CMMC Practice SC.3.187: Establish and manage cryptographic keys for cryptography employed in organizational systems.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
The organization develops processes and technical mechanisms to protect the confidentiality, authenticity and authorized use of cryptographic keys in accordance with industry standards and regulations. Key management systems provide oversight, assurance, and the capability to demonstrate that cryptographic keys are created in a secure manner and protected from loss or misuse throughout their lifecycle, e.g., active, expired, revoked. For a small number of keys, this can be accomplished with manual procedures and mechanisms. As the number of keys and cryptographic units increases, automation and tool support will be required.
Key establishment best practices are identified in NIST SP 800-56A, B and C. Key management best practices are identified in NIST SP 800-57 Parts 1, 2 and 3.