public Key certificate application procedures., CC ID: 07079
  • Establish a Root Certification Authority to support the Public Key Infrastructure., CC ID: 07084


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • An authorized person to whom a key was disclosed must use the key only in the manner and for the purposes stated in the disclosure notice. (§ 11(7)(a), South African Interception of Communications Act, No 6/2007)
  • A law enforcement officer to whom an encryption key is released shall use it in the way and the purpose and duration stated in the court order and shall not exceed the duration of the Electronic Surveillance for which the key was released. (§ 87(4), The Electronic Communications and Transactions Act, 2002)
  • AIs should adopt secure and internationally-recognised strong encryption algorithms to protect the confidentiality of customers' information transmitted over external networks including the Internet, and highly sensitive information (e.g. this refers mainly to customers' login credentials such as e-… (§ 5.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should adopt secure and internationally-recognised strong encryption algorithms to protect the confidentiality of customers' information transmitted over external networks including the Internet, and highly sensitive information (e.g. this refers mainly to customers' login credentials such as e-… (§ 5.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • If cryptographic technology is used to protect the confidentiality and integrity of AIs’ information, AIs should adopt industry-accepted cryptographic solutions and implement sound key management practices to safeguard the associated cryptographic keys. Sound practices of key management generally … (3.1.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The licensed corporation should implement a comprehensive information security policy to prevent any unauthorised disclosure. This policy should include an appropriate data classification framework, descriptions of the various data classification levels, a list of roles and responsibilities for iden… (14., Circular to Licensed Corporations - Use of external electronic data storage)
  • O43: The organization shall establish procedures for generating, distributing, using, and storing cryptographic keys. The procedure management documents should be controlled by the officer in charge. O43.2: For financial institutions, the organization shall establish working procedures for processin… (O43, O43.2, O53-1.2(3).2, O53-1.2(4).3, T42, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • When storing common keys or private keys on the terminal devices, such as a personal computer, it is necessary to take measures to prevent the keys from being decrypted by others. (P13.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Furthermore, for access to the locations where sensitive servers are installed in the head offices and branch offices, proper access authorization and key management should be implemented. (P56.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Procedures for management of encryption keys in use should be established and properly operated. (P140.1.(3) 2) ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Procedures for management of encryption keys in use should be established and properly operated. (P140.1.(4) 3) ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Since security is primarily based on the encryption keys, effective key management is crucial. Effective key management systems are based on an agreed set of standards, procedures, and secure methods that address (Critical components of information security 14) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Make sure that keys with a long life are sparsely used. The more a key is used, the greater the opportunity for an attacker to discover the key (Critical components of information security 14) (iv) h., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Ensuring key management is fully automated (e.g., personnel do not have the opportunity to expose a key or influence the key creation) (Critical components of information security 14) (iv) d., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Logging the auditing of key management-related activities (Critical components of information security 14) (iii) g., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Cryptographic key management policy, standards and procedures covering key generation, distribution, installation, renewal, revocation, recovery and expiry should be established. (§ 10.2.1, Technology Risk Management Guidelines, January 2021)
  • The FI should ensure cryptographic keys are securely generated and protected from unauthorised disclosure. Any cryptographic key or sensitive data used to generate or derive the keys should also be protected or securely destroyed after the key is generated. (§ 10.2.2, Technology Risk Management Guidelines, January 2021)
  • protect private cryptographic keys; (Annex C.1(b), Technology Risk Management Guidelines, January 2021)
  • PFS is used for IPsec connections. (Security Control: 1000; Revision: 4, Australian Government Information Security Manual, March 2021)
  • ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE. (Security Control: 0499; Revision: 8, Australian Government Information Security Manual, March 2021)
  • Certificates are generated using an evaluated certificate authority solution or hardware security module. (Security Control: 1324; Revision: 3, Australian Government Information Security Manual, March 2021)
  • The PMK caching period is not set to greater than 1440 minutes (24 hours). (Security Control: 1330; Revision: 1, Australian Government Information Security Manual, March 2021)
  • When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required. (Security Control: 0489; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Cryptographic key management processes, and supporting cryptographic key management procedures, are developed, implemented and maintained. (Control: ISM-0507; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Cryptographic key management processes, and supporting cryptographic key management procedures, are developed, implemented and maintained. (Control: ISM-0507; Revision: 5, Australian Government Information Security Manual, September 2023)
  • The organization must ensure the public keys that are used to pass encrypted session keys are different than the keys that are used for digital signatures, if the organization is using Rivest Shamir Adleman for digital signatures and passing encryption session keys. (Control: 0477, Australian Government Information Security Manual: Controls)
  • The organization should ensure the key cache expires inside of 4 hours of inactivity, if the organization uses Secure Shell agent software or other similar key caching programs. (Control: 0489 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must not use manual keying for key exchange, when it is establishing an Internet Protocol Security connection. (Control: 1233, Australian Government Information Security Manual: Controls)
  • The organization must comply with Australian Communications - Electronic Security Instruction 53 and Australian Communications - Electronic Security Instruction 105 when it uses High Grade Cryptographic Equipment. (Control: 0499, Australian Government Information Security Manual: Controls)
