CCI-004899

Maintain physical control of cryptographic keys when store information is encrypted by external service providers.

Implementation Guidance

Determine if physical control of cryptographic keys is maintained when stored information is encrypted by external service providers.

Validation Procedures

Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key establishment, management, and recovery; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for cryptographic key establishment or management]. Test: [SELECT FROM: Mechanisms supporting and/or implementing cryptographic key establishment and management].

The controls below (if any) were marked by NIST as being related to CCI-004899.