SC-12 - Cryptographic Key Establishment and Management
Control requirements
- SC-12 - 0
- The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Additional IBM Cloud for Financial Services specifications
The organization must implement cryptographic key establishment and management processes including:
- Key management responsibilities and key usage activities must be provided or agreed to by the customer
- All keys must be established for a discrete purpose
- Keys are rotated in accordance with operational timeframes
- Keys are stored within a proper KeyStore (e.g. a FIPS 140-2 Level 3 compliant hardware security module)
- Only authorized personnel are permitted access to key recovery functions
Organizations providing cloud and multi-tenant services must implement cryptographic key establishment and management processes including:
- Key management responsibilities and key usage activities must consider data categorization, sensitivity, and regulatory requirements
- Dedicated encryption keys per customer tenancy and external application for data in transit and at rest
Implementation guidance
See the resources that follow to learn more about how to implement this control.
IBM Cloud for Financial Services profile
The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.
- Check whether permissions for API key creation are limited and configured in IAM settings for the account owner
- Check whether Hyper Protect Crypto Services encryption keys that are generated by the service are rotated automatically at least every # months
- Check whether the Hyper Protect Crypto Services instance is enabled with a dual authorization deletion policy
NIST supplemental guidance
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.