NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-17Public Key Infrastructure Certificates

Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and Include only approved trust anchors in trust stores or certificate stores managed by the organization.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.

Practitioner Notes

If your organization uses PKI certificates (and most do), you need to issue them from a trusted certificate authority following established policies.

Example 1: Deploy Active Directory Certificate Services as your internal PKI. Publish your CA certificate to all domain machines via GPO so they automatically trust certificates issued by your CA. Create a Certificate Practice Statement (CPS) that documents how certificates are issued, managed, and revoked.

Example 2: For external-facing services, use certificates from a publicly trusted CA. Implement Certificate Transparency (CT) log monitoring so you are alerted if someone fraudulently obtains a certificate for your domain from any CA in the world.

More System and Communications Protection Controls

SC-1 Policy and Procedures SC-2 Separation of System and User Functionality SC-2(1) Interfaces for Non-privileged Users SC-2(2) Disassociability