SC.L2-3.13.10: Key Management for CMMC Level 2
Key management is the foundation of your cryptographic security posture under CMMC Level 2. Without proper establishment and management of cryptographic keys, your encryption controls become vulnerabilities. This control requires you to implement systematic processes for generating, storing, rotating, and retiring cryptographic keys across your organization.
What this means
This control mandates that your organization establish formal processes to manage all cryptographic keys used in your information systems. You must define how keys are created, stored, accessed, rotated, and destroyed throughout their lifecycle. Key management includes controlling who can access keys, protecting keys from unauthorized use, and ensuring keys are properly maintained to support the cryptographic functions protecting your systems.
How to comply
- 1.Develop a key management policy that covers the entire lifecycle of cryptographic keys from generation to retirement
- 2.Implement secure key generation procedures using approved cryptographic algorithms and methods
- 3.Establish secure key storage mechanisms that protect keys from unauthorized access and exposure
- 4.Define and enforce key access controls limiting key usage to authorized personnel and systems
- 5.Implement key rotation procedures with defined intervals appropriate to key type and usage
- 6.Create key escrow or backup procedures for recovery purposes where business-critical
- 7.Document all key management procedures and maintain records of key lifecycle events
- 8.Conduct regular audits of key management practices to ensure ongoing compliance
Evidence auditors look for
- Key management policy document defining key generation, storage, and rotation standards
- Cryptographic key inventory listing all active keys, their purposes, and assigned owners
- Key generation logs showing approval and cryptographic parameters used
- Secure key storage evidence (HSM configurations, encrypted key vaults, access logs)
- Key rotation schedules and completion records with dates and responsible parties
- Key destruction certificates documenting secure removal of retired keys
- Access control lists showing who can retrieve and use specific keys
- Annual key management audit reports or security assessments
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates key management documentation, tracks key lifecycle events, maintains your cryptographic key inventory, and flags rotation deadlines so your team never misses a required key management step.
See how GRCWatch handles this control automatically
Start free trial