Control 3.13.10
Establish and Manage Cryptographic Keys
Official Requirement
Establish and manage cryptographic keys for cryptography employed in organizational information systems.
What This Means in Plain English
If you use cryptography of any kind (disk or database encryption, TLS, code signing, VPNs), you must manage the keys behind it across their whole lifecycle: generate them with an approved method, store them where only authorized people and systems can reach them (a key vault or HSM, never a plaintext config file or source repository), restrict who can use them, rotate them on a schedule, revoke or replace them if they are exposed, and destroy them securely when they are no longer needed. A strong algorithm protects nothing if the key is left where an attacker can read it.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Microsoft Azure Key Vault for centralized cryptographic key management
- BitLocker recovery keys stored in Active Directory and Azure AD with restricted access
- PKI certificate management with automated renewal for expiring certificates
- Key rotation policies enforcing annual rotation for encryption keys
- ComplianceArmor tracking key custodians, rotation dates, and destruction records
Assessment Guidance
Assessors will review key management procedures, verify that keys are generated using approved methods (typically a FIPS 140-validated module or a managed key vault rather than ad hoc scripts), check how keys are stored and who can access them, confirm that rotation schedules are actually followed and not just documented, and review key destruction records for decommissioned systems.
Common Implementation Gaps
- No formal key management process, or a written policy that no one follows
- Encryption keys stored in plain text or insecure locations (configuration files, scripts, source repositories, shared drives)
- Keys never rotated after initial creation, and no expiry set that would force the decision
- No key recovery or escrow process, so a lost key means lost data
- Expired certificates causing service outages because nothing tracks expiry dates
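The rotation and expiry gaps above are the easiest to catch automatically. The following is an added example (not Petronella's tooling and not code from the Azure SDK) that audits Key Vault keys against the annual rotation policy described earlier and flags certificates that are expired or close to it. It runs offline against constructed sample objects; the key and certificate properties it reads (Name, Created, Expires) are the ones the Az.KeyVault cmdlets Get-AzKeyVaultKey and Get-AzKeyVaultCertificate return, so the same function can be fed live data once Connect-AzAccount has run. The vault name and the sample key names are hypothetical.

```powershell
# Added example: audit Azure Key Vault key age and certificate expiry.
# Not the page's or vendor's own code. Sample objects are constructed so the
# check runs offline; see the commented live invocation at the bottom.
# Assumption: Az.KeyVault is installed and Connect-AzAccount has been run
# before the live call is made.

function Test-KeyVaultKeyHygiene {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Keys,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Certificates,
        [int]      $MaxKeyAgeDays = 365,   # annual rotation policy
        [int]      $CertWarnDays  = 30,    # renewal lead time before outage
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($k in $Keys) {
        # Get-AzKeyVaultKey (without -IncludeVersions) returns the current key
        # version, so its Created timestamp is the date of the last rotation.
        $ageDays = [int]($Now - $k.Created).TotalDays
        if ($ageDays -gt $MaxKeyAgeDays) {
            $findings.Add([pscustomobject]@{
                Object = 'Key'; Name = $k.Name; Severity = 'High'
                Detail = "Current version is $ageDays days old; policy requires rotation every $MaxKeyAgeDays days"
            })
        }
        if (-not $k.Expires) {
            # A key with no expiry never forces anyone to make a rotation decision.
            $findings.Add([pscustomobject]@{
                Object = 'Key'; Name = $k.Name; Severity = 'Medium'
                Detail = 'No expiration date set'
            })
        }
        elseif ($k.Expires -lt $Now) {
            # Expired but still present: rotation was not completed and the old
            # version was neither disabled nor destroyed.
            $findings.Add([pscustomobject]@{
                Object = 'Key'; Name = $k.Name; Severity = 'High'
                Detail = "Expired on $($k.Expires.ToString('yyyy-MM-dd')) but still enabled"
            })
        }
    }

    foreach ($c in $Certificates) {
        if (-not $c.Expires) { continue }   # Key Vault certs always carry Expires; guard anyway
        $daysLeft = [int]($c.Expires - $Now).TotalDays
        if ($daysLeft -lt 0) {
            $findings.Add([pscustomobject]@{
                Object = 'Certificate'; Name = $c.Name; Severity = 'Critical'
                Detail = "Expired $(-$daysLeft) days ago; dependent services are likely down"
            })
        }
        elseif ($daysLeft -le $CertWarnDays) {
            $findings.Add([pscustomobject]@{
                Object = 'Certificate'; Name = $c.Name; Severity = 'High'
                Detail = "Expires in $daysLeft days; renew before the lead time runs out"
            })
        }
    }

    return $findings
}

# --- Constructed sample data (hypothetical names) so the check runs offline ---
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sampleKeys = @(
    [pscustomobject]@{ Name = 'sql-tde-kek';  Created = $now.AddDays(-400); Expires = $now.AddDays(-35) }
    [pscustomobject]@{ Name = 'backup-wrap';  Created = $now.AddDays(-90);  Expires = $null }
    [pscustomobject]@{ Name = 'app-signing';  Created = $now.AddDays(-30);  Expires = $now.AddDays(335) }
)
$sampleCerts = @(
    [pscustomobject]@{ Name = 'vpn-gateway';  Expires = $now.AddDays(12) }
    [pscustomobject]@{ Name = 'intranet-web'; Expires = $now.AddDays(-3) }
    [pscustomobject]@{ Name = 'smtp-relay';   Expires = $now.AddDays(200) }
)

Test-KeyVaultKeyHygiene -Keys $sampleKeys -Certificates $sampleCerts -Now $now |
    Sort-Object Severity | Format-Table -AutoSize

# Live use against a real vault (hypothetical vault name):
# $vault = 'kv-prod-cui'
# Test-KeyVaultKeyHygiene -Keys (Get-AzKeyVaultKey -VaultName $vault) `
#                         -Certificates (Get-AzKeyVaultCertificate -VaultName $vault)
```

Against the sample data the function reports sql-tde-kek twice (over the 365-day limit and already expired), backup-wrap once (no expiry set), intranet-web as Critical and vpn-gateway as High, while app-signing and smtp-relay produce no findings. Scheduling this as a daily job and feeding the output into a ticketing system turns "keys never rotated" and "expired certificates causing outages" from audit findings into routine work items, and the run log doubles as evidence that the rotation schedule is monitored.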
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | SC-12 |
| PCI DSS | Req 3.5 - Protect cryptographic keys used for encryption of stored data |
Need Help Implementing 3.13.10?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment