Level 2
Description:
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment.
Priority: High
Domain: SYSTEM AND COMMUNICATIONS PROTECTION (SC)
Category: Encryption
Services Associated with AWS:
- AWS Key Management Service (KMS)
- AWS Secrets Manager
Services Associated with Azure:
- Azure Key Vault
- Azure Certificate Manager
- Azure Key Vault for HSM
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation to demonstrate cryptographic key management practices
- Technical: screen shot of configuration settings
- Technical: screen shot of cryptography in use
Possible Technology Considerations:
- Certificate Management Solution
- Cryptographic Solution (key management)
What needs to be answered?
Are processes and automated mechanisms used to provide key management within the information system?
Checks for AWS
- Cryptographic Key Management Check:
Description: This check ensures that cryptographic keys are properly managed across their whole lifecycle: generation, distribution, storage, rotation, recovery, and retirement. It verifies that keys are generated securely, distributed securely, stored securely, rotated regularly, recoverable in the event of loss, and retired when no longer needed.
- Cryptographic Key Establishment Check:
Description: This check ensures that cryptographic keys are established in accordance with organizational policies and guidelines. It verifies that keys are distributed securely and that secure key exchange protocols are used.
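As an added example (not part of this control text or of any vendor tooling), a small Python audit that applies the lifecycle points of the Key Management Check to an AWS KMS key inventory: it flags customer-managed keys with automatic rotation disabled, keys that cannot auto-rotate (asymmetric or imported material) and are older than a policy age, and keys pending deletion that still need a retirement review. The sample records and key IDs are constructed; `collect_from_aws` is an optional live collector built on boto3's `list_keys`, `describe_key` and `get_key_rotation_status`.

```python
from datetime import datetime, timezone
UTC = timezone.utc

def rec(key_id, state, spec, origin, created, rotating, manager="CUSTOMER"):
    """Build a record shaped like KMS DescribeKey KeyMetadata plus the GetKeyRotationStatus flag."""
    return {"KeyId": key_id, "KeyManager": manager, "KeyState": state, "KeySpec": spec,
            "Origin": origin, "CreationDate": created, "KeyRotationEnabled": rotating}

# Constructed sample inventory; the key IDs are placeholders, not real KMS key IDs.
SAMPLE_KEYS = [
    rec("key-a-constructed", "Enabled", "SYMMETRIC_DEFAULT", "AWS_KMS", datetime(2023, 1, 1, tzinfo=UTC), True),
    rec("key-b-constructed", "Enabled", "SYMMETRIC_DEFAULT", "AWS_KMS", datetime(2020, 6, 1, tzinfo=UTC), False),
    rec("key-c-constructed", "Enabled", "RSA_2048", "EXTERNAL", datetime(2021, 3, 1, tzinfo=UTC), False),
    rec("key-d-constructed", "PendingDeletion", "SYMMETRIC_DEFAULT", "AWS_KMS", datetime(2022, 1, 1, tzinfo=UTC), True),
    rec("key-e-constructed", "Enabled", "SYMMETRIC_DEFAULT", "AWS_KMS", datetime(2022, 1, 1, tzinfo=UTC), True, "AWS"),
]

def evaluate_key(key, now, max_age_days=365):
    """Return the lifecycle findings for one key; an empty list means no finding."""
    findings = []
    if key["KeyManager"] != "CUSTOMER":
        return findings  # AWS-managed keys are rotated by AWS and are not the customer's to manage
    # KMS automatic rotation only applies to symmetric keys whose material KMS generated itself.
    auto_rotatable = key["KeySpec"] == "SYMMETRIC_DEFAULT" and key["Origin"] == "AWS_KMS"
    if key["KeyState"] == "PendingDeletion":
        findings.append("retirement: scheduled for deletion, confirm nothing is still encrypted under it")
    elif auto_rotatable and not key.get("KeyRotationEnabled", False):
        findings.append("rotation: automatic rotation disabled")
    elif not auto_rotatable and (now - key["CreationDate"]).days > max_age_days:
        findings.append(f"rotation: manual rotation required and key is older than {max_age_days} days")
    return findings

def audit(keys, now=None, max_age_days=365):
    """Map KeyId -> findings for every key that has at least one finding."""
    now = now or datetime.now(UTC)
    return {k["KeyId"]: f for k in keys if (f := evaluate_key(k, now, max_age_days))}

def collect_from_aws(region_name=None):
    """Live collector (needs kms:ListKeys, kms:DescribeKey and kms:GetKeyRotationStatus)."""
    import boto3  # imported here so the audit logic above runs without boto3 installed
    kms = boto3.client("kms", region_name=region_name)
    records = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if meta["KeyManager"] == "CUSTOMER":
                meta["KeyRotationEnabled"] = kms.get_key_rotation_status(KeyId=entry["KeyId"])["KeyRotationEnabled"]
            records.append(meta)
    return records
```

Run `audit(collect_from_aws())` against a real account to produce the evidence screenshot this control asks for; the findings text is deliberately phrased as an auditor's note, not a remediation command.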
Checks for Azure
- Cryptographic Key Management Check:
Description: This policy check ensures that cryptographic keys used in the Azure environment are properly managed throughout their lifecycle. It verifies that keys are generated securely, distributed only to authorized entities, stored in a secure manner, and regularly rotated to minimize the impact of potential compromise. The policy also ensures that keys are recoverable in case of accidental loss or deletion, and that they are retired when they are no longer needed to reduce the attack surface.
- Cryptographic Key Establishment Check:
Description: The cryptographic key establishment policy check ensures that cryptographic keys are established in accordance with organizational policies and industry best practices. This policy verifies that secure key exchange protocols and algorithms are used to establish trust between parties and enable secure communication. It also ensures that keys are distributed securely to relevant entities, and that appropriate access controls are implemented to prevent unauthorized access to the keys.
More Details:
Cryptographic keys for all systems are managed by IT administration in a secure environment.