NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-13(1) Protection of Cryptographic Keys

Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed.

Practitioner Notes

This enhancement requires protection of cryptographic keys used by identity providers and authorization servers — these keys are the crown jewels of your authentication infrastructure.

Example 1: Store your SAML signing certificates and OAuth signing keys in a Hardware Security Module (HSM) or Azure Key Vault with HSM backing to prevent extraction.

Example 2: Implement automatic key rotation for your identity provider's token signing keys and publish updated public keys to relying parties through standard metadata endpoints.
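The two examples above describe one key lifecycle: a signing key that never leaves its protected store (Example 1) and a rotation cycle whose public halves are published to relying parties (Example 2). The Go program below is an added illustration of that lifecycle; it is not part of the NIST text and not any product's code. It models an identity provider (`Issuer`) whose private key is unexported and used only by `Issue`, a metadata document that is a simplified kid-to-public-key map standing in for a JWKS endpoint, and a `RelyingParty` that refreshes from that document and verifies tokens by `kid`. All type and method names and the `{"sub":"alice"}` payload are constructed for this example; in production the `Issuer`'s key would be an HSM or Key Vault handle and `ed25519.Sign` would be the device's signing call, with the rest of the design unchanged.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Issuer owns the token signing key. The private half is unexported and only
// Issue touches it; in production it would be an HSM/Key Vault key handle.
type Issuer struct {
	current    ed25519.PrivateKey
	currentKid string
	published  map[string]string // kid -> base64url public key (current + not yet retired)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Rotate installs a fresh signing key and returns its kid (call once before Issue). The
// old public key stays published for the overlap window; the old private key is dropped.
func (iss *Issuer) Rotate() (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	if iss.published == nil {
		iss.published = map[string]string{}
	}
	thumb := sha256.Sum256(pub) // kid = truncated public-key thumbprint
	iss.current, iss.currentKid = priv, b64(thumb[:])[:16]
	iss.published[iss.currentKid] = b64(pub)
	return iss.currentKid, nil
}

// Retire unpublishes an old key once every token it signed has expired.
func (iss *Issuer) Retire(kid string) { delete(iss.published, kid) }

// Metadata is the key endpoint's document, a simplified JWKS stand-in; only public keys are in it.
func (iss *Issuer) Metadata() ([]byte, error) { return json.Marshal(iss.published) }

// Issue signs a JWS-style compact token header.payload.signature with the current key.
func (iss *Issuer) Issue(payload []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": iss.currentKid})
	input := b64(hdr) + "." + b64(payload)
	return input + "." + b64(ed25519.Sign(iss.current, []byte(input)))
}

// RelyingParty caches the issuer's public keys by kid and verifies tokens.
type RelyingParty struct{ keys map[string]ed25519.PublicKey }

// Refresh replaces the cached key set from a freshly fetched metadata document.
func (rp *RelyingParty) Refresh(doc []byte) error {
	var raw map[string]string
	if err := json.Unmarshal(doc, &raw); err != nil {
		return err
	}
	keys := map[string]ed25519.PublicKey{}
	for kid, x := range raw {
		pub, err := base64.RawURLEncoding.DecodeString(x)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return errors.New("malformed public key in metadata")
		}
		keys[kid] = ed25519.PublicKey(pub)
	}
	rp.keys = keys
	return nil
}

// Verify checks alg, kid and signature and returns the verified payload (claim checks
// such as exp and aud are the caller's job). Unknown kid means refresh and retry, never skip.
func (rp *RelyingParty) Verify(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	rawHdr, e1 := dec(parts[0])
	payload, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url")
	}
	var hdr map[string]string
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr["alg"] != "EdDSA" {
		return nil, errors.New("unexpected header or alg")
	}
	pub, ok := rp.keys[hdr["kid"]]
	if !ok {
		return nil, errors.New("unknown kid (refresh metadata)")
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	return payload, nil
}
```

Two design points carry the control's intent. First, nothing outside `Issuer` can obtain `current`: `Metadata` serialises only `published`, which holds public keys, so a leak of the metadata document or of the relying party's cache discloses no signing material. Second, rotation is a two-step lifecycle: `Rotate` overwrites the private key immediately but keeps the old public key published so tokens already in circulation still verify, and `Retire` removes it only after those tokens have expired; a relying party that sees an unknown `kid` re-fetches the metadata rather than relaxing verification, and the pinned `alg` check rejects headers that name any other algorithm.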