SC-17 Public Key Infrastructure Certificates

System and Communications Protection

Baselines: Low, Moderate, High

Description

The organization issues public key certificates under an appropriate certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.

Supplemental Guidance

For user certificates, each agency either establishes an agency certification authority cross-certified with the Federal Bridge Certification Authority at medium assurance or higher or uses certificates from an approved, shared service provider, as required by OMB Memorandum 05-24. NIST Special Publication 800-32 provides guidance on public key technology. NIST Special Publication 800-63 provides guidance on remote electronic authentication.

Changes from Rev 4

Adds text to include only approved trust anchors in trust stores or certificate stores managed by the organization.
Discussion expanded to address trust anchors.

Enhancements

(0) None.

MITRE ATT&CK Techniques (2)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Execution: 1, Credential Access: 1, Lateral Movement: 1

Compliance Mappings

SOC 2 TSC

CC6.1

CSA CCM v4

CEK-13

CSA AICM v1

CEK-13

ANSSI

Hygiene.12, RGS.2.3, SecNumCloud.11.1

FINMA Circular 2023/1

IV.C(63), IV.C(64)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(a), Rec.83

EU DORA

Art.9(3)

RBI CSF

ITGRCA.16

FISC Security Guidelines

FISC.T4

HKMA TM-E-1

TME1.9.1, TME1.9.2, TME1.9.3

DNB Good Practice

DNB.18.3

SAMA CSF

3.4

NCA ECC

2-8

Qatar NIA

CS

CBUAE

CR-8

CBE CSF

CTO-3

SA JS2

JS2-8.3

BoG CISD

CISD-VI

BoM CTRM

3.4

FFIEC IS

II.C.19

HIPAA Security Rule

§164.312(e)(2)(ii)

BOT Cyber Resilience

Ch2.7

CMMC 2.0

SC

PCI PTS v6

D

FIPS 140-3

FIPS 140-3 §7.9

PCI HSM

9

Common Criteria

CC Part 2 — FCS

Solvency II

EIOPA-ICT-4.7

HITRUST CSF v11

10.c

FDA 21 CFR Part 11

§11.30

FDA Cybersecurity Guidance

SA-2

ISO 27799

10.2

NHS DSPT

NDG-9.6

OWASP MASVS v2.1

MASVS-CRYPTO-2, MASVS-NETWORK-2

CCSS v9.0

1.02.4

MiCA

Art.63(1), Art.67(1)

Basel SCO60

SCO60.11, SCO60.61

BSSC Standards

KMS-01

SEC Custody (Digital Assets)

SEC-CD-02, SEC-CD-06

ISO 17799 (legacy)

12.3.2

COBIT 4.1 (legacy)

None.