SC-12(3)—Cryptographic Key Establishment and Management | Asymmetric Keys
IL6
>Control Description
Produce, control, and distribute asymmetric cryptographic keys using ☑NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user's private key; certificates issued in accordance with organization-defined requirements.
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
SP 800-56A, SP 800-56B, and SP 800-56C provide guidance on cryptographic key establishment schemes and key derivation methods. SP 800-57-1, SP 800-57-2, and SP 800-57-3 provide guidance on cryptographic key management.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern the implementation of asymmetric keys?
- •How are system and communications protection requirements defined and maintained?
- •Who is responsible for configuring and maintaining the security controls specified in SC-12(3)?
- •What is your cryptographic key management policy?
Technical Implementation:
- •How is asymmetric keys technically implemented in your environment?
- •What systems, tools, or configurations enforce this protection requirement?
- •How do you ensure that asymmetric keys remains effective as the system evolves?
- •What encryption mechanisms and algorithms are used to protect data?
Evidence & Documentation:
- •What documentation demonstrates the implementation of SC-12(3)?
- •Can you provide configuration evidence or system diagrams showing this protection control?
- •What logs or monitoring data verify that this control is functioning correctly?
- •Can you demonstrate that FIPS 140-2 validated cryptography is used?
Ask AI
Configure your API key to use AI features.