NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION
3.13.10 — Cryptographic Key Establishment and Management
Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. This requirement is related to 03.13.11.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- cryptographic keys are established in the system in accordance with the following key management requirements: [organization-defined key management requirements, parameter A.03.13.10.ODP.01].
- cryptographic keys are managed in the system in accordance with the following key management requirements: [organization-defined key management requirements, parameter A.03.13.10.ODP.01].
Practitioner Notes
If you are using encryption (and you should be), you need a solid process for creating, distributing, storing, rotating, and destroying the cryptographic keys. The encryption is only as strong as how you manage the keys.
Example 1: For BitLocker, store recovery keys in Active Directory Domain Services (AD DS). Configure this via GPO: Computer Configuration > Administrative Templates > Windows Components > BitLocker > Store BitLocker recovery information in AD DS. This ensures keys are centrally managed and recoverable, not written on sticky notes.
Example 2: For TLS certificates on your web servers, use a certificate management tool or process. Track certificate expiration dates in a spreadsheet or a tool such as Venafi, or use Let's Encrypt with auto-renewal. Ensure you are using keys of at least 2048-bit RSA or 256-bit ECC, and rotate certificates annually. If using Azure, leverage Azure Key Vault to store and manage certificates and secrets with access policies and audit logging.
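The following PowerShell script is an added example (not part of the NIST text) that audits both practices above on a domain-joined Windows host: it confirms every BitLocker volume has a recovery password escrowed to AD DS, and it inventories the machine certificate store for keys below the stated minimums or certificates nearing expiry. It assumes the BitLocker module is present, an elevated session, and that the 30-day warning window is an illustrative value.

```powershell
# Added example: audit BitLocker escrow and TLS key hygiene against 3.13.10.
# Assumes an elevated session on a domain-joined host with the BitLocker module.

function Test-BitLockerEscrow {
    # Ensure each encrypted volume has a recovery-password protector and escrow it to AD DS.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to escrow
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            # No recovery password at all: add one so the volume is recoverable, then escrow it.
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        foreach ($p in $rp) {
            # Writes the recovery information under the computer object in AD DS; a failure here
            # usually means the GPO or schema prerequisites from Example 1 are not in place.
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                $state = 'EscrowedToADDS'
            } catch { $state = "EscrowFailed: $($_.Exception.Message)" }
            [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; State = $state }
        }
    }
}

function Test-ServerCertificates {
    param([int]$MinRsaBits = 2048, [int]$MinEccBits = 256, [int]$WarnDays = 30)   # WarnDays is illustrative
    # Inventory the machine store and flag weak keys or certificates nearing expiry.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $ecc = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
        if ($rsa)     { $alg = 'RSA';   $bits = $rsa.KeySize; $min = $MinRsaBits }
        elseif ($ecc) { $alg = 'ECC';   $bits = $ecc.KeySize; $min = $MinEccBits }
        else          { $alg = 'Other'; $bits = 0;            $min = 0 }
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $findings = @()
        if ($bits -lt $min)          { $findings += "key below $min bits" }
        if ($daysLeft -le $WarnDays) { $findings += "expires in $daysLeft days" }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Algorithm  = $alg
            KeyBits    = $bits
            DaysLeft   = $daysLeft
            Finding    = $findings -join '; '
        }
    }
}

Test-BitLockerEscrow | Format-Table -AutoSize
Test-ServerCertificates | Where-Object Finding | Format-Table -AutoSize
```

Run it from a scheduled task or your configuration-management tool so escrow and certificate findings are collected continuously rather than only at assessment time.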