NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-3(6) Cryptography Management

Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates.

Practitioner Notes

This enhancement requires formal management of cryptographic mechanisms used in the system, including tracking certificates, keys, and cryptographic algorithms as configuration items.

Example 1: Maintain an inventory of all SSL/TLS certificates in a tool like Venafi or a spreadsheet, tracking expiration dates, key lengths, and issuing certificate authorities.

Example 2: Document all cryptographic algorithms and key management procedures used in your system, and include cryptographic changes in your CCB review process.
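One way to turn the inventory from Example 1 into a recurring check is sketched below, as an added example rather than part of the NIST text or any tool's own code. It compares a baseline inventory with the observed certificate state and reports expiry, short keys, and changes that are not reflected in the baseline. The hosts, CA names, the `ccb_ticket` column, and the 30-day and 2048-bit thresholds are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed baseline inventory (the configuration items). Hosts, CA names and
# the ccb_ticket column are illustrative, not taken from any real system.
BASELINE_CSV = """host,issuer,key_bits,not_after,ccb_ticket
www.example.test,Example CA 1,2048,2025-03-01,CCB-101
api.example.test,Example CA 1,1024,2026-01-15,CCB-102
vpn.example.test,Example CA 2,4096,2025-01-20,CCB-103
"""

# Constructed observed state, as a scan of the endpoints might report it.
OBSERVED_CSV = """host,issuer,key_bits,not_after
www.example.test,Example CA 1,2048,2025-03-01
api.example.test,Example CA 1,1024,2026-01-15
vpn.example.test,Unlisted CA,4096,2026-01-20
new.example.test,Example CA 1,2048,2026-06-01
"""

def load(text):
    """Parse inventory CSV into {host: row}, normalising types."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["key_bits"] = int(row["key_bits"])
        row["not_after"] = date.fromisoformat(row["not_after"])
        rows[row["host"]] = row
    return rows

def review(baseline, observed, today, warn_days=30, min_bits=2048):
    """Flag expiry, short keys and drift; the default thresholds are assumed policy values."""
    findings = []
    for host, seen in observed.items():
        days_left = (seen["not_after"] - today).days
        if days_left < 0:
            findings.append((host, "expired"))
        elif days_left <= warn_days:
            findings.append((host, f"expires in {days_left} days"))
        if seen["key_bits"] < min_bits:
            findings.append((host, f"key length {seen['key_bits']} below {min_bits}"))
        base = baseline.get(host)
        if base is None:
            findings.append((host, "not in inventory"))
            continue
        for field in ("issuer", "key_bits", "not_after"):
            if base[field] != seen[field]:
                findings.append((host, f"{field} differs from baseline"))
    findings += [(h, "in inventory but not observed") for h in baseline.keys() - observed.keys()]
    return sorted(findings)
```

Findings of the "differs from baseline" or "not in inventory" kind are the ones to route to the CCB review described in Example 2, since they indicate a cryptographic change made outside the recorded baseline.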