Device Class 1: Cryptographic Key Establishment And Management

Control ID: SC-12 Cryptographic Key Establishment And Management Family: System and Communications Protection Source: NIST 800-53r4
Control: The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with IEEE 1609.2 for IEEE 1609.2 keys, and as per NIST 800-56 and NIST 800-57 for X.509-based keys.
Supplemental Guidance:
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable state and federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

Related Controls: SC-13, SC-17
Control Enhancements: N/A
References: NIST Special Publications 800-56, 800-57.
Mechanisms:

  • Reference 1609.2 CA key management policies – not defined as of this writing, but will be relevant.
  • Compliant with NIST 800-56 and NIST 800-57 for key establishment and management for X.509-based keys.
  • All private keys shall be stored in a cryptographic hardware module with hardware protection equivalent to FIPS 140-2 level 3 security.
  • All key pairs shall be generated in a cryptographic hardware module using a FIPS 140 compliant random number generator.
  • Root certificates shall be managed per IA-2.

Protocol Implementation Conformance Statements:
ID Statement Status Reference Notes
SC-12/1 Stores IEEE 1609.2 keys in a cryptographic hardware module SC-12/1:M IEEE 1609.2;
SC-12/2 Stores TLS keys in a cryptographic hardware module SC-12/2:M If TLS supported. If TLS not supported, this is not mandatory
SC-12/3 Generates IEEE 1609.2 keys on-board SC-12/3:M IEEE 1609.2;
SC-12/3 Generates TLS keys on-board SC-12/4:M If TLS supported. If TLS not supported, this is not mandatory