SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

TAILORED FOR INDUSTRIAL CONTROL SYSTEMS

  • ICS Control Baselines: Low, Moderate, High

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

SUPPLEMENTAL GUIDANCE

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

ICS SUPPLEMENTAL GUIDANCE

The use of cryptographic key management in ICS is intended to support internal nonpublic use.

CONTROL ENHANCEMENTS

SC-12 (1) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABILITY
  • ICS Control Baseline: High

The organization maintains availability of information in the event of the loss of cryptographic keys by users.

Supplemental Guidance:

Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase).

No ICS Supplemental Guidance.

SC-12 (2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC KEYS

The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes.

Supplemental Guidance: NONE

NOT SELECTED FOR THE NIST ICS CONTROL SET

SC-12 (3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC KEYS

NOT SELECTED FOR THE NIST ICS CONTROL SET

The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key].

Supplemental Guidance: NONE

SC-12 (4) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PKI CERTIFICATES

NOT SELECTED FOR THE NIST ICS CONTROL SET

[Withdrawn: Incorporated into SC-12]. (See above.)

SC-12 (5) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PKI CERTIFICATES / HARDWARE TOKENS

NOT SELECTED FOR THE NIST ICS CONTROL SET

[Withdrawn: Incorporated into SC-12]. (See above.)

REFERENCES:

  • NIST Special Publication 800-56
  • NIST Special Publication 800-57