SC-12 Cryptographic Key Establishment And Management

System and Communications Protection

Baselines: Low, Moderate, High

Description

When cryptography is required and employed within the information system, the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures.

Supplemental Guidance

NIST Special Publication 800-56 provides guidance on cryptographic key establishment. NIST Special Publication 800-57 provides guidance on cryptographic key management.

Enhancements

(0) None.

MITRE ATT&CK Techniques (10)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Execution (1), Persistence (1), Privilege Escalation (1), Credential Access (4), Lateral Movement (2), Command & Control (3)

Compliance Mappings

ISO 27001:2022

A.5.14, A.8.24

ISO 27002:2022

5.14, 8.24

NIST CSF 2.0

PR.DS-02

SOC 2 TSC

CC6.1

PCI DSS v4.0.1

3.5, 3.6, 3.7

CSA CCM v4

CEK-01, CEK-02, CEK-08, CEK-09, CEK-10, CEK-11, CEK-12, CEK-13, CEK-14, CEK-15, CEK-16, CEK-17, CEK-18, CEK-19, CEK-20, CEK-21

CSA AICM v1

CEK-01, CEK-02, CEK-08, CEK-09, CEK-10, CEK-11, CEK-12, CEK-13, CEK-14, CEK-15, CEK-16, CEK-17, CEK-18, CEK-19, CEK-20, CEK-21

FINOS CCC

CCC-C02

NIS2 Directive

Art. 21(2)(h)

MAS TRM

10

APRA CPS 234

Para 22-23

BSI IT-Grundschutz

CON.1

ANSSI

Hygiene.12, RGS.2.3, SecNumCloud.11.1

FINMA Circular 2023/1

IV.C(63), IV.C(64)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(a), Rec.83

EU DORA

Art.9(3)

BIO2

5.14, 8.24

RBI CSF

ITGRCA.16

FISC Security Guidelines

FISC.T11, FISC.T12, FISC.T4

LGPD + BCB 4893

BCB.Art.3, BCB.PIX, LGPD.Art.46

HKMA TM-E-1

TME1.10.3, TME1.11.2, TME1.8.5, TME1.9.1, TME1.9.2

MLPS 2.0

8.1.10.7, 8.1.2.2

DNB Good Practice

DNB.18.3, DNB.18.5

EU CRA

CRA.I.2e

SWIFT CSCF

SWIFT.2.1, SWIFT.2.5A

SAMA CSF

3.4, 4.3

NCA ECC

2-8

UAE IA

T8

CBB TM

TM-9

Qatar NIA

CS

CBUAE

CR-8

CBE CSF

CTO-3

SA JS2

JS2-8.3

CBN CSF

Part3.3

BoG CISD

CISD-VI

POPIA

s19

BoM CTRM

3.4

IOSCO Cyber Resilience

PROT-3

CPMI-IOSCO PFMI

CG.PR

FFIEC IS

II.C.13(b), II.C.15(c), II.C.16, II.C.19

NYDFS 500

500.15

HIPAA Security Rule

§164.312(a)(2)(iv), §164.312(e)(1), §164.312(e)(2)(ii)

ECB CROE

CROE.2.3.3

EBA ICT Guidelines

3.8(b)

SEBI CSCRF

DATALOC, PR.DS

BOT Cyber Resilience

Ch2.3, Ch2.7

CMMC 2.0

SC

NERC CIP

CIP-012-1

10 CFR 73.54

RG5.71-A-SC

IEEE 1686-2022

5.5

API 1164

Sec 8

IAEA NSS 17-T

Sec 5.6

PCI PTS v6

DE

FIPS 140-3

FIPS 140-3 §7.9

CBEST

CBEST.9

PCI HSM

34569

Common Criteria

CC Part 2 — FCS

ISAE 3402

Clause 4

Solvency II

DR.266-DataSec, EIOPA-ICT-4.7

Lloyd's Minimum Standards

BP2.1

NAIC Insurance Data Security

4-encryption, 4B

FCA SYSC 13

SYSC 13.7.3

HITRUST CSF v11

10.c

FDA 21 CFR Part 11

§11.30

FDA Cybersecurity Guidance

SA-2

ISO 27799

10.1, 10.2, 13.2, H.2

NHS DSPT

NDG-9.6

OWASP MASVS v2.1

MASVS-STORAGE-1, MASVS-CRYPTO-2

CCSS v9.0

1.01.1, 1.01.2, 1.01.4, 1.01.5, 1.01.6, 1.01.7, 1.02.1, 1.02.2, 1.02.3, 1.02.4, 1.02.5, 1.02.6, 1.03.1, 1.03.2, 1.03.6, 1.05.5, 1.06.1

MiCA

Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.76(1), Art.97(1)

Basel SCO60

SCO60.11, SCO60.21, SCO60.23, SCO60.41, SCO60.51, SCO60.61, SCO60.63, SCO60.64, SCO60.65, SCO60.66

BSSC Standards

NOS-08, TIS-07, KMS-01, KMS-02, KMS-03, KMS-04, KMS-05, KMS-07, KMS-08, KMS-09, KMS-10, GSP-13

SEC Custody (Digital Assets)

SEC-CD-02, SEC-CD-03, SEC-CD-06, SEC-CD-07, SEC-CD-08, SEC-CD-12, SEC-CD-13, SEC-CD-16

ISO 17799 (legacy)

12.3.1, 12.3.2

COBIT 4.1 (legacy)

DS5.8