Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules.
CONTROL ID
06547
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Define the cryptographic module security functions and the cryptographic module operational modes, CC ID: 06542

This Control has the following implementation support Control(s):
  • Document the operation of the cryptographic module, CC ID: 06546


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Cryptographic key management policy, standards and procedures covering key generation, distribution, installation, renewal, revocation, recovery and expiry should be established. (§ 10.2.1, Technology Risk Management Guidelines, January 2021)
  • Assess whether management restricts the use of bankcard encoding equipment to authorized personnel only. (App A Tier 2 Objectives and Procedures D.5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Transfer of secret to secondary channel: The verifier SHALL display a random authentication secret to the claimant via the primary channel. It SHALL then wait for the secret to be returned on the secondary channel from the claimant's out-of-band authenticator. (5.1.3.2 ¶ 3 Bullet 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The authenticator SHALL present a secret received via the secondary channel from the verifier and prompt the claimant to verify the consistency of that secret with the primary channel, prior to accepting a yes/no response from the claimant. It SHALL then send that response to the verifier. (5.1.3.1 ¶ 5 Bullet 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • For security level 1, the procedures for the secure installation, initialization, and startup of a cryptographic module shall be documented. For security levels 2, 3, and 4, in addition to the security level 1 requirements, the procedures required to maintain security while the module is being distr… (§ 4.10.2, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • The organization should require, if no United States Government Protection Profile exists but a commercially provided product relies on cryptographic functionality, that the cryptographic module is Federal Information Processing Standard (FIPS)-validated. (App F § SA-4(7)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated. (SA-4(7)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)