CMMC SC.3.187 - Establish and Manage Cryptographic Keys

Requirement text: SC.3.187: Establish and manage cryptographic keys for cryptography employed in
organizational systems.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Cryptographic key management and establishment can be performed using manual
procedures or mechanisms supported by manual procedures. Organizations define key
management requirements in accordance with applicable federal laws, Executive Orders,
policies, directives, regulations, and standards specifying appropriate options, levels, and
parameters.

CMMC CLARIFICATION
The organization develops processes and technical mechanisms to protect each cryptographic
key's confidentiality, authenticity and authorized use in accordance with industry standards
and regulations. Key management systems provide oversight, assurance, and the capability
to demonstrate that cryptographic keys are created in a secure manner and protected from
loss or misuse throughout their lifecycle (e.g., active, expired, revoked). For a small number
of keys, this can be accomplished with manual procedures and mechanisms. As the number
of keys and cryptographic units increases, automation and tool support will be required.
Key establishment best practices are identified in NIST SP 800-56A, B and C. Key
management best practices are identified in NIST SP 800-57 Parts 1, 2 and 3.

Example
You are an IT administrator at your organization responsible for key management.
You have generated a public-private key pair to exchange CUI. You require all system
administrators to read the company's policy on Key Management before you allow them to
install the private key on their machines. Per the policy, no one else in the company is
allowed to know or hold a copy of the private key. You provide the public key to the other
parties who will be sending you CUI and verify end to end that data encrypted with the public
key decrypts only with the private key.
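The clarification above names the lifecycle states a key inventory must track and points to SP 800-56A/C for establishment and SP 800-57 for management, and the example describes generating a key pair and checking that the exchange works. The following is an added illustration, not code from the CMMC documentation or from NIST: a minimal key record that stores a P-256 key pair with its cryptoperiod, derives its state (active, expired, revoked) at time of use, and runs ECC CDH (SP 800-56A) followed by the SP 800-56C one-step KDF with SHA-256, refusing to establish new keys with anything but an active key. The record type, function names, key IDs, cryptoperiod length and the `fixedInfo` string are assumptions chosen for the example; unlike the narrative above, each party holds its own private key and only public keys are exchanged.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// KeyState uses the lifecycle states named in the CMMC clarification.
// SP 800-57 Part 1 has a finer-grained set; "expired" here matches its
// "deactivated" state (past the cryptoperiod, no longer used to protect data).
type KeyState string

const (
	Active  KeyState = "active"
	Expired KeyState = "expired"
	Revoked KeyState = "revoked"
)

// KeyRecord is one entry in a hypothetical key inventory: key material plus
// the metadata SP 800-57 expects an organization to track for each key.
type KeyRecord struct {
	ID       string
	Created  time.Time
	NotAfter time.Time        // end of the cryptoperiod
	revoked  bool             // set once, never cleared
	priv     *ecdh.PrivateKey // never exported or serialized by this type
}

// NewKeyRecord generates a fresh P-256 key pair (an approved curve for
// SP 800-56A ECC CDH) and records its cryptoperiod.
func NewKeyRecord(id string, now time.Time, cryptoperiod time.Duration) (*KeyRecord, error) {
	if cryptoperiod <= 0 {
		return nil, errors.New("cryptoperiod must be positive")
	}
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyRecord{ID: id, Created: now, NotAfter: now.Add(cryptoperiod), priv: priv}, nil
}

// PublicKey is the only part of the record that leaves the system.
func (r *KeyRecord) PublicKey() *ecdh.PublicKey { return r.priv.PublicKey() }

// Revoke withdraws the key (e.g. suspected compromise); revocation is permanent.
func (r *KeyRecord) Revoke() { r.revoked = true }

// State is evaluated at use time, so an expired key is refused even if no
// batch job has updated the inventory yet. Revocation takes precedence.
func (r *KeyRecord) State(now time.Time) KeyState {
	switch {
	case r.revoked:
		return Revoked
	case !now.Before(r.NotAfter):
		return Expired
	default:
		return Active
	}
}

// oneStepKDF is the SP 800-56C Rev. 2 One-Step KDF with SHA-256 for a single
// 256-bit output block: K = H(counter || Z || FixedInfo) with counter = 1.
func oneStepKDF(z, fixedInfo []byte) []byte {
	var counter [4]byte
	binary.BigEndian.PutUint32(counter[:], 1)
	h := sha256.New()
	h.Write(counter[:])
	h.Write(z)
	h.Write(fixedInfo)
	return h.Sum(nil)
}

// AgreeKey runs ECC CDH with the peer's public key and derives keying material,
// refusing any local key that is not active. fixedInfo binds the output to the
// parties and purpose, as SP 800-56A's FixedInfo does. The library validates
// that the peer point lies on the same curve before computing Z.
func AgreeKey(local *KeyRecord, peer *ecdh.PublicKey, fixedInfo []byte, now time.Time) ([]byte, error) {
	if st := local.State(now); st != Active {
		return nil, fmt.Errorf("key %s is %s; not usable for key establishment", local.ID, st)
	}
	z, err := local.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return oneStepKDF(z, fixedInfo), nil
}

func main() {
	now := time.Now()
	admin, err := NewKeyRecord("admin-2024", now, 90*24*time.Hour) // assumed 90-day cryptoperiod
	if err != nil {
		panic(err)
	}
	partner, err := NewKeyRecord("partner-2024", now, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	info := []byte("CUI-transfer|admin-2024|partner-2024") // constructed FixedInfo
	k1, err := AgreeKey(admin, partner.PublicKey(), info, now)
	if err != nil {
		panic(err)
	}
	k2, _ := AgreeKey(partner, admin.PublicKey(), info, now)
	fmt.Println("both parties derived the same key:", bytes.Equal(k1, k2))
	_, err = AgreeKey(admin, partner.PublicKey(), info, now.Add(91*24*time.Hour))
	fmt.Println("after cryptoperiod:", err)
	admin.Revoke()
	_, err = AgreeKey(admin, partner.PublicKey(), info, now)
	fmt.Println("after revocation:", err)
}
```

The private key never leaves the `KeyRecord`, and the state check sits inside `AgreeKey` rather than in a separate audit job, so a stale inventory cannot let an expired or revoked key protect new data. Decrypting older material with a deactivated key is a separate, policy-governed operation that this example deliberately does not expose.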

References
• NIST SP 800-171 Rev 1 3.13.10
• CERT RMM v1.2 KIM:SG4.SP1
• NIST SP 800-53 Rev 4 SC-12