NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-12 — Cryptographic Key Establishment and Management
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}.
Supplemental Guidance
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.
Practitioner Notes
Cryptographic keys are the foundation of all your encryption — if keys are poorly managed, your encryption is worthless. This control requires a formal process for creating, distributing, storing, rotating, and destroying keys.
Example 1: Use Active Directory Certificate Services (AD CS) as your internal PKI to issue, renew, and revoke certificates for servers and users. Configure auto-enrollment via GPO so certificates are automatically issued and renewed. Store the CA root key on an offline, air-gapped system.
Example 2: For cloud environments, use Azure Key Vault or AWS KMS to manage encryption keys. These services handle key generation, rotation, and access control. Configure automatic key rotation every 90 days and audit all key access through the service's built-in logging.