  • The organization should establish and maintain a Key Management Plan when it uses commercial grade cryptographic equipment to implement a cryptographic system. (Control: 0507, Australian Government Information Security Manual: Controls)
  • The organization must establish and maintain a Key Management Plan when it uses High Grade Cryptographic Equipment to implement a cryptographic system. (Control: 0509, Australian Government Information Security Manual: Controls)
  • The Key Management Plan should document how the accounting will be accomplished for the cryptographic system. (Control: 0510 Table Row "Accounting", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should document what records will be maintained. (Control: 0510 Table Row "Accounting", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include how the records will be audited. (Control: 0510 Table Row "Accounting", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include a description of when to declare that key material was compromised. (Control: 0510 Table Row "Cyber security incidents", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the procedures to follow for reporting and dealing with cyber security incidents. (Control: 0510 Table Row "Cyber security incidents", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include who generates the keys. (Control: 0510 Table Row "Key management", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include how the cryptographic keys are delivered. (Control: 0510 Table Row "Key management", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include how cryptographic keys are received. (Control: 0510 Table Row "Key management", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include local, remote, and central cryptographic key distribution. (Control: 0510 Table Row "Key management", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include how cryptographic keys are installed. (Control: 0510 Table Row "Key management", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include how cryptographic keys are transferred. (Control: 0510 Table Row "Key management", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include how cryptographic keys are stored. (Control: 0510 Table Row "Key management", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include how cryptographic keys are recovered. (Control: 0510 Table Row "Key management", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include how cryptographic keys are revoked. (Control: 0510 Table Row "Key management", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include how cryptographic keys are destroyed. (Control: 0510 Table Row "Key management", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include procedures for maintaining the cryptographic hardware and cryptographic software. (Control: 0510 Table Row "Maintenance", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the destruction of cryptographic equipment and cryptographic media. (Control: 0510 Table Row "Maintenance", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the cryptographic system objectives and the Key Management Plan objectives, including the organizational aims. (Control: 0510 Table Row "Objectives", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the relevant Australian Communications - Electronic Security Instruction, related policies, and vendor documentation. (Control: 0510 Table Row "References", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the classification or sensitivity of the cryptographic system hardware. (Control: 0510 Table Row "Sensitivity or classification", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the classification or sensitivity of the cryptographic system software. (Control: 0510 Table Row "Sensitivity or classification", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the classification or sensitivity of the cryptographic system documentation. (Control: 0510 Table Row "Sensitivity or classification", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the classification or sensitivity of the information being protected. (Control: 0510 Table Row "System description", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the use of the cryptographic keys. (Control: 0510 Table Row "System description", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include a description of the cryptographic environment. (Control: 0510 Table Row "System description", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include a description of the administrative responsibilities for the cryptographic system. (Control: 0510 Table Row "System description", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the cryptographic key algorithms. (Control: 0510 Table Row "System description", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the cryptographic key lengths. (Control: 0510 Table Row "System description", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the cryptographic key lifetime. (Control: 0510 Table Row "System description", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include diagrams and descriptions of the cryptographic system topology, that includes the data flows. (Control: 0510 Table Row "Topology", Australian Government Information Security Manual: Controls)
  • The Key Management Plan must have a level of detail that is consistent with the classification or sensitivity of the information being protected. (Control: 0511, Australian Government Information Security Manual: Controls)
  • The Pairwise Master Key caching period should not be set to greater than 1440 minutes (24 hours). (Control: 1330, Australian Government Information Security Manual: Controls)
  • predefined activation and deactivation dates for cryptographic keys, limiting the period of time they remain valid for use. The period of time a cryptographic key remains valid would be commensurate with the risk; (Attachment E 5(d)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of their security. Any compromise to t… (Attachment F ¶ 5, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes; (Art. 9.4. ¶ 1(d), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised (Section 5.8 KRY-04 Basic requirement ¶ 1 Bullet 5, Cloud Computing Compliance Controls Catalogue (C5))
  • Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SA-01, in which the following aspects are described: (Section 5.8 KRY-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Cryptographic procedures, (5.1.1 Requirements (should) Bullet 2 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • Key sovereignty requirements (particularly in case of external processing) are determined and fulfilled. (C, I) (5.1.1 Additional requirements for high protection needs Bullet 1, Information Security Assessment, Version 5.1)
  • Procedures for the complete lifecycle of cryptographic keys, including generation, storage, archiving, retrieval, distribution, deactivation, renewal and deletion. (5.1.1 Requirements (should) Bullet 2 Sub-Bullet 3, Information Security Assessment, Version 5.1)
  • encryption and key management; (§ 7.11 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • (§ 4.2, OGC ITIL: Security Management)
  • The entity uses data encryption to supplement other measures to protect data in transit and at rest when such protections are deemed appropriate based on the assessed level of risk. The entity administrates, maintains and manages its encryption key management systems and regularly backs up its key s… (S7.1 Uses encryption to protect data, Privacy Management Framework, Updated March 1, 2020)
