SC-12

SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

Overview

Number	Title	Impact	Priority	Subject Area
SC-12	Cryptographic Key Establishment And Management	LOW	P1	System And Communications Protection

Instructions
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction.

Guidance
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

Guidance

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

Enhancements

SC-12 (1) Availability

HIGH

Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase).

The organization maintains availability of information in the event of the loss of cryptographic keys by users.

SC-12 (2) Symmetric Keys

The organization produces, controls, and distributes symmetric cryptographic keys using Selection: NIST FIPS-compliant; NSA-approved key management technology and processes.

SC-12 (3) Asymmetric Keys

The organization produces, controls, and distributes asymmetric cryptographic keys using Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user�s private key.

SC-12 (4) Pki Certificates

Withdrawn: Incorporated into SC-12.

SC-12 (5) Pki Certificates / Hardware Tokens

Withdrawn: Incorporated into SC-12.