Skip to main content
NetStable
Level 2 SC.L2-3.13.10

Establish and manage cryptographic keys for cryptography

What It Means Why It Matters How to Implement Evidence SSP Guidance Assessment Common Mistakes

📖 What This Means

This practice means that your organization needs to create and maintain cryptographic keys used for encrypting and decrypting data securely. Cryptographic keys are like digital locks and keys that protect sensitive information from unauthorized access. Proper management ensures that these keys are generated securely, stored safely, and rotated or replaced when necessary. For example, if you encrypt customer data stored in your database, you need to ensure the keys used for encryption are not easily guessable and are stored separately from the encrypted data. Another example is managing SSL/TLS certificates for secure web communications, ensuring they are valid and renewed on time.

🎯 Why It Matters

Poor cryptographic key management can lead to data breaches, unauthorized access, and compliance failures. For instance, if cryptographic keys are weak or stored improperly, attackers can decrypt sensitive information, exposing customer data or intellectual property. A real-world example is the 2017 Equifax breach, where attackers exploited weak encryption practices to access sensitive data of 147 million people. From a DoD/CMMC perspective, this control ensures that Controlled Unclassified Information (CUI) remains protected from adversaries. The potential impact includes financial losses, reputational damage, and loss of contracts due to non-compliance.

How to Implement

  1. Use cloud-native key management services (KMS) like AWS KMS, Azure Key Vault, or Google Cloud KMS.
  2. Configure key policies to restrict access to authorized users and applications only.
  3. Enable automatic key rotation (e.g., AWS KMS supports automatic annual rotation).
  4. Use hardware security modules (HSMs) for added security where available (e.g., AWS CloudHSM).
  5. Log all key usage and access attempts for audit purposes.
  6. Ensure keys are stored separately from encrypted data.
  7. Test key recovery processes to ensure availability during outages.
⏱️
Estimated Effort
Implementation typically takes 1-2 weeks for small to medium organizations, requiring intermediate expertise in cryptography and key management.

📋 Evidence Examples

Key Management Policy

Format: PDF/DOC
Frequency: Update annually or when policies change.
Contents: Document outlining key generation, storage, rotation, and access controls.
Collection: Export from document management system.

Key Inventory

Format: CSV/XLSX
Frequency: Update quarterly.
Contents: List of all cryptographic keys, their purpose, and lifecycle status.
Collection: Export from KMS or manually maintained.

Access Logs

Format: LOG/CSV
Frequency: Retain for 1 year.
Contents: Logs showing who accessed keys and when.
Collection: Export from KMS or logging system.

Key Rotation Schedule

Format: PDF/DOC
Frequency: Update annually.
Contents: Document detailing key rotation intervals and procedures.
Collection: Export from document management system.

Audit Report

Format: PDF/DOC
Frequency: Annually.
Contents: Report verifying key management compliance.
Collection: Generate during internal or external audits.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For SC.L2-3.13.10 ("Establish and manage cryptographic keys for cryptography"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your network security architecture, including segmentation, encryption standards, VPN configuration, session management, key management, and monitoring capabilities. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"SC.L2-3.13.10 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to establish and manage cryptographic keys for cryptography. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"SC.L2-3.13.10 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to establish and manage cryptographic keys for cryptography. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"SC.L2-3.13.10 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Document network architecture with CUI boundary clearly marked
  • Identify all encryption mechanisms (at rest and in transit)
  • Specify network monitoring and IDS/IPS deployment
  • Ensure this control covers all systems within your defined CUI boundary where establish and manage cryptographic keys for cryptography applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 System and Communications Protection Policy
  • 📄 Network architecture diagram
  • 📄 Firewall rule documentation
  • 📄 Encryption configuration documentation
  • 📄 Evidence artifacts specific to SC.L2-3.13.10
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review network diagrams for proper segmentation, test encryption settings, verify VPN split tunneling is disabled, and check FIPS 140-2 validation of cryptographic modules.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented key management policy?

✅ YES → Proceed to Q2.
❌ NO → GAP: Develop a key management policy within 2 weeks.
Remediation:
Refer to NIST SP 800-57 for guidance on key management.

Question 2: Are cryptographic keys stored securely using FIPS 140-2 validated modules?

✅ YES → Proceed to Q3.
❌ NO → GAP: Migrate to FIPS 140-2 validated modules within 1 month.
Remediation:
Use cloud KMS services or HSMs for compliance.

Question 3: Is there a key rotation policy in place?

✅ YES → Proceed to Q4.
❌ NO → GAP: Implement a key rotation policy within 1 month.
Remediation:
Set rotation intervals (e.g., every 90 days).

Question 4: Are key access logs maintained and reviewed regularly?

✅ YES → Proceed to Q5.
❌ NO → GAP: Enable logging and schedule monthly reviews.
Remediation:
Configure logging in your KMS or HSM.

Question 5: Have you tested key recovery processes?

✅ YES → Compliance confirmed.
❌ NO → GAP: Test key recovery processes within 2 weeks.
Remediation:
Simulate a key loss scenario and verify recovery.

⚠️ Common Mistakes (What Auditors Flag)

1. Storing keys with encrypted data.

Why this happens: Lack of separation of duties or oversight.
How to avoid: Use dedicated key management systems and enforce access controls.

2. Using weak cryptographic algorithms.

Why this happens: Outdated practices or lack of awareness.
How to avoid: Adhere to NIST or FIPS standards for cryptographic algorithms.

3. Not rotating keys regularly.

Why this happens: Neglect or lack of automation.
How to avoid: Implement automated key rotation policies.

4. Failing to audit key usage.

Why this happens: Limited resources or oversight.
How to avoid: Schedule regular audits and review access logs.

5. Insufficient documentation.

Why this happens: Focusing only on technical implementation.
How to avoid: Maintain detailed policies, inventories, and schedules.

📚 Parent Policy

This practice is governed by the System and Communications Protection Policy

View SC Policy →

📚 Related Controls

SC.L2-3.13.11 - Use FIPS-validated cryptography SC.L2-3.13.12 - Protect the confidentiality of CUI at rest SC.L2-3.13.13 - Protect the confidentiality of CUI in transit
Previous
SC.L1-3.13.3
Back to SC
Next
SC.L2-3.13.11