
SC-12 Cryptographic Key Establishment and Management

Baselines: LI-SaaS, Low, Moderate, High

Control Description

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: organization-defined requirements for key generation, distribution, storage, access, and destruction.

FedRAMP Baseline Requirements

Additional Requirements and Guidance

  • SC-12 Guidance: See references in NIST 800-53 documentation.
  • SC-12 Guidance: Must meet applicable Federal Cryptographic Requirements. See References Section of control.
  • SC-12 Guidance: Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

Discussion

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST CMVP and NIST CAVP provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

Programmatic Queries

Related Services

KMS
CloudHSM
Secrets Manager

CLI Commands

List KMS keys
aws kms list-keys
Check key rotation status
aws kms get-key-rotation-status --key-id KEY_ID
Retrieve a key's policy (KMS accepts only the policy name default)
aws kms get-key-policy --key-id KEY_ID --policy-name default
Check CloudHSM clusters
aws cloudhsmv2 describe-clusters
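The commands above only pull evidence; an assessor still has to read it. As an added example (not code from the original page, nor an AWS tool), the following Python applies the two SC-12 checks a reviewer would make against that evidence: whether automatic rotation is enabled on customer-managed symmetric keys, and whether the key policy contains an Allow statement with Principal "*" and no Condition block. The documents it parses are constructed inline in the shape returned by aws kms describe-key, get-key-rotation-status and get-key-policy (the field names are the real response fields; the key ID, account number and Sids are made up), so it runs offline. Feed it json.load() of the real command output to use it against an account.

```python
"""Offline triage of AWS KMS evidence for SC-12 (rotation and key-policy exposure)."""
import json

# --- constructed sample CLI output; key ID and account number are hypothetical ---
DESCRIBE_KEY = {
    "KeyMetadata": {
        "KeyId": "11111111-2222-3333-4444-555555555555",
        "KeyManager": "CUSTOMER",        # CUSTOMER or AWS
        "KeySpec": "SYMMETRIC_DEFAULT",  # only spec KMS rotates automatically
        "Origin": "AWS_KMS",             # EXTERNAL means imported key material
        "KeyState": "Enabled",
    }
}
ROTATION_STATUS = {"KeyRotationEnabled": False}
# get-key-policy returns the policy document as a JSON *string* under "Policy".
KEY_POLICY = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow anyone to decrypt",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                "Resource": "*",
            },
        ],
    })
}


def rotation_finding(describe_key, rotation_status):
    """Return a finding string, or None, for the key's rotation posture.

    KMS rotates only symmetric keys whose material it generated. AWS-managed
    keys are rotated by AWS, and asymmetric/HMAC or imported keys cannot have
    automatic rotation turned on, so those need a documented manual procedure.
    """
    md = describe_key["KeyMetadata"]
    if md["KeyManager"] != "CUSTOMER":
        return None
    if md["KeySpec"] != "SYMMETRIC_DEFAULT" or md["Origin"] != "AWS_KMS":
        return "automatic rotation not applicable; verify documented manual rotation"
    if not rotation_status.get("KeyRotationEnabled", False):
        return "automatic rotation disabled on customer-managed symmetric key"
    return None


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def public_principal_statements(get_key_policy):
    """Return the Sids of Allow statements that name Principal "*" with no Condition.

    Such a statement lets any AWS identity that also holds IAM permission
    use the key, which is almost never intended for an SC-12 scoped key.
    """
    policy = json.loads(get_key_policy["Policy"])
    flagged = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        is_public = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if is_public:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def triage(describe_key, rotation_status, get_key_policy):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    rotation = rotation_finding(describe_key, rotation_status)
    if rotation:
        findings.append(rotation)
    for sid in public_principal_statements(get_key_policy):
        findings.append(f"key policy statement '{sid}' allows Principal * without a Condition")
    return findings


if __name__ == "__main__":
    for finding in triage(DESCRIBE_KEY, ROTATION_STATUS, KEY_POLICY):
        print("FINDING:", finding)
```

Run against the constructed input it reports two findings: rotation disabled, and the "Allow anyone to decrypt" statement. The rotation check deliberately stays silent for AWS-managed keys and downgrades asymmetric or imported keys to "verify manual rotation", because get-key-rotation-status cannot be enabled for those and a blanket "rotation off" finding would be wrong.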

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of cryptographic key establishment and management?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-12?
  • What is your cryptographic key management policy?

Technical Implementation:

  • How is cryptographic key establishment and management technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that cryptographic key establishment and management remains effective as the system evolves?
  • What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-12?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you demonstrate that FIPS 140-2 validated cryptography is used?
