Control Acronym



System And Communications Protection

CMMC Level

3

800-171 Control #

3.13.10

CMMC Description

Establish and manage cryptographic keys for cryptography employed in organizational systems.

CMMC Clarification

The organization develops processes and technical mechanisms to protect the confidentiality, authenticity and authorized use of cryptographic keys in accordance with industry standards and regulations. Key management systems provide oversight, assurance, and the capability to demonstrate that cryptographic keys are created in a secure manner and protected from loss or misuse throughout their lifecycle (e.g., active, expired, revoked). For a small number of keys, this can be accomplished with manual procedures and mechanisms. As the number of keys and cryptographic units increases, automation and tool support will be required. Key establishment best practices are identified in NIST SP 800-56A, B and C. Key management best practices are identified in NIST SP 800-57 Parts 1, 2 and 3.

Example: You are an IT administrator at your organization responsible for providing key management. You have generated a public-private key pair to exchange CUI. You require all system administrators to read the company's policy on key management before you allow them to install the private key on their machines. No one else in the company is allowed to know or have a copy of the private key, per the policy. You provide the public key to the other parties who will be sending you CUI and test the PKI to ensure the encryption is working.
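The lifecycle states and the "only the authorized holder may have the key" rule in the clarification above, as an added worked example (this is not part of the CMMC text and not any vendor's key management product): a small in-memory key inventory in Go that enforces the SP 800-57 Part 1 state transitions, refuses to release a key that is not Active, is requested by someone other than its holder, or is past its cryptoperiod, zeroizes key material on destruction, and includes the automated expiry sweep the text says becomes necessary once there are too many keys to track by hand. The key IDs, owner names and cryptoperiods are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Lifecycle states taken from SP 800-57 Part 1. Nothing returns to Active, and a
// Compromised key can only be destroyed.
type KeyState int

const (
	PreActivation KeyState = iota
	Active
	Deactivated // expired or retired: may still unwrap old data, never protects new data
	Compromised // revoked
	Destroyed
)

var stateNames = [...]string{"PreActivation", "Active", "Deactivated", "Compromised", "Destroyed"}

func (s KeyState) String() string { return stateNames[s] }

// Permitted transitions; anything not listed is refused.
var transitions = map[KeyState]map[KeyState]bool{
	PreActivation: {Active: true, Destroyed: true},
	Active:        {Deactivated: true, Compromised: true},
	Deactivated:   {Compromised: true, Destroyed: true},
	Compromised:   {Destroyed: true},
}

// KeyRecord is one inventory entry. Owner is the only principal authorized to hold the
// key material (the "no one else may have a copy" rule from the policy in the text).
type KeyRecord struct {
	ID, Owner string
	State     KeyState
	NotAfter  time.Time // end of the cryptoperiod
	Material  []byte    // private or secret key bytes; zeroized on Destroyed
}

// Transition enforces the state machine and zeroizes material on destruction.
func (k *KeyRecord) Transition(to KeyState) error {
	if !transitions[k.State][to] {
		return fmt.Errorf("key %s: %s -> %s is not permitted", k.ID, k.State, to)
	}
	if to == Destroyed {
		for i := range k.Material {
			k.Material[i] = 0
		}
		k.Material = nil
	}
	k.State = to
	return nil
}

// AuthorizeProtect is the check a key service runs before releasing a key to protect
// new data: Active state, the authorized holder, and inside the cryptoperiod.
func (k *KeyRecord) AuthorizeProtect(user string, now time.Time) error {
	switch {
	case k.State != Active:
		return fmt.Errorf("key %s is %s, not Active", k.ID, k.State)
	case user != k.Owner:
		return errors.New("caller is not the authorized holder of this key")
	case now.After(k.NotAfter):
		return errors.New("cryptoperiod has ended")
	}
	return nil
}

// Inventory is the record of every key; here it is an in-memory map, a deployment
// would keep it (and the material) in an HSM or KMS, but the checks are the same.
type Inventory map[string]*KeyRecord

// ExpireDue is the automated sweep: every Active key past its cryptoperiod is moved
// to Deactivated. Returns how many keys were deactivated.
func (inv Inventory) ExpireDue(now time.Time) int {
	n := 0
	for _, k := range inv {
		if k.State == Active && now.After(k.NotAfter) && k.Transition(Deactivated) == nil {
			n++
		}
	}
	return n
}

func main() {
	now := time.Now()
	k := &KeyRecord{ID: "cui-xfer-2024", Owner: "it-admin", State: PreActivation,
		NotAfter: now.Add(24 * time.Hour), Material: []byte{0x01, 0x02, 0x03}} // constructed sample
	inv := Inventory{k.ID: k}
	fmt.Println("use before activation:", k.AuthorizeProtect("it-admin", now))
	fmt.Println("activate:", k.Transition(Active), "| use:", k.AuthorizeProtect("it-admin", now))
	fmt.Println("other user:", k.AuthorizeProtect("helpdesk", now))
	fmt.Println("expired keys swept:", inv.ExpireDue(now.Add(48*time.Hour)), "| state:", k.State)
	fmt.Println("revoke:", k.Transition(Compromised), "| reactivate:", k.Transition(Active))
	fmt.Println("destroy:", k.Transition(Destroyed), "| material left:", k.Material)
}
```

One record per installed copy of a key is what lets you answer an assessor's "who holds this key, and is it still valid?" question; the scenario in the text, which installs one private key on several administrators' machines, would therefore produce several records with different holders, each of which must be revoked or destroyed when that administrator leaves.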

800-171 Description

Establish and manage cryptographic keys for cryptography employed in organizational systems.

800-171 Discussion

Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment.
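The key establishment the discussion points to in SP 800-56A, as an added example (this is not NIST's or CMMC's code): both sides of an ephemeral ECDH exchange on P-256, with the shared secret Z fed through the SP 800-56C one-step KDF (SHA-256) to produce a data key and a separate key-confirmation MAC key, followed by a confirmation tag from the responder. The purpose label "CUI-transfer-v1", the party names "alice" and "bob", and the exact byte layout of FixedInfo and of the confirmation message are this example's own assumptions, not something the standards mandate.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// NewEphemeral generates a one-use P-256 key pair from the OS CSPRNG.
func NewEphemeral() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// oneStepKDF is the SP 800-56C one-step KDF with SHA-256:
// K = H(counter || Z || FixedInfo) for counter = 1, 2, ... until enough bytes exist.
func oneStepKDF(z, fixedInfo []byte, length int) []byte {
	var out []byte
	for counter := uint32(1); len(out) < length; counter++ {
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], counter)
		h := sha256.New()
		h.Write(c[:])
		h.Write(z)
		h.Write(fixedInfo)
		out = h.Sum(out)
	}
	return out[:length]
}

// fixedInfo binds the derived keys to a purpose label, both identities and both ephemeral
// public keys (layout assumed here). The smaller ID goes first so both sides build the
// identical byte string regardless of who initiated.
func fixedInfo(idA string, pubA []byte, idB string, pubB []byte) []byte {
	if idA > idB {
		idA, idB, pubA, pubB = idB, idA, pubB, pubA
	}
	info := append([]byte("CUI-transfer-v1"), idA...)
	info = append(append(info, pubA...), idB...)
	return append(info, pubB...)
}

// SessionKeys runs the ephemeral ECDH step (the C(2e, 0s) scheme family of SP 800-56A) against
// the peer's raw public point and derives a 256-bit data key plus a 256-bit MAC key.
func SessionKeys(priv *ecdh.PrivateKey, selfID, peerID string, peerPub []byte) (dataKey, macKey []byte, err error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub) // validates encoding and rejects off-curve points
	if err != nil {
		return nil, nil, err
	}
	z, err := priv.ECDH(pub) // shared secret Z; never used directly as a key
	if err != nil {
		return nil, nil, err
	}
	km := oneStepKDF(z, fixedInfo(selfID, priv.PublicKey().Bytes(), peerID, peerPub), 64)
	return km[:32], km[32:], nil
}

// ConfirmTag is the key-confirmation MAC the responder sends: it proves the responder derived
// the same MAC key without exposing anything derived from Z. Message layout assumed here.
func ConfirmTag(macKey []byte, fromID, toID string, fromPub, toPub []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	for _, p := range [][]byte{[]byte("KC_1_V"), []byte(fromID), []byte(toID), fromPub, toPub} {
		m.Write(p)
	}
	return m.Sum(nil)
}

// RunExchange plays both sides, "alice" (initiator) and "bob" (responder), over an in-memory
// channel and reports whether both derived the same data key and bob's confirmation verified.
func RunExchange() (bool, error) {
	privA, err := NewEphemeral()
	if err != nil {
		return false, err
	}
	privB, err := NewEphemeral()
	if err != nil {
		return false, err
	}
	pubA, pubB := privA.PublicKey().Bytes(), privB.PublicKey().Bytes() // the two points on the wire
	dataA, macA, err := SessionKeys(privA, "alice", "bob", pubB)
	if err != nil {
		return false, err
	}
	dataB, macB, err := SessionKeys(privB, "bob", "alice", pubA)
	if err != nil {
		return false, err
	}
	tag := ConfirmTag(macB, "bob", "alice", pubB, pubA) // third message: bob -> alice
	confirmed := hmac.Equal(tag, ConfirmTag(macA, "bob", "alice", pubB, pubA))
	return confirmed && hmac.Equal(dataA, dataB), nil
}

func main() {
	ok, err := RunExchange()
	fmt.Println("shared key established and confirmed:", ok, "error:", err)
}
```

Two things the example deliberately makes visible: the peer's public point is validated before it is used, and Z itself never leaves the KDF. What it omits is authentication of the ephemeral public keys (for instance, by signing them with a key that is itself managed as above); without that step an active attacker can sit between the two parties and establish a separate key with each, which is exactly why SP 800-56A pairs ephemeral exchange with static keys or a separate authentication mechanism.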

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-12

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.10

Assessment Sub-Criteria 1

SC.3.187.[a] cryptographic keys are established whenever cryptography is employed; and

Assessment Sub-Criteria 2

SC.3.187.[b] cryptographic keys are managed whenever cryptography is employed.
