NIST 800-171 Control 3.13.10: Cryptographic Key Management
Control 3.13.10 requires organizations to establish and manage cryptographic keys used across systems and data protection mechanisms. Proper key management is foundational to any cryptography program—weak key practices expose even strong algorithms to compromise. This control ensures your organization maintains lifecycle oversight of all cryptographic keys from generation through destruction.
What this means
This control mandates establishing formal processes to manage the complete lifecycle of cryptographic keys. Organizations must define how keys are generated, stored, rotated, backed up, and securely destroyed. Key management includes controlling who has access to keys, how they are protected, and monitoring their usage across systems. The goal is to prevent unauthorized key access, ensure continuity through key recovery procedures, and maintain audit trails of key-related activities.
How to comply
- 1.Document a cryptographic key management policy covering generation, storage, rotation, backup, and destruction procedures
- 2.Establish role-based access controls limiting who can create, modify, or delete cryptographic keys
- 3.Implement a centralized key management system or HSM (Hardware Security Module) to store and protect keys
- 4.Define and enforce key rotation schedules based on key type and risk classification
- 5.Create secure key backup and recovery procedures with tested restoration capabilities
- 6.Maintain a cryptographic key inventory tracking all keys, their purpose, owner, and lifecycle status
- 7.Establish monitoring and logging for all key management activities including access and modifications
- 8.Define secure key destruction procedures and verify destruction upon key retirement
- 9.Conduct periodic reviews and audits of key management practices and compliance
Evidence auditors look for
- Cryptographic key management policy document with lifecycle procedures
- Key inventory spreadsheet or system tracking all organizational keys
- Key rotation logs showing dates keys were rotated and by whom
- HSM or key management system configuration and access control documentation
- Key backup and recovery test results with dates and outcomes
- Audit logs showing key access, creation, modification, and deletion events
- Key destruction certificates or disposal records
- Role-based access control matrix for key management personnel
- Risk assessment documenting key protection requirements by data classification
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates cryptographic key inventory tracking, rotation scheduling, and access logging—automatically flagging overdue rotations and unauthorized key access to keep your organization audit-ready without manual spreadsheet maintenance.
See how GRCWatch handles this control automatically
Start free trial