
3.13.10 System and Communications Protection - Derived

Derived Requirement

Control Description

Establish and manage cryptographic keys for cryptography employed in organizational systems.

Discussion

Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment.
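The lifecycle that the discussion points to (the SP 800-57 key states and cryptoperiods, together with RFC 5869 HKDF, which SP 800-56C lists among approved key-derivation methods for key-establishment schemes) as an added, stand-alone Python example. This is not code from the original page or from any NIST publication. The `KeyManager` class, the key IDs, the 90-day cryptoperiod, the purpose/label strings and the `tenant=42` context are assumptions made for illustration; only the HKDF construction follows a published specification.

```python
"""Added example (not from the page): SP 800-57 style key lifecycle with
RFC 5869 HKDF for per-purpose key derivation. Standard library only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Subset of SP 800-57 Part 1 key states ("suspended" is omitted here).
# Only an ACTIVE key may be used to derive new working keys.
PRE_ACTIVATION = "pre-activation"
ACTIVE = "active"
DEACTIVATED = "deactivated"
COMPROMISED = "compromised"
DESTROYED = "destroyed"


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF: extract a PRK from the input keying material, then expand."""
    hlen = hashlib.new(hash_name).digest_size
    if length > 255 * hlen:
        raise ValueError("HKDF output is limited to 255 * HashLen bytes")
    # An empty salt is replaced by HashLen zero bytes, as the RFC specifies.
    prk = hmac.new(salt or bytes(hlen), ikm, hash_name).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // hlen) + 1):  # ceil(length / hlen) blocks
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
    return okm[:length]


@dataclass
class ManagedKey:
    key_id: str
    purpose: str            # SP 800-57 principle: one key, one purpose
    material: bytearray     # mutable so it can be zeroized on destruction
    activated: datetime
    cryptoperiod: timedelta
    state: str = PRE_ACTIVATION


class KeyManager:
    """Hypothetical in-memory key manager; a deployment would back this with an HSM or KMS."""

    def __init__(self, cryptoperiod: timedelta = timedelta(days=365)):
        self.keys: dict[str, ManagedKey] = {}
        self.cryptoperiod = cryptoperiod

    def generate(self, purpose: str, now: datetime) -> ManagedKey:
        # 256-bit root key from the OS CSPRNG (an approved RBG in SP 800-57 terms).
        key = ManagedKey(secrets.token_hex(8), purpose, bytearray(secrets.token_bytes(32)),
                         now, self.cryptoperiod, ACTIVE)
        self.keys[key.key_id] = key
        return key

    def derive(self, key_id: str, label: str, context: bytes, now: datetime, length: int = 32) -> bytes:
        """Derive a working key; refuse keys that are not ACTIVE or whose cryptoperiod has ended."""
        key = self.keys[key_id]
        if key.state == ACTIVE and now >= key.activated + key.cryptoperiod:
            key.state = DEACTIVATED   # cryptoperiod over: no new protection operations
        if key.state != ACTIVE:
            raise PermissionError(f"key {key_id} is {key.state}; not usable for new derivations")
        # Binding purpose, label and context into 'info' keeps derived keys separate per use.
        info = b"|".join([key.purpose.encode(), label.encode(), context])
        return hkdf(bytes(key.material), b"", info, length)

    def rotate(self, key_id: str, now: datetime) -> ManagedKey:
        """End the old key's cryptoperiod and issue a successor for the same purpose."""
        old = self.keys[key_id]
        old.state = DEACTIVATED
        return self.generate(old.purpose, now)

    def mark_compromised(self, key_id: str) -> None:
        self.keys[key_id].state = COMPROMISED

    def destroy(self, key_id: str) -> None:
        """Zeroize the material; the record stays so an audit can account for the key."""
        key = self.keys[key_id]
        for i in range(len(key.material)):
            key.material[i] = 0
        key.state = DESTROYED


def demo() -> dict:
    """Walk one key through the lifecycle; returns the facts a caller can check."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)          # fixed clock for reproducibility
    km = KeyManager(cryptoperiod=timedelta(days=90))        # assumed 90-day cryptoperiod
    root = km.generate("database-encryption", t0)
    k_enc = km.derive(root.key_id, "aes-256-gcm", b"tenant=42", t0)
    k_mac = km.derive(root.key_id, "hmac-sha256", b"tenant=42", t0)
    try:                                                    # 91 days later: cryptoperiod ended
        km.derive(root.key_id, "aes-256-gcm", b"tenant=42", t0 + timedelta(days=91))
        expired_refused = False
    except PermissionError:
        expired_refused = True
    successor = km.rotate(root.key_id, t0 + timedelta(days=91))
    km.destroy(root.key_id)
    return {"enc_key_len": len(k_enc), "keys_differ": k_enc != k_mac,
            "expired_refused": expired_refused, "old_state": root.state,
            "successor_active": successor.state == ACTIVE, "zeroized": not any(root.material)}


if __name__ == "__main__":
    print(demo())
```

The point of the `info` binding is the single-purpose rule: the same root key yields unrelated encryption and MAC keys, so a weakness in one use does not expose the other. Cryptoperiod enforcement happens at use time, not only on a schedule, which is what an assessor will ask to see; the derived working keys inherit the root key's cryptoperiod and must be retired with it.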

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the generation, distribution, storage, rotation, and destruction of cryptographic keys?
  • What procedures define key management requirements (approved algorithms, key lengths, cryptoperiods) in line with [SP 800-57-1]?
  • Who approves the organization's key management standards, and who is designated as a key custodian?
  • What governance covers key backup, escrow, and recovery, including separation of duties or dual control for sensitive keys?
  • What training do key custodians and system administrators receive on key handling?

Technical Implementation:

  • How are keys generated (approved random bit generators, HSMs, or a key management service)?
  • How are keys established between parties (for example, key agreement schemes from [SP 800-56A]) and protected while in transit?
  • How are keys stored and access-controlled (HSM, KMS, encrypted keystores, least-privilege access to key material)?
  • How are keys rotated at the end of their cryptoperiod, and how are they revoked or replaced on suspected compromise?
  • What logging and monitoring covers key usage and key management operations (creation, rotation, destruction)?

Evidence & Documentation:

  • Can you show the key management plan or policy, including the approved cryptoperiods?
  • What evidence demonstrates the key generation, storage, and rotation controls (KMS/HSM configurations, key inventories)?
  • Can you provide records of key custodian assignments and dual-control procedures?
  • What audit logs record key creation, rotation, and destruction events?
  • What audit findings confirm compliance with the key management requirements?