  • The entity uses a combination of controls to restrict access to its information assets including data classification. The entity enforces logical separations of data structures and the segregation of incompatible duties, applies device security hardening and security configuration policies, including… (S7.1 Restricts access to information assets, Privacy Management Framework, Updated March 1, 2020)
  • Processes are in place to protect public and private encryption keys during generation, storage, use, deactivation and destruction. (S7.1 Protects encryption keys, Privacy Management Framework, Updated March 1, 2020)
  • (§ IX.4, § IX.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is there an established policy regarding the sharing of your public key with others and how they share theirs with you? (Table Row IX.2, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is there adequate protection for encryption keys against theft, disclosure, and alteration? (Table Row IX.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are secret keys unlocked securely? (Table Row IX.6, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • How are encryption keys managed, including key retirement or key replacement when someone who has access leaves the organization? (Table Row IX.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Do encrypted keys contain expiration dates? (Table Row IX.9, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is there a secure means for replacing encryption keys? (Table Row IX.10, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is there a policy in place to retrieve archived keys, if needed in the future? (Table Row IX.16, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure. (DS5.8 Cryptographic Key Management, CobiT, Version 4.1)
  • (Principle 7.22, ISACA Cross-Border Privacy Impact Assessment)
  • establish user (human, software process or device) control of the corresponding private key; and (5.11.1 ¶ 1(d), IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • establish the mutual trust using the symmetric key; (5.16.1 ¶ 1 a), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • establish user (human, software process or device) control of the corresponding private key; (5.11.1 ¶ 1 d), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • ensure that the algorithms and keys used for the public key authentication conform to 8.5. (5.11.1 ¶ 1 f), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • provide the capability to provision and protect the confidentiality, integrity, and authenticity of asset owner keys and data to be used as "roots of trust"; and (15.10.1 ¶ 1 a), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Ensure encryption keys cannot be stolen. A tamper proof hardware device is a good practice for secure storage of keys. (§ 3-10, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • Verify the existence of key-management procedures for keys used for encryption of cardholder data. (§ 3.6.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the key management policies and procedures to verify there are processes to protect the encryption keys against misuse and disclosure and the Key-Encrypting Keys are at least as strong as the Data-Encrypting Keys. (Testing Procedures § 3.5 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the key management documentation a service provider furnishes their customers, when they share keys for the transmission or storage of cardholder data, to verify the documentation includes guidance on how to securely store, transmit, and update customers' keys. (Testing Procedures § 3.6.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Cryptographic keys used for encryption of cardholder data will be protected against both disclosure and misuse. (§ 3.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify the existence of key-management procedures for keys used for encryption of cardholder data. (§ 3.6.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Document and implement procedures to protect the encryption keys that are used for securing the stored cardholder data against misuse and disclosure. (PCI DSS Requirements § 3.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The key management processes and procedures used for encrypting cardholder data must be fully documented and implemented. (PCI DSS Requirements § 3.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following: (3.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. (3.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. (3.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following: (3.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. (3.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following: (3.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? (2.3 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are all key-management processes and procedures fully documented and implemented for cryptographic keys used for encryption of cardholder data? (3.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are all key-management processes and procedures fully documented and implemented for cryptographic keys used for encryption of cardholder data? (3.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are key-management processes and procedures implemented to require the following: (3.6(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are keys used to secure stored cardholder data protected against disclosure and misuse as follows: (3.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are all key-management processes and procedures fully documented and implemented for cryptographic keys used for encryption of cardholder data? (3.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are all key-management processes and procedures fully documented and implemented for cryptographic keys used for encryption of cardholder data? (3.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are key-management processes and procedures implemented to require the following: (3.6(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are keys used to secure stored cardholder data protected against disclosure and misuse as follows: (3.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine key-management policies and procedures to verify processes are specified to protect keys used for encryption of cardholder data against disclosure and misuse and include at least the following: - Access to keys is restricted to the fewest number of custodians necessary. - Key-encrypting keys… (3.5, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Additional testing procedure for service provider assessments only: If the service provider shares keys with their customers for transmission or storage of cardholder data, examine the documentation that the service provider provides to their customers to verify that it includes guidance on how to s… (3.6.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine the key-management procedures and processes for keys used for encryption of cardholder data and perform the following: (3.6.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Keys used for the decryption of data should be tied to user accounts. Encryption keys should be appropriately protected by implementing a key management procedure to prevent disclosure or misuse. (§ 2.4 thru § 2.6, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • A user-available security policy from the vendor addresses the proper use of the HSM in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define t… (C1, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 2.0)
