SC-12 - Cryptographic Key Establishment and Management

Control requirements

Additional IBM Cloud for Financial Services specifications

The organization must implement cryptographic key establishment and management processes including:

• Key management responsibilities and key usage activities must be provided or agreed to by the customer
• All keys must be established for a discrete purpose
• Keys are rotated in accordance with operational timeframes
• Keys are stored within a proper KeyStore (e.g. a FIPS 140-2 Level 3 compliant hardware security module)
• Only authorized personnel are permitted access to key recovery functions.

Organizations providing cloud and multi-tenant services, must implement cryptographic key establishment and management processes including:

• Key management responsibilities and key usage activities must consider data categorization, sensitivity, and regulatory requirements
• Dedicated encryption keys per customer tenancy and external application for data in transit and at rest

Implementation guidance

See the resources that follow to learn more about how to implement this control.

• Data encryption in transit

• Data encryption at rest

NIST supplemental guidance

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.