NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-9(6) — Organization-controlled Cryptographic Keys
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
Supplemental Guidance
Maintaining exclusive control of cryptographic keys in an external system prevents decryption of organizational data by external system staff. Organizational control of cryptographic keys can be implemented by encrypting and decrypting data inside the organization as data is sent to and received from the external system or by employing a component that permits encryption and decryption functions to be local to the external system but allows exclusive organizational access to the encryption keys.
Practitioner Notes
When using external services that encrypt your data, control the encryption keys yourself rather than relying on the provider to manage them. Because the provider's staff never hold the keys, they cannot decrypt the data, and you retain control of it even if the relationship with the provider ends.
Example 1: For cloud services that offer customer-managed keys, use your own keys stored in your Azure Key Vault or AWS KMS rather than relying on the provider's default encryption. This ensures the provider cannot access your encrypted data without your key.
Example 2: In Microsoft 365, configure Customer Key (available with E5) so that your data in Exchange Online, SharePoint, and Teams is encrypted with keys you control. If you ever need to leave the service, you can revoke the keys, rendering the data unreadable.
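The following is an added illustration of the first implementation option in the supplemental guidance (encrypting and decrypting inside the organization as data is sent to and received from the external system); it is not part of the NIST text or of any vendor product. It models a minimal envelope-encryption flow in Go: a data-encryption key (DEK) protects each object, and the DEK is wrapped under a key-encryption key (KEK) that never leaves the organization. The `KeyVault` type is a hypothetical stand-in for an organization-administered KMS or HSM, and the object name and payload are constructed sample values. The external system receives only ciphertext plus the wrapped DEK, so it holds nothing it can decrypt, and destroying the KEK makes every stored object unrecoverable, which is the revocation effect described in Example 2.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVault stands in for an organization-controlled key store (an HSM or a
// KMS the organization administers). Only the KEK lives here; the external
// system never receives it. Hypothetical type for this example.
type KeyVault struct {
	kek []byte // 256-bit key-encryption key; nil once revoked
}

// NewKeyVault generates a fresh KEK inside the organization's boundary.
func NewKeyVault() (*KeyVault, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyVault{kek: kek}, nil
}

// Revoke destroys the KEK. Every DEK wrapped under it, and therefore every
// object stored at the external system, becomes unrecoverable.
func (v *KeyVault) Revoke() { v.kek = nil }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD returns nonce || AES-GCM ciphertext, binding aad to the result.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD and fails on any tampering with data or aad.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Envelope is everything handed to the external system: the object ciphertext
// and the DEK wrapped under the organization's KEK. Neither part is usable
// without the KEK, which stays inside the organization.
type Envelope struct {
	ObjectID   string // used as AAD so envelopes cannot be swapped between objects
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptForExternal runs inside the organization before upload.
func (v *KeyVault) EncryptForExternal(objectID string, plaintext []byte) (*Envelope, error) {
	if v.kek == nil {
		return nil, errors.New("KEK revoked")
	}
	dek := make([]byte, 32) // one fresh DEK per object
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealAEAD(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAEAD(v.kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Envelope{ObjectID: objectID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFromExternal runs inside the organization after download.
func (v *KeyVault) DecryptFromExternal(env *Envelope) ([]byte, error) {
	if v.kek == nil {
		return nil, errors.New("KEK revoked: data is unrecoverable")
	}
	dek, err := openAEAD(v.kek, env.WrappedDEK, []byte(env.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAEAD(dek, env.Ciphertext, []byte(env.ObjectID))
}

func main() {
	vault, _ := NewKeyVault()
	// Constructed sample object; the provider stores only env, never the KEK.
	env, _ := vault.EncryptForExternal("hr/payroll-2024.csv", []byte("employee,salary\nalice,100"))
	pt, _ := vault.DecryptFromExternal(env)
	fmt.Printf("round trip ok: %q\n", pt)
	vault.Revoke()
	_, err := vault.DecryptFromExternal(env)
	fmt.Println("after revoke:", err)
}
```

The object identifier is passed as AES-GCM associated data on both layers, so an external operator who re-labels or swaps stored envelopes gets an authentication failure rather than a silently mis-attributed plaintext. The second option in the supplemental guidance (a component running next to the external system) uses the same envelope structure; only the place where `EncryptForExternal` and `DecryptFromExternal` execute changes, and the KEK access path must still be exclusive to the organization.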