CCI-004791
CCI-004791 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system.
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing external system services; acquisition contracts for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; procedures addressing organization-controlled cryptographic key management; organizational security requirements or conditions for external providers; system security plan; supply chain risk management plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organization personnel with cryptographic key management responsibilities; external providers of system services; organizational personnel with supply chain risk management responsibilities].
Test: [SELECT FROM: Organizational processes for cryptographic key management; mechanisms for supporting and implementing the management of organization-controlled cryptographic keys].