  • The key-management techniques implemented in the device conform to ISO 11568 and/or ANSI X9.24. Key-management techniques must support ANSI TR-31 key-derivation methodology or an equivalent methodology for maintaining the TDEA key bundle. (B11, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • A user-available security policy from the vendor addresses the proper use of the device in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must defin… (C1, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • Mechanisms for the control of the use of the private key are provided. (H1 Bullet 3, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: (3.6.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data. (3.7.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented to include managing these operations using split knowledge and dual control. (3.7.6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Key management policies and procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: (3.7.5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities. (3.7.8, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys. (3.7.7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data. (3.7.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data. (3.7.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Preventing the use of the same cryptographic keys in production and test environments. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. (3.6.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation about the key management procedures and processes associated with the keyed cryptographic hashes to verify keys are managed in accordance with Requirements 3.6 and 3.7. (3.5.1.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented key-management policies and procedures to verify that processes to protect cryptographic keys used to protect stored account data against disclosure and misuse are defined to include all elements specified in this requirement. (3.6.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel to verify that processes are implemented in accordance with all elements specified in this requirement. (3.7.5.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are all key management processes and procedures fully documented and implemented for cryptographic keys used for encryption of cardholder data? (PCI DSS Question 3.6(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are all key management processes and procedures fully documented and implemented for cryptographic keys used for encryption of cardholder data? (PCI DSS Question 3.6(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Key management policies and procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: (3.7.5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities. (3.7.8, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: (3.6.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data. (3.7.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented to include managing these operations using split knowledge and dual control. (3.7.6, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys. (3.7.7, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data. (3.7.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data. (3.7.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data. (3.7.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data. (3.7.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data. (3.7.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: (3.6.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented to include managing these operations using split knowledge and dual control. (3.7.6, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities. (3.7.8, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key management policies and procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: (3.7.5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys. (3.7.7, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Preventing the use of the same cryptographic keys in production and test environments. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. (3.6.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Keys shall be managed per ANSI X9.24 (all parts) /ISO 11568 (all parts) or its equivalent within Secure Cryptographic Devices (SCD) such as a PED, HSM, etc., as defined in ANSI X9.97 (all parts) /ISO 13491 (all parts) or its equivalent. (¶ 5, Visa Data Field Encryption, Version 1.0)
  • All encryption systems should have the capability to recover encryption keys. (Pg 12-II-19, Pg 12-II-46, Pg 12-IV-17, Protection of Assets Manual, ASIS International)
  • A Public Key Infrastructure should be supported by documented standards / procedures, which covers the establishment of a Root Certification Authority and one or more subsidiary certification authorities. (CF.08.06.01a, The Standard of Good Practice for Information Security)
  • A Public Key Infrastructure should be supported by documented standards / procedures, which covers the methods of protecting important internal certification authorities (and related sub-certification authorities). (CF.08.06.01b, The Standard of Good Practice for Information Security)
  • A Public Key Infrastructure should be supported by documented standards / procedures, which covers the integration of the Public Key Infrastructure with business applications and technical infrastructure that will use it. (CF.08.06.01c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for managing cryptographic keys, which cover the lifecycle of cryptographic keys. (CF.08.05.01a, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for managing cryptographic keys, which cover mandatory key disclosure. (CF.08.05.01d, The Standard of Good Practice for Information Security)
  • A documented Process for managing cryptographic keys should be established, which covers secure distribution, activation and storage, recovery and replacement / update of cryptographic keys. (CF.08.05.02b, The Standard of Good Practice for Information Security)
  • Ownership of cryptographic keys should be assigned to individuals, who are made aware of their responsibilities for using and protecting keys (and where necessary disclosing keys) assigned to them. (CF.08.05.03a, The Standard of Good Practice for Information Security)
  • A method of handling 'mandatory cryptographic key disclosure' should be established, which includes managing cryptographic keys centrally and at an enterprise-wide level (e.g., so that a corporate copy of a user's cryptographic key can be disclosed). (CF.08.05.05a, The Standard of Good Practice for Information Security)
  • A method of handling 'mandatory cryptographic key disclosure' should be established, which includes establishing a cryptographic key escrow scheme (i.e., where copies of cryptographic keys are held by an authorized external party, such as a legal representative, lawyer, or equivalent). (CF.08.05.05b, The Standard of Good Practice for Information Security)
