Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules.
CONTROL ID 06547
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Define the cryptographic module security functions and the cryptographic module operational modes., CC ID: 06542
This Control has the following implementation support Control(s):
Document the operation of the cryptographic module., CC ID: 06546
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Cryptographic key management policy, standards and procedures covering key generation, distribution, installation, renewal, revocation, recovery and expiry should be established. (§ 10.2.1, Technology Risk Management Guidelines, January 2021)
Assess whether management restricts the use of bankcard encoding equipment to authorized personnel only. (App A Tier 2 Objectives and Procedures D.5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
Transfer of secret to secondary channel: The verifier SHALL display a random authentication secret to the claimant via the primary channel. It SHALL then wait for the secret to be returned on the secondary channel from the claimant's out-of-band authenticator. (5.1.3.2 ¶ 3 Bullet 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
The authenticator SHALL present a secret received via the secondary channel from the verifier and prompt the claimant to verify the consistency of that secret with the primary channel, prior to accepting a yes/no response from the claimant. It SHALL then send that response to the verifier. (5.1.3.1 ¶ 5 Bullet 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
For security level 1, the procedures for the secure installation, initialization, and startup of a cryptographic module shall be documented. For security levels 2, 3, and 4, in addition to the security level 1 requirements, the procedures required to maintain security while the module is being distr… (§ 4.10.2, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
The organization should require, if no United States Government Protection Profile exists but a commercially provided product relies on cryptographic functionality, that the cryptographic module is Federal Information Processing Standard-validated. (App F § SA-4(7)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The organization requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated. (SA-4(7)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)