Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment.

Priority: High

Category: Encryption

Services Associated with AWS:

  1. AWS Key Management Service (KMS)
  2. AWS Secrets Manager

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation to demonstrate cryptographic key management practices
  • Technical: screen shot of configuration settings
  • Technical: screen shot of cryptography in use

Possible Technology Considerations:

  • Certificate Management Solution
  • Cryptographic Solution (key management)

What needs to be answered?

Are processes and automated mechanisms used to provide key management within the information system?

  • Cryptographic Key Management Check

    Description: This check ensures that cryptographic keys are properly managed throughout their lifecycle: generation, distribution, rotation, storage, recovery, and retirement. The check verifies that keys are generated and distributed securely, stored in a secure manner, rotated regularly, recoverable in the event of loss, and retired when no longer needed.

  • Cryptographic Key Establishment Check

    Description: This check ensures that cryptographic keys are properly established in accordance with organizational policies and guidelines. It ensures that keys are securely distributed and that secure key exchange protocols are used.
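One way to turn the rotation and retirement requirements of the Key Management Check above into an automated test, as an added example that is not part of this control page: the records below are constructed sample data shaped like the responses of boto3's kms.describe_key()/get_key_rotation_status() and secretsmanager.list_secrets(); fetching them from those APIs is assumed, not done here, and the policy thresholds (90-day secret rotation) are assumptions.

```python
"""Constructed audit of KMS key and Secrets Manager metadata against a key-management
policy: customer-managed keys must auto-rotate, disabled keys must be scheduled for
deletion (retired), and secrets must rotate on schedule. Record shapes follow boto3
kms.describe_key()/get_key_rotation_status() and secretsmanager.list_secrets()."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_SECRET_ROTATION_DAYS = 90  # assumed organizational policy threshold

# Constructed sample data (not real keys or secrets).
KMS_KEYS = [
    {"KeyId": "key-1", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=100), "KeyRotationEnabled": True},
    {"KeyId": "key-2", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=400), "KeyRotationEnabled": False},
    {"KeyId": "key-3", "KeyManager": "CUSTOMER", "KeyState": "Disabled",
     "CreationDate": NOW - timedelta(days=800), "KeyRotationEnabled": True},
    {"KeyId": "key-4", "KeyManager": "AWS", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=900), "KeyRotationEnabled": False},
]
SECRETS = [
    {"Name": "db/prod", "RotationEnabled": True, "LastRotatedDate": NOW - timedelta(days=20),
     "RotationRules": {"AutomaticallyAfterDays": 30}},
    {"Name": "api/legacy", "RotationEnabled": False},
]

def check_kms_key(key: dict) -> list[str]:
    """Findings for one key. AWS-managed keys are rotated by AWS and are out of scope."""
    if key["KeyManager"] != "CUSTOMER":
        return []
    if key["KeyState"] == "Enabled" and not key["KeyRotationEnabled"]:
        age = (NOW - key["CreationDate"]).days
        return [f"automatic rotation disabled; key material is {age} days old"]
    if key["KeyState"] == "Disabled":  # retirement means PendingDeletion, not merely Disabled
        return ["disabled but not scheduled for deletion"]
    return []

def check_secret(secret: dict) -> list[str]:
    """Findings for one secret: rotation must be on, within policy, and not overdue."""
    if not secret.get("RotationEnabled"):
        return ["rotation not configured"]
    interval = secret["RotationRules"]["AutomaticallyAfterDays"]
    findings = []
    if interval > MAX_SECRET_ROTATION_DAYS:
        findings.append(f"rotation interval {interval}d exceeds policy")
    if (NOW - secret["LastRotatedDate"]).days > interval:
        findings.append("last rotation overdue")
    return findings

def audit(keys=KMS_KEYS, secrets=SECRETS) -> dict[str, list[str]]:
    """Map each non-compliant resource to its findings; compliant ones are omitted."""
    report = {k["KeyId"]: check_kms_key(k) for k in keys if check_kms_key(k)}
    report.update({s["Name"]: check_secret(s) for s in secrets if check_secret(s)})
    return report
```

The report from audit() is the kind of technical evidence the "Objective Evidence" list above asks for, alongside the configuration screenshots.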

More Details:

Cryptographic keys for all systems are managed by IT administration in a secure environment.