SC.L2-3.13.10—Key Management
Level 2
800-171: 3.13.10
Control Description
Establish and manage cryptographic keys for cryptography employed in organizational systems.
Assessment Interview Topics
Questions assessors commonly ask:
Process & Governance:
- What is your cryptographic key management policy?
- How do you govern key generation, distribution, storage, and destruction?
- Who is responsible for managing cryptographic keys?
- What standards guide your key management practices?
- How often do you review key management procedures?
Technical Implementation:
- What key management systems manage cryptographic keys?
- What HSMs store and protect keys?
- What tools generate cryptographic keys?
- What technologies enforce key rotation?
- What logging captures key lifecycle events?
- What escrow or backup protects keys?
Evidence & Documentation:
- What network diagrams show boundary protection architecture?
- What firewall rule sets and configurations can you provide?
- What encryption implementation documentation shows FIPS-validated crypto?
- What key management procedures can you provide?
- What network segmentation documentation shows proper separation?
- What evidence shows cryptographic mechanisms protect CUI?
- What configuration documentation shows security controls are properly implemented?