Navigate

CM-3(6)

CM-3(6): Cryptography Management

Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [controls provided by cryptographic mechanisms that are to be under configuration management are defined;].

Supplemental

The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates.

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
Classified, DAF Baseline, Int-A, Int-B, Int-C, Privacy (high), Privacy (low), Privacy (moderate)

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-3(6).

Control	Description
SC-12	Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [requirements for key generation, distribution, storage, access, and destruction are defined;].

Enhancements

The controls below (if any) add on to the requirements of CM-3(6).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-3(6).

CCI	Definition
CCI-001745	Defines the controls that are to be provided by the cryptographic mechanisms are under configuration management.
CCI-001746	Ensure that cryptographic mechanisms used to provide organization-defined control are under configuration management.