Level 5 CMMC - CMMC Practices

SC.3.187  

Reference: CMMC 1.02

Family: SC

Level Introduced: 3

Practice:
Establish and manage cryptographic keys for cryptography employed in organizational systems.

CMMC Clarification:
The organization develops processes and technical mechanisms to protect the cryptographic key’s confidentiality, authenticity and authorized use in accordance to industry standards and regulations. Key management systems provide oversight, assurance, and the capability to demonstrate the cryptographic keys are created in a secure manner and protected from loss or misuse throughout their lifecycle, e.g., active, expired, revoked. For a small number of keys, this can be accomplished with manual procedures and mechanisms. As the number of keys and cryptographic units increase, automation and tool support will be required.

Key establishment best practices are identified in NIST SP 800-56A, B and C. Key management best practices are identified in NIST SP 800-57 Parts 1, 2 and 3.

Example
You are an IT administrator at your organization responsible for providing key management. You have generated a public-private key pair to exchange CUI. You require all system administrators to read the company’s policy on Key Management before you allow them to install the private key on their machines. No one else in the company is allowed to know or have a copy of the private key per the policy. You provide the public key to the other parties who will be sending you CUI and test the PKI to ensure the encryption is working.

3.13.10

Establish and manage cryptographic keys for cryptography employed in organizational systems.

Discussion:
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters.

[SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment.

Source: NIST Special Publication 800-171 Rev. 2

SC-12

CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

Description:
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Supplemental Guidance:
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02