NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-28(3) Cryptographic Keys

Provide protected storage for cryptographic keys {{ insert: param, sc-28.03_odp.01 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.

Practitioner Notes

Protect cryptographic keys used for data-at-rest encryption with the same rigor as the data itself. If an attacker gets your keys, encryption is meaningless.

Example 1: Store database encryption keys in Azure Key Vault or AWS KMS, not in the database configuration files. The key management service has its own access controls, audit logging, and hardware-backed key storage.

Example 2: For BitLocker, store recovery keys in Active Directory (not on sticky notes or in shared spreadsheets). Restrict who can view recovery keys in AD to your security team and IT managers. Audit all access to recovery key objects.
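The following PowerShell script is an added illustration of Example 2 and is not part of the NIST text or any vendor documentation. It escrows a volume's BitLocker recovery password to Active Directory, verifies from the directory side that the msFVE-RecoveryInformation object exists under the computer account, and adds a SACL entry so that every read of those recovery objects is logged (Directory Service Access event 4662). It assumes the BitLocker and ActiveDirectory modules are installed, that Group Policy permits storing recovery information in AD DS, that the caller holds rights to write recovery objects and SACLs, and that "Audit Directory Service Access" is enabled on the domain controllers; the mount point and the audited principal are example values.

```powershell
# Added example: escrow a BitLocker recovery password to AD DS, confirm the
# escrow from the directory, and audit reads of the recovery objects.
# Assumptions (not from the page): BitLocker + ActiveDirectory modules present,
# GPO "Store BitLocker recovery information in AD DS" enabled, caller can write
# msFVE-RecoveryInformation objects and SACLs, DS Access auditing enabled on DCs.

param(
    [string]$MountPoint = 'C:'   # example volume; change to the volume to escrow
)

Import-Module BitLocker
Import-Module ActiveDirectory

# 1. Locate the recovery-password protector on the volume. If none exists, the
#    volume has no escrowable recovery key, so stop rather than silently continue.
$volume    = Get-BitLockerVolume -MountPoint $MountPoint
$protector = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $protector) {
    throw "No RecoveryPassword protector on $MountPoint; add one first with Add-BitLockerKeyProtector -RecoveryPasswordProtector"
}

# 2. Escrow the protector to AD DS. This writes an msFVE-RecoveryInformation
#    child object beneath the computer account; the password never goes to a file.
Backup-BitLockerKeyProtector -MountPoint $MountPoint `
    -KeyProtectorId $protector.KeyProtectorId

# 3. Verify from the directory side that the escrow landed. Only the GUID and
#    timestamp are read here; the msFVE-RecoveryPassword attribute itself is
#    deliberately not requested by this verification step.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$escrowed = Get-ADObject -SearchBase $computer.DistinguishedName `
    -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryGuid', whenCreated
if (-not $escrowed) {
    throw "Escrow reported success but no msFVE-RecoveryInformation object was found under $($computer.DistinguishedName)"
}
$escrowed | Select-Object Name, whenCreated | Format-Table -AutoSize

# 4. Audit reads of the recovery objects. A Success audit ACE for ReadProperty,
#    applied to 'Everyone' (example principal), makes the DC log event 4662
#    whenever any principal reads the recovery password, which is the access
#    trail the control calls for. Viewing rights themselves stay governed by the
#    DACL delegated to the security team.
$auditPrincipal = [System.Security.Principal.NTAccount]'Everyone'
$rights         = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$flags          = [System.Security.AccessControl.AuditFlags]::Success
foreach ($obj in $escrowed) {
    $entry = [ADSI]"LDAP://$($obj.DistinguishedName)"
    # Ask ADSI to read and write the SACL portion of the security descriptor.
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl,Sacl'
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $auditPrincipal, $rights, $flags)
    $entry.ObjectSecurity.AddAuditRule($rule)
    $entry.CommitChanges()
    Write-Host "Audit rule applied to $($obj.DistinguishedName)"
}
```

Run it from an elevated session on the encrypted machine (steps 1 and 2 must execute locally; steps 3 and 4 only need the RSAT AD module and the appropriate directory rights). Scheduling the verification half on its own is a reasonable compliance check: a computer object with BitLocker enabled but no msFVE-RecoveryInformation child is exactly the gap this control is meant to close.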