Navigate

CM-3 (6)

CM-3 (6): Cryptography Management

The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.

Supplemental

Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address the expiration of those certificates.

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
Classified, Int-A, Int-B, Int-C, Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to CM-3 (6).

Control	Description
SC-13	The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Enhancements

The controls below (if any) add on to the requirements of CM-3 (6).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-3 (6).

CCI	Definition
CCI-001745	The organization defines the security safeguards that are to be provided by the cryptographic mechanisms which are employed by the organization.
CCI-001746	The organization ensures that cryptographic mechanisms used to provide organization-defined security safeguards are under configuration management.