SC-12(6) Cryptographic Key Establishment and Management | Physical Control of Keys

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

For organizations that use external service providers (e.g., cloud service or data center providers), physical control of cryptographic keys provides additional assurance that information stored by such external providers is not subject to unauthorized disclosure or modification.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of physical control of keys?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-12(6)?
  • What is your cryptographic key management policy?

Technical Implementation:

  • How is physical control of keys technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that physical control of keys remains effective as the system evolves?
  • What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-12(6)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you demonstrate that FIPS 140-2 validated cryptography is used?
