SC-28(3)—Protection of Information at Rest | Cryptographic Keys

IL5

IL6

>Control Description

Provide protected storage for cryptographic keys ☑[Assignment: organization-defined safeguards; hardware-protected key store].

No specific parameter values or requirements for this impact level.

A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.

Questions assessors commonly ask

•What policies govern the implementation of cryptographic keys?
•How are system and communications protection requirements defined and maintained?
•Who is responsible for configuring and maintaining the security controls specified in SC-28(3)?
•What is your cryptographic key management policy?

•How is cryptographic keys technically implemented in your environment?
•What systems, tools, or configurations enforce this protection requirement?
•How do you ensure that cryptographic keys remains effective as the system evolves?
•What encryption mechanisms and algorithms are used to protect data?

•What documentation demonstrates the implementation of SC-28(3)?
•Can you provide configuration evidence or system diagrams showing this protection control?
•What logs or monitoring data verify that this control is functioning correctly?
•Can you demonstrate that FIPS 140-2 validated cryptography is used?

Configure your API key to use AI features.