  • A method of handling 'mandatory cryptographic key disclosure' should be established, which includes providing users, that might cross international borders with computer equipment, with advice on disclosing cryptographic keys to the authorities (e.g., at international border control). (CF.08.05.05c, The Standard of Good Practice for Information Security)
  • A method of handling 'mandatory cryptographic key disclosure' should be established, which includes maintaining procedures for responding to e-discovery orders that relate to encrypted information. (CF.08.05.05d, The Standard of Good Practice for Information Security)
  • Digital Rights Management should be built upon a robust, recoverable technical infrastructure that is supported by cryptography (using approved cryptographic algorithms and keys). (CF.08.08.03d, The Standard of Good Practice for Information Security)
  • A Public Key Infrastructure should be supported by documented standards / procedures, which covers the establishment of a Root Certification Authority and one or more subsidiary certification authorities. (CF.08.06.01a, The Standard of Good Practice for Information Security, 2013)
  • A Public Key Infrastructure should be supported by documented standards / procedures, which covers the methods of protecting important internal certification authorities (and related sub-certification authorities). (CF.08.06.01b, The Standard of Good Practice for Information Security, 2013)
  • A Public Key Infrastructure should be supported by documented standards / procedures, which covers the integration of the Public Key Infrastructure with business applications and technical infrastructure that will use it. (CF.08.06.01c, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for managing cryptographic keys, which cover the lifecycle of cryptographic keys. (CF.08.05.01a, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for managing cryptographic keys, which cover mandatory key disclosure. (CF.08.05.01d, The Standard of Good Practice for Information Security, 2013)
  • A documented Process for managing cryptographic keys should be established, which covers secure distribution, activation and storage, recovery and replacement / update of cryptographic keys. (CF.08.05.02b, The Standard of Good Practice for Information Security, 2013)
  • Ownership of cryptographic keys should be assigned to individuals, who are made aware of their responsibilities for using and protecting keys (and where necessary disclosing keys) assigned to them. (CF.08.05.03a, The Standard of Good Practice for Information Security, 2013)
  • A method of handling 'mandatory cryptographic key disclosure' should be established, which includes managing cryptographic keys centrally and at an enterprise-wide level (e.g., so that a corporate copy of a user's cryptographic key can be disclosed). (CF.08.05.05a, The Standard of Good Practice for Information Security, 2013)
  • A method of handling 'mandatory cryptographic key disclosure' should be established, which includes establishing a cryptographic key escrow scheme (i.e., where copies of cryptographic keys are held by an authorized external party, such as a legal representative, lawyer, or equivalent). (CF.08.05.05b, The Standard of Good Practice for Information Security, 2013)
  • A method of handling 'mandatory cryptographic key disclosure' should be established, which includes providing users, that might cross international borders with computer equipment, with advice on disclosing cryptographic keys to the authorities (e.g., at international border control). (CF.08.05.05c, The Standard of Good Practice for Information Security, 2013)
  • A method of handling 'mandatory cryptographic key disclosure' should be established, which includes maintaining procedures for responding to e-discovery orders that relate to encrypted information. (CF.08.05.05d, The Standard of Good Practice for Information Security, 2013)
  • Digital Rights Management should be built upon a robust, recoverable technical infrastructure that is supported by cryptography (using approved cryptographic algorithms and keys). (CF.08.08.03d, The Standard of Good Practice for Information Security, 2013)
  • Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57. (1.6.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used. (6.2.6, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets. (6.4.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • All entitlement decisions shall be derived from the identities of the entities involved. These shall be managed in a corporate identity management system. Keys must have identifiable owners (binding keys to identities) and there shall be key management policies. (EKM-01, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptog… (EKM-02, Cloud Controls Matrix, v3.0)
  • CSPs must provide the capability for CSCs to manage their own data encryption keys. (CEK-08, Cloud Controls Matrix, v4.0)
  • Manage cryptographic secret and private keys that are provisioned for a unique purpose. (CEK-11, Cloud Controls Matrix, v4.0)
  • Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements. (CEK-16, Cloud Controls Matrix, v4.0)
  • Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements. (CEK-21, Cloud Controls Matrix, v4.0)
  • Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission. (IS-19, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • ¶ 8.2.5(5) Cryptography. An organization should implement safeguards to assure cryptography procedures are in place. Cryptography is a mathematical means of transforming data to provide security. It can be used for many different purposes in IT security, for example, cryptography can help to provid… (¶ 8.2.5(5), ¶ 9.2 Table Row "Key Management", ¶ 10.2.9, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Cryptographic keys should be properly managed through their entire lifecycle (generation, distribution, access, and destruction). (§ 10.1, § E.1, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Key-management techniques should be in place. All keys should be protected against modification, loss, destruction, and unauthorized disclosure. The equipment that generates the keys should be physically protected. The key-management system should contain methods for generating keys; generating publ… (§ 12.3.2, ISO 27002 Code of practice for information security management, 2005)
  • Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. (§ 8.24 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management. Where the cloud service provides key management functionality for use by the cloud service customer, the cloud service customer should request the following informat… (§ 10.1.2 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The entity protects cryptographic keys during generation, storage, use, and destruction. Cryptographic modules, algorithms, key lengths, and architectures are appropriate based on the entity's risk mitigation strategy. (CC6.1 ¶ 3 Bullet 11 Protects Cryptographic Keys, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • establish user (human, software process or device) control of the corresponding private key; (5.11.1 ¶ 1 (d), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • ensure that the algorithms and keys used for the public key authentication comply with 8.5 CR 4.3 – Use of cryptography. (5.11.1 ¶ 1 (f), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Means should be defined for installing the keys into the component. This may include installing and managing the component key using out-of-band methods. This is necessary since a compromise of any symmetric keys that are stored within the component could lead to a full compromise of the system usin… (5.16.