Reference: CMMC 2.0
Family: SC
Level Introduced: 2
Title: Key Management
Practice:
Establish and manage cryptographic keys for cryptography employed in organizational systems.
CMMC Clarification:
The organization develops processes and technical mechanisms to protect the cryptographic key's confidentiality, authenticity and authorized use in accordance to industry standards and regulations. Key management systems provide oversight, assurance, and the capability to demonstrate the cryptographic keys are created in a secure manner and protected from loss or misuse throughout their lifecycle, e.g., active, expired, revoked. For a small number of keys, this can be accomplished with manual procedures and mechanisms. As the number of keys and cryptographic units increase, automation and tool support will be required.
Key establishment best practices are identified in NIST SP 800-56A, B and C. Key management best practices are identified in NIST SP 800-57 Parts 1, 2 and 3.
Example
You are an IT administrator at your organization responsible for providing key management. You have generated a public-private key pair to exchange CUI. You require all system administrators to read the company's policy on Key Management before you allow them to install the private key on their machines. No one else in the company is allowed to know or have a copy of the private key per the policy. You provide the public key to the other parties who will be sending you CUI and test the PKI to ensure the encryption is working.
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-171 Requirements (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-53 Controls (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.