3.13.10 has a weight of -1 points

(System and Communication Protection Family) 10/16

Establish and manage cryptographic keys for cryptography employed in organizational systems.

Example of System Security Plan (SSP):

  1. Cryptographic Key Management
  2. Policy Statement: The organization shall establish and manage cryptographic keys for cryptography employed in organizational systems to ensure secure communication and data protection.
  3. Purpose: This policy aims to provide guidelines and procedures for the proper management of cryptographic keys, ensuring their confidentiality, integrity, and availability.
  4. Scope: The policy applies to all organizational systems that utilize cryptographic keys for encryption, decryption, or digital signatures.
  5. Key Management Methods: The organization may employ manual procedures or mechanisms supported by manual procedures for cryptographic key management. The methods used shall comply with applicable federal laws, Executive Orders, policies, directives, regulations, and standards.
  6. Key Management Requirements: The organization defines key management requirements, including options, levels, and parameters, based on the sensitivity of the data and the system’s security needs.
  7. Guidance: The organization shall refer to [SP 800-56A] and [SP 800-57-1] for guidance on cryptographic key management and key establishment practices.
  8. Key Generation: Cryptographic keys shall be generated using secure and reliable methods to ensure their strength and uniqueness.
  9. Key Storage: Cryptographic keys must be stored securely to prevent unauthorized access or disclosure. Key storage systems shall be protected by strong access controls and encryption.
  10. Key Distribution: The organization shall establish secure procedures for distributing cryptographic keys to authorized users or systems.
  11. Key Revocation and Renewal: Procedures shall be in place for key revocation and renewal in case of compromise, expiration, or other security events.
  12. Key Destruction: Cryptographic keys that are no longer required shall be securely destroyed to prevent any potential unauthorized use.
  13. Monitoring and Auditing: Continuous monitoring and auditing of key management activities shall be performed to ensure compliance with policies and to detect any anomalies or potential security breaches.
  14. Training and Awareness: Personnel involved in cryptographic key management shall receive proper training and awareness to understand the importance of secure key management practices.
  15. Documentation: Maintain comprehensive documentation of cryptographic key management procedures, including key generation, distribution, revocation, and destruction.
  16. Review and Updates: The policy shall be periodically reviewed and updated to address emerging threats and to align with changes in regulatory requirements.
  17. Enforcement: Non-compliance with this policy may lead to disciplinary actions as per the organization’s established procedures.
  18. Communication: Communicate the policy and its requirements to all relevant personnel to promote understanding and adherence.

Example of Plan of Action and Milestones (POA&M):

Milestone 1: Policy Development and Communication

Develop a comprehensive “Cryptographic Key Management Policy” that clearly outlines the purpose, scope, key management methods, and key management requirements. Communicate the policy to all relevant personnel within the organization. [Target Date]

Milestone 2: Identification of Systems Utilizing Cryptographic Keys

Identify all organizational systems that utilize cryptographic keys for encryption, decryption, or digital signatures. Ensure that all these systems are included in the scope of the policy. [Target Date]

Milestone 3: Key Management Methods and Requirements

Define key management requirements, including options, levels, and parameters, based on the sensitivity of the data and the system’s security needs. Select appropriate key management methods and procedures in compliance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards. [Target Date]

Milestone 4: Guidance Reference

Refer to [SP 800-56A] and [SP 800-57-1] for guidance on cryptographic key management and key establishment practices. Ensure that the organization follows best practices and industry standards in key management. [Target Date]

Milestone 5: Secure Key Generation

Implement secure and reliable methods for cryptographic key generation to ensure their strength and uniqueness. Employ trusted cryptographic algorithms and random number generators for key generation. [Target Date]

Milestone 6: Secure Key Storage

Establish secure key storage systems with strong access controls and encryption mechanisms to prevent unauthorized access or disclosure of cryptographic keys. Implement secure hardware or software-based key storage solutions. [Target Date]

Milestone 7: Secure Key Distribution

Develop and implement secure procedures for distributing cryptographic keys to authorized users or systems. Ensure that key distribution processes are protected against interception and tampering. [Target Date]

Milestone 8: Key Revocation and Renewal Procedures

Define procedures for key revocation and renewal in case of key compromise, expiration, or other security events. Ensure timely revocation and renewal of cryptographic keys to maintain their integrity and security. [Target Date]

Milestone 9: Key Destruction Methods

Establish secure procedures for the destruction of cryptographic keys that are no longer required. Implement robust methods to prevent any potential unauthorized use of discarded keys. [Target Date]

Milestone 10: Monitoring and Auditing

Implement continuous monitoring and auditing of key management activities to ensure compliance with policies and to detect any anomalies or potential security breaches. Regularly review audit logs and key management reports. [Target Date]

Milestone 11: Training and Awareness

Conduct training and awareness programs for personnel involved in cryptographic key management. Educate them about the importance of secure key management practices and their role in maintaining data protection. [Target Date]

Milestone 12: Documentation and Reporting

Maintain comprehensive documentation of cryptographic key management procedures, including key generation, distribution, revocation, and destruction. Ensure that key management documentation is up-to-date and readily available for audit and compliance purposes. [Target Date]

Milestone 13: Policy Review and Updates

Periodically review the “Cryptographic Key Management Policy” to ensure its effectiveness in safeguarding cryptographic keys and aligning with changing security needs and regulatory requirements. Update the policy as needed. [Target Date]

Milestone 14: Enforcement and Disciplinary Actions

Enforce compliance with the policy and establish procedures for disciplinary actions in case of policy violations. Ensure that non-compliance is appropriately addressed and corrected. [Target Date]

Milestone 15: Stakeholder Communication

Regularly communicate the policy and its requirements to all relevant personnel within the organization. Foster understanding and adherence to the policy across all departments and teams. [Target Date]
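The key lifecycle that SSP items 8 through 13 and Milestones 5 through 10 describe (generation from a CSPRNG, distribution only to authorized parties, revocation and renewal, destruction, and an audit trail of every event) can be enforced in code rather than left to procedure alone. The Python key register below is an added illustration, not part of this control text or of any NIST publication; the KeyRegister class, its record layout, the injectable clock and the cryptoperiods used are assumptions chosen for the example.

```python
import secrets
from datetime import datetime, timedelta, timezone

ACTIVE, REVOKED, DESTROYED = "active", "revoked", "destroyed"


class KeyRegister:
    def __init__(self, clock=None):
        self.keys = {}     # key_id -> record (material, state, expires, authorized)
        self.audit = []    # append-only event log for monitoring and auditing
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, event, key_id, **detail):
        self.audit.append({"time": self._clock().isoformat(), "event": event,
                           "key_id": key_id, **detail})

    def generate(self, key_id, bits, crypto_period_days, authorized):
        # Key generation: CSPRNG output only (secrets), bounded cryptoperiod, no id reuse
        if key_id in self.keys:
            raise ValueError(f"key id {key_id} already exists")
        self.keys[key_id] = {"material": secrets.token_bytes(bits // 8), "state": ACTIVE,
                             "expires": self._clock() + timedelta(days=crypto_period_days),
                             "authorized": set(authorized)}
        self._log("generate", key_id, bits=bits)

    def release(self, key_id, principal):
        # Key distribution: only active, unexpired keys, only to authorized principals
        rec = self.keys[key_id]
        usable = rec["state"] == ACTIVE and self._clock() < rec["expires"]
        if not usable or principal not in rec["authorized"]:
            self._log("release_denied", key_id, principal=principal, state=rec["state"])
            raise PermissionError(f"{key_id} not releasable to {principal}")
        self._log("release", key_id, principal=principal)
        return rec["material"]

    def revoke(self, key_id, reason):
        # Key revocation on compromise, expiry or supersession
        self.keys[key_id]["state"] = REVOKED
        self._log("revoke", key_id, reason=reason)

    def renew(self, old_id, new_id, crypto_period_days):
        # Key renewal: successor inherits the authorization list, predecessor is revoked
        old = self.keys[old_id]
        self.generate(new_id, len(old["material"]) * 8, crypto_period_days, old["authorized"])
        self.revoke(old_id, reason=f"superseded by {new_id}")

    def destroy(self, key_id):
        # Key destruction: drop the material; the record stays so the audit trail is complete
        self.keys[key_id].update(material=None, state=DESTROYED)
        self._log("destroy", key_id)
```

Every denied release is logged with the principal and key state, which is the raw input an auditor reviewing Milestone 10 would want; a real deployment would keep the material in an HSM or KMS rather than process memory.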

RELEVANT INFORMATION:

Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.