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • establish the mutual trust using the symmetric key; (5.16.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The selection of cryptographic protection should be based on a threat and risk analysis which covers the value of the information being protected, the consequences of the confidentiality and integrity of the information being breached, the time period during which the information is confidential and… (8.5.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • provide the capability to provision and protect the confidentiality, integrity, and authenticity of asset owner keys and data to be used as "roots of trust"; and (15.10.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes. (SC-12(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes. (SC-12(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Processes are in place to protect encryption keys during generation, storage, use, and destruction. (CC6.1 Protects Encryption Keys, Trust Services Criteria)
  • Processes are in place to protect encryption keys during generation, storage, use, and destruction. (CC6.1 ¶ 2 Bullet 10 Protects Encryption Keys, Trust Services Criteria, (includes March 2020 updates))
  • When encryption tools are managed and maintained for scoped data, is there a centralized key management system? (§ I.6.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When encryption tools are managed and maintained for scoped data, is there key/certificate sharing between production and non-production? (§ I.6.7, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • For cloud computing services, are staff able to access the client's encryption key? (§ V.1.45, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Keying crypto systems that protect classified or unclassified-sensitive systems should only use keys that are produced by NSA or generated by an NSA-approved key generator. The organization should use remote electronic keying or rekeying to the maximum extent possible. (§ 4-1.g, § 4-1.h, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • Self-authentication, as in internal control of symmetric "private" keys, is acceptable. (ACCEPTABLE AUTHENTICATION APPROACHES 3., HIPAA HCFA Internet Security Policy, November 1998)
  • CSR 10.4.2: Encryption must meet federal standards and controls for key distribution, use, storage, generation, and destruction and the organization must implement archiving. To authenticate a cryptographic module, a FIPS-approved encryption method must be used that is, at a minimum, a Triple Data E… (CSR 10.4.2, CSR 10.4.6, CSR 10.4.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The security administrator must ensure that the relevant shared or private secret key is able to be read only from the process that is running the biometric software. (§ 4.6 ¶ BIO2020, DISA Access Control STIG, Version 2, Release 3)
  • § 2.2 (WIR2250) All required wireless e-mail server and device configuration should be implemented. App B.3 Row "Removable Media Encryption Key", located under System Management/Organization Settings/Policy, should be set per-device or per user. (§ 2.2 (WIR2250), App B.3 Row "Removable Media Encryption Key", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist, Version 5 Release 2.4)
  • Establish and manage cryptographic keys for cryptography employed in organizational systems. (SC.3.187, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Establish and manage cryptographic keys for cryptography employed in organizational systems. (SC.3.187, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Establish and manage cryptographic keys for cryptography employed in organizational systems. (SC.3.187, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Establish and manage cryptographic keys for cryptography employed in organizational systems. (SC.L2-3.13.10 Key Management, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • CSP Customer / Mission Owner (MO) maintains control of the keys, from creation through storage and use to destruction. (Section 5.11 ¶ 3 Bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Impact Level 6: Whenever an on-premises CSO is responsible for authentication of DoD entities and/or identifying a hosted DoD information system, the CSP will use NSS PKI certificates in compliance with DoDI 8520.03 and CNSSP-25. CSPs will enforce the use of a physical token referred to as the CNSS … (Section 5.4 ¶ 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Impact Levels 4/5: Whenever a CSP is responsible for authentication of entities and/or identifying a hosted DoD information system, the CSP will use DoD PKI certificates in compliance with DoDI 8520.03. CSPs will enforce the use of a physical token referred to as the "Common Access Card (CAC)" or "A… (Section 5.4 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Impact Level 2: Whenever a CSP is responsible for authentication of entities and/or identifying a hosted DoD information system, the CSP will use DoD PKI certificates in compliance with DoDI 8520.03. CSPs will enforce the use of a physical token referred to as the "Common Access Card (CAC)" or "Alt … (Section 5.4 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • All encryption services for data-at-rest must be implemented such that the Mission Owner has sole control over key management and use. (Section 5.10.6 ¶ 1 Bullet 11, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • National Security Agency-approved key management technology and processes must be used to produce, control, and distribute symmetric keys. (IAKM-3, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • National Security Agency-approved key management technology and processes must be used to produce, control, and distribute asymmetric keys. (IAKM-3, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The agency shall verify that default shared keys are replaced with unique keys. (§ 5.5.7.1(10), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall verify that default shared encryption keys are replaced by more secure unique encryption keys. (§ 5.5.7.2 ¶ 2(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall enable the utilization of key-mapping encryption keys instead of default encryption keys when Wired Equivalent Privacy is used for wireless implementations and when Wired Equivalent Privacy and Wi-Fi Protected Access security features are used for wireless security in conjunction wi… (§ 5.5.7.2 ¶ 2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • An agency shall establish a "minimum key size" for any negotiation process involving a Bluetooth device. (§ 5.5.7.4 ¶ 4(13), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Encryption. Encrypted information can only be decrypted, and therefore read, by those possessing the appropriate cryptographic key. While encryption can provide strong access control, it is accompanied by the need for strong key management. Follow the guidance in Section 5.10.1.2 for encryption requ… (§ 5.5.2.4 ¶ 1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Encryption. Encrypted information can only be decrypted, and therefore read, by those possessing the appropriate cryptographic key. While encryption can provide strong access control, it is accompanied by the need for strong key management. Follow the guidance in Section 5.10.1.2 for encryption requ… (§ 5.5.2.4 ¶ 1 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • For high-risk users, strong authentication, such as MFA solutions using hardware and cryptographic factors, can mitigate risks associated with unauthorized access to information systems. When cryptographic MFA solutions are used, cryptographic keys are stored securely and protected from attack, for … (Section 5 ¶ 5 Bullet 2, Authentication and Access to Financial Institution Services and Systems)
