NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-12(2) Symmetric Keys

Produce, control, and distribute symmetric cryptographic keys using {{ insert: param, sc-12.02_odp }} key management technology and processes.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

[SP 800-56A](#20957dbb-6a1e-40a2-b38a-66f67d33ac2e), [SP 800-56B](#0d083d8a-5cc6-46f1-8d79-3081d42bcb75), and [SP 800-56C](#eef62b16-c796-4554-955c-505824135b8a) provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1](#110e26af-4765-49e1-8740-6750f83fcda1), [SP 800-57-2](#e7942589-e267-4a5a-a3d9-f39a7aae81f0), and [SP 800-57-3](#8306620b-1920-4d73-8b21-12008528595f) provide guidance on cryptographic key management.

Practitioner Notes

Symmetric encryption keys (the same key encrypts and decrypts) require special handling because anyone with the key can both read and create encrypted data.

Example 1: Use FIPS 140-2 validated modules to generate symmetric keys (like AES-256 keys for BitLocker or database TDE). Never generate keys with custom or homegrown random number generators — use the OS cryptographic provider.

Example 2: For symmetric keys shared between systems (like a shared encryption key for a partner data exchange), distribute the key through an out-of-band channel — for example, a phone call to verify the key after sending it via encrypted email. Never send the key and the encrypted data through the same channel.
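An added example, not part of the NIST control text or the practitioner notes above: it draws an AES-256 key from the OS cryptographic provider, includes a seeded "homegrown" generator only to show why Example 1 forbids it (same seed, same key), and derives a short fingerprint that can be read over the phone to confirm a key delivered through another channel, as in Example 2. The fingerprint format (four groups of four hex characters from a truncated SHA-256) is an assumption of this example, not something the control specifies.

```python
import hashlib
import hmac
import random
import secrets

AES256_KEY_BYTES = 32  # 256-bit key, e.g. for AES-256 as used by BitLocker or TDE


def generate_key_os(length: int = AES256_KEY_BYTES) -> bytes:
    """Draw key material from the OS cryptographic provider (CSPRNG).
    secrets.token_bytes() wraps os.urandom(), i.e. the platform CSPRNG."""
    return secrets.token_bytes(length)


def generate_key_homegrown(seed: int, length: int = AES256_KEY_BYTES) -> bytes:
    """Counterexample only: a seeded general-purpose PRNG is NOT a key source.
    Anyone who learns or guesses the seed reproduces the key exactly."""
    rng = random.Random(seed)  # Mersenne Twister, fully determined by the seed
    return bytes(rng.getrandbits(8) for _ in range(length))


def key_fingerprint(key: bytes) -> str:
    """Short fingerprint for out-of-band confirmation (e.g. a phone call).
    Assumed format: first 64 bits of SHA-256(key) as XXXX-XXXX-XXXX-XXXX.
    The fingerprint confirms the key arrived intact; it does not reveal it."""
    digest = hashlib.sha256(key).hexdigest()[:16].upper()
    return "-".join(digest[i:i + 4] for i in range(0, 16, 4))


def fingerprint_matches(key: bytes, spoken: str) -> bool:
    """Compare the locally computed fingerprint with the one read out by the
    other party, tolerating spaces, dashes and case; constant-time compare."""
    expected = key_fingerprint(key).replace("-", "")
    heard = spoken.replace(" ", "").replace("-", "").upper()
    return hmac.compare_digest(expected, heard)


if __name__ == "__main__":
    key = generate_key_os()
    print("fingerprint to confirm by phone:", key_fingerprint(key))
    # Same seed -> identical "key": this is why homegrown generators are rejected.
    print(generate_key_homegrown(1234) == generate_key_homegrown(1234))  # True
```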