SC-12 Cryptographic Key Establishment and Management
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction] (parameter sc-12_odp).

| Parameter ID | Definition |
|---|---|
| sc-12_odp | organization-defined requirements for key generation, distribution, storage, access, and destruction |
Baselines
- L
- M
- H
- P
Guidance
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST CMVP and NIST CAVP provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.
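The trust-store requirement above is the part of this control that can be checked mechanically: enumerate every anchor in the store and compare it with the approved list. The following Go program is an added example and is not part of the NIST control text or of any reference it cites. It assumes the organization records its approved trust anchors as SHA-256 certificate fingerprints (a convention chosen for this example), and it builds three constructed self-signed CA certificates at run time (an approved root, an unapproved root that copies the approved root's name, and an approved root that has expired) so that it runs offline with only the Go standard library. Names such as Corp Root CA, AuditTrustStore and Demo are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one policy violation found while auditing a trust store.
type Finding struct {
	Subject     string
	Fingerprint string // SHA-256 of the DER certificate, lowercase hex
	Reason      string
}

// Fingerprint hashes the DER encoding; anchors are pinned by this value rather than
// by subject name, so a look-alike CA carrying the same name is still rejected.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return fmt.Sprintf("%x", sum[:])
}

// AuditTrustStore walks a PEM bundle and reports every certificate not on the approved
// list, plus approved anchors that are not CAs or are outside their validity period at now.
func AuditTrustStore(bundle []byte, approved map[string]string, now time.Time) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // keys, CSRs and CRLs do not belong in a trust store
			findings = append(findings, Finding{Reason: "unexpected PEM block type " + block.Type})
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		fp, subj := Fingerprint(cert.Raw), cert.Subject.String()
		if _, ok := approved[fp]; !ok {
			findings = append(findings, Finding{subj, fp, "not on the approved trust-anchor list"})
			continue
		}
		if !cert.IsCA {
			findings = append(findings, Finding{subj, fp, "approved anchor lacks the CA basic constraint"})
		}
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			findings = append(findings, Finding{subj, fp, "approved anchor is outside its validity period"})
		}
	}
	return findings, nil
}

// selfSignedCA is a demo helper: a throwaway self-signed ECDSA P-256 CA in PEM (constructed data, not a real root).
func selfSignedCA(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Demo audits a constructed bundle: an approved root, an unapproved root that
// reuses the approved root's name, and an approved root that has expired.
func Demo() ([]Finding, error) {
	now := time.Now()
	good := selfSignedCA("Corp Root CA", now.Add(-time.Hour), now.AddDate(10, 0, 0))
	rogue := selfSignedCA("Corp Root CA", now.Add(-time.Hour), now.AddDate(10, 0, 0))
	expired := selfSignedCA("Corp Legacy Root CA", now.AddDate(-3, 0, 0), now.AddDate(-1, 0, 0))
	approved := map[string]string{} // fingerprint -> label; keep this list under change control
	for _, p := range [][]byte{good, expired} {
		block, _ := pem.Decode(p)
		approved[Fingerprint(block.Bytes)] = "approved by PKI policy"
	}
	bundle := append(append(append([]byte{}, good...), rogue...), expired...)
	return AuditTrustStore(bundle, approved, now)
}

func main() {
	findings, err := Demo()
	fmt.Printf("%d findings, err=%v\n%+v\n", len(findings), err, findings)
}
```

To run this against a real store, read the platform's bundle (for example the PEM file the TLS library loads) into bundle and fill approved from the PKI policy record; an empty findings slice means every anchor present is approved and currently usable. The rogue case is the reason for pinning by fingerprint: a review that compares subject names would accept it.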
References 10
- FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
- SP 800-56A Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3.
- SP 800-56B Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2.
- SP 800-56C Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2.
- SP 800-57-1 Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5.
- SP 800-57-2 Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1.
- SP 800-57-3 Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1.
- SP 800-63-3 Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020.
- IR 7956 Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956.
- IR 7966 Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966.
Control Enhancements 6
- SC-12(01) Availability
- SC-12(02) Symmetric Keys
- SC-12(03) Asymmetric Keys
- SC-12(04) PKI Certificates (Withdrawn: incorporated into SC-12(03))
- SC-12(05) PKI Certificates / Hardware Tokens (Withdrawn: incorporated into SC-12(03))
- SC-12(06) Physical Control of Keys
Related controls 19
- AC-17 Remote Access
- AU-09 Protection of Audit Information
- AU-10 Non-repudiation
- CM-03 Configuration Change Control
- IA-03 Device Identification and Authentication
- IA-07 Cryptographic Module Authentication
- IA-13 Identity Providers and Authorization Servers
- SA-04 Acquisition Process
- SA-08 Security and Privacy Engineering Principles
- SA-09 External System Services
- SC-08 Transmission Confidentiality and Integrity
- SC-11 Trusted Path
- SC-13 Cryptographic Protection
- SC-17 Public Key Infrastructure Certificates
- SC-20 Secure Name/Address Resolution Service (Authoritative Source)
- SC-37 Out-of-band Channels
- SC-40 Wireless Link Protection
- SI-03 Malicious Code Protection
- SI-07 Software, Firmware, and Information Integrity