  • Determine how and where management uses encryption and if the type and strength are sufficient to protect information appropriately. Additionally, determine whether management has effective controls over encryption key management. (App A Objective 6.30, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Any person who uses an electronic signature that is based on the use of an identification code and password shall ensure the electronic signature's integrity and security by following loss management procedures for electronically deauthorizing lost, missing, stolen, or potentially compromised cards,… (§ 11.300(c), 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization produces, controls, and distributes symmetric cryptographic keys using [FedRAMP Selection: NIST FIPS-compliant] key management technology and processes. (SC-12(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization produces, controls, and distributes symmetric cryptographic keys using [FedRAMP Selection: NIST FIPS-compliant] key management technology and processes. (SC-12(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [FedRAMP Assignment: In accordance with Federal requirements]. (SC-12 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [FedRAMP Assignment: In accordance with Federal requirements]. (SC-12 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [FedRAMP Assignment: In accordance with Federal requirements]. (SC-12 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Cryptographic keys for Public Key Infrastructure (PKI) must be managed by automated mechanisms. (§ 5.6.15, Exhibit 4 SC-12, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are there policies and procedures in place describing how and when to use encryption for protecting the transmission and storage of key management information? (IT - Authentication Q 14a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Single-factor software cryptographic authenticators encapsulate one or more secret keys unique to the authenticator. The key SHALL be stored in suitably secure storage available to the authenticator application (e.g., keychain storage, TPM, or TEE if available). The key SHALL be strongly protected a… (5.1.6.1 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The key MAY be a symmetric key or a public key that corresponds to a private key. (6.1.2 ¶ 4 6., Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • The RP MAY verify the claimant's possession of the key in conjunction with the IdP, for example, by requesting that the IdP verify a signature or MAC calculated by the claimant in response to a cryptographic challenge. (6.1.2 ¶ 4 7., Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • At any FAL, the IdP SHALL ensure that an RP is unable to impersonate the IdP at another RP by protecting the assertion with a signature and key using approved cryptography. If the assertion is protected by a digital signature using an asymmetric key, the IdP MAY use the same public and private key p… (4.1 ¶ 1, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • The organization should use security requirements for cryptographic key management, including key generation, random number generation, key distribution, key establishment, key storage, key zeroization, and key entry and output, that encompasses the entire lifecycle. The cryptographic module shall p… (§ 4.7, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • § 4.1: For the SKIPJACK algorithm, at a minimum, the following functions shall be implemented: 1) Data encryption: an 80 bit session key to encrypt data in one or more of the following operation modes: ECB, CBC, OFB (64), CFB (1, 8, 16, 32, 64); 2) Data decryption: an 80 bit session key to encryp… (§ 4.1, § 5 ¶ 4, FIPS Pub 185, Escrowed Encryption Standard (EES))
  • § 3 ¶ 8: The organization shall not use a key pair that is being used for digital signature generation and verification for any other purpose. § 3.1 ¶ 3: Intended signatories shall get a digital signature key pair for the appropriate digital signature algorithm by either generating the key pair … (§ 3 ¶ 8, § 3.1 ¶ 3, § 3.1 ¶ 4, § 4.4, § 5.1 ¶ 1, § 6 ¶ 2, § 6.1.2, § 6.2 ¶ 2, App C, FIPS Pub 186-3, Digital Signature Standard (DSS))
  • The organization will need to implement some form of cryptographic key management system to effectively manage the cryptographic keys. (§ 8.4 ¶ 2, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • Each public/private key pair shall be bound to a particular organization, whether or not public key certificates are used for the authentication implementation, and may be accomplished by a trusted third party or by a verifier. (§ 2.1.2 ¶ 3, FIPS Pub 196, Entity Authentication using Public Key Cryptography)
  • If the organization implements the advanced encryption standard (AES) algorithm, it shall support at least one of the three key lengths (128, 192, or 256 bits). To promote interoperability, the implementation may, as an option, support two or three key lengths. (§ 6.1, FIPS Pub 197, Advanced Encryption Standard (AES))
  • Calls for System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • § 4.1.6.2: When cards are personalized, each personal identity verification (PIV) card shall contain a unique card management key. The keys shall meet the key size and algorithm requirements stated in Special Publication 800-78. § 4.3 ¶ 5: Each personal identity verification (PIV) card must have… (§ 4.1.6.2, § 4.3 ¶ 5, § 4.3 ¶ 7, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • When designing, implementing, and integrating cryptography in an IT system, an organization should take care to select design and implementation standards ahead of time. It should be decided whether a software or hardware implementation will be used, and management for cryptography key should be org… (§ 3.14, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure procedures or automated mechanisms have been developed for the management and establishment of cryptographic keys, keys are managed continuously, and specific responsibilities and actions are defined for the implementation of the cryp… (SC-12, SC-12.