Cryptography, Encryption and Key Management

Controls to secure cryptographic protocols.

CK-1: Cryptographic Key Establishment

Group: Cryptography, Encryption and Key Management

Control Statement

Use industry-standard cryptographic key establishment schemes and key derivation methods.

Control Recommendations

Refer to SP 800-56A, SP 800-56B, and SP 800-56C for updated industry-standard cryptographic key establishment schemes and key derivation methods. Cloud services such as AWS Key Management Service and Azure Key Vault can be used for generating and managing cryptographic keys.

Risk Statement

Insecure cryptographic key establishment can lead to weak or broken encryption.

CK-2: Cryptographic Key Rotation

Group: Cryptography, Encryption and Key Management

Control Statement

Rotate cryptographic keys every [ insert: param, ck-2_prm_1 ] days.

Control Recommendations

Cloud services such as AWS Key Management Service and Azure Key Vault enable automatic rotation of cryptographic keys.

Risk Statement

Failing to rotate cryptographic keys increases the risk of broken encryption.

Parameters

CK-3: Cryptographic Key Management

Group: Cryptography, Encryption and Key Management

Control Statement

Implement cryptographic key management processes to ensure cryptographic keys are well-managed and safeguarded throughout their lifecycle.

Control Recommendations

Follow key management practices such as those described in NIST SP 800-57 or ISO/IEC 27017 to cover aspects including generation, registration, storage, distribution, installation, use, rotation, backup, recovery, revocation, suspension, and destruction of keys.

Risk Statement

Inadequate key management increase the risk of unauthorized access, data breaches, and compromised cryptographic operations due to poorly managed or safeguarded cryptographic keys.