System and Communications Protection 3.13.10

Establish and manage cryptographic keys for cryptography employed in organizational systems.


What Is This CMMC Control?

This control requires organizations to establish formal processes for creating, distributing, storing, rotating, and destroying cryptographic keys used to protect CUI. Organizations must define how keys are generated, who has access to them, how they are backed up, when they expire, and how they are securely destroyed. This includes keys for encryption at rest, encryption in transit, digital signatures, and authentication mechanisms. The control focuses on the lifecycle management of cryptographic material, not just its use.

Control Intent

To ensure cryptographic keys are properly managed throughout their lifecycle to maintain the confidentiality, integrity, and authenticity of CUI protected by cryptographic mechanisms.

Who This Control Applies To

  • Organizations that use encryption to protect CUI at rest or in transit
  • Systems that employ