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Link keys should be based on combination keys, not unit keys, because successful man-in-the-middle attacks can occur when using shared unit keys. Unit keys are only available in versions earlier than v1.2. Version 1.2 devices that use Secure Simple Pairing should not use the Just Works model. If a d… (Table 4-2 Item 10, Table 4-2 Item 11, Table 4-2 Item 23, Table 4-3 Item 4, Table 4-4 Item 3, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • For mesh networks, consider the use of broadcast key versus public key management implemented at OSI Layer 2 to maximize performance. Asymmetric cryptography should be used to perform administrative functions, and symmetric encryption should be used to secure each data stream as well as network cont… (§ 6.2.1.5 ICS-specific Recommendations and Guidance ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Wireless device communications should be encrypted and integrity-protected. The encryption must not degrade the operational performance of the end device. Encryption at OSI Layer 2 should be considered, rather than at Layer 3 to reduce encryption latency. The use of hardware accelerators to perform … (§ 6.2.1.5 ICS-specific Recommendations and Guidance ¶ 1 Bullet 6, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Cryptography also introduces key management issues. Sound security policies require periodic key changes. This process becomes more difficult as the geographic size of the ICS increases, with extensive SCADA systems being the most severe example. Because site visits to change keys can be costly and … (§ 6.2.16.1 ICS-specific Recommendations and Guidance ¶ 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The use of pre-shared keys (PSK) should be avoided on WLANs requiring robust authentication methods. (§ 6.3.3.2 (Avoiding pre-shared keys), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • Integrate key management functions as related to cyberspace. (T0557, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Design and develop key management functions (as related to cybersecurity). (T0269, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Program custom algorithms. (T0383, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Enable applications with public keying by leveraging existing public key infrastructure (PKI) libraries and incorporating certificate management and encryption functionalities when appropriate. (T0416, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Maintaining the integrity and security of system data and software is a key component in contingency planning. Data integrity involves keeping data safe and accurate on the system's primary storage devices. There are several methods available to maintain the integrity of stored data. These methods u… (§ 5.1.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • If encrypted data is sent offsite for storage, there should be a cryptographic key management system in place to make sure the data is readable if it needs to be recovered onto a new or replaced system. The cryptographic key and the encryption software both need to be on the new system, along with t… (§ 5.2.2 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must establish and manage a cryptographic key policy that includes items such as key distribution, key changes, and key destruction. (SG.SC-11 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Establish and manage cryptographic keys for cryptography employed in the information system. (3.13.10, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Establish and manage cryptographic keys for cryptography employed in organizational systems. (3.13.10, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Establish and manage cryptographic keys for cryptography employed in organizational systems. (3.13.10, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must establish and manage the cryptographic keys used for cryptography. (App F § SC-12, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should utilize cryptographic security for information transmission unless protected with physical measures. (App F § SC-9(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should produce, control, and distribute symmetric cryptographic keys with National Institute of Standards and Technology-approved or National Security Agency-approved key management technology and processes. (App F § SC-12(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should produce, control, and distribute symmetric cryptographic keys and asymmetric cryptographic keys with National Security Agency-approved key management technology and processes. (App F § SC-12(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should produce, control, and distribute asymmetric cryptographic keys with approved Public Key Infrastructure class 3 certificates or prepositioned keying material. (App F § SC-12(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should produce, control, and distribute asymmetric cryptographic keys with approved Public Key Infrastructure class 3 or class 4 certificates and hardware security tokens to protect the user's private key. (App F § SC-12(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Cryptographic key management for the Industrial Control System should be used only to support internal nonpublic use. (App I § SC-12, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Enable applications with public keying by leveraging existing public key infrastructure (PKI) libraries and incorporating certificate management and encryption functionalities when appropriate. (T0416, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Design and develop key management functions (as related to cybersecurity). (T0269, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Integrate key management functions as related to cyberspace. (T0557, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with {organizationally documented requirements for key generation, distribution, storage, access, and destruction}. (SC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization produces, controls, and distributes symmetric cryptographic keys using {NIST FIPS-compliant or NSA-approved} key management technology and processes. (SC-12(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization produces, controls, and distributes asymmetric cryptographic keys using {one of the following: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security… (SC-12(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with {organizationally documented requirements for key generation, distribution, storage, access, and destruction}. (SC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with {organizationally documented requirements for key generation, distribution, storage, access, and destruction}. (SC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with {organizationally documented requirements for key generation, distribution, storage, access, and destruction}. (SC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes. (SC-12(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system. (SA-9(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Maintain physical control of cryptographic keys when stored information is encrypted by external service providers. (SC-12(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes. (SC-12(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system. (SA-9(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Maintain physical control of cryptographic keys when stored information is encrypted by external service providers. (SC-12(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes. (SC-12(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse. (IA-13(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. (SC-12 Control, TX-RAMP Security Controls Baseline Level 2)
  • The organization produces, controls, and distributes symmetric cryptographic keys using [TX-RAMP Selection: NIST FIPS-compliant] key management technology and processes. (SC-12(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)