>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SC-12(2)Cryptographic Key Establishment and Management | Symmetric Keys

IL6

>Control Description

Produce, control, and distribute symmetric cryptographic keys using NIST FIPS-validated; NSA-approved key management technology and processes.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

SP 800-56A, SP 800-56B, and SP 800-56C provide guidance on cryptographic key establishment schemes and key derivation methods. SP 800-57-1, SP 800-57-2, and SP 800-57-3 provide guidance on cryptographic key management.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of symmetric keys?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-12(2)?
  • What is your cryptographic key management policy?

Technical Implementation:

  • How is symmetric keys technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that symmetric keys remains effective as the system evolves?
  • What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-12(2)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you demonstrate that FIPS 140-2 validated cryptography is used?

Ask AI

Configure your API key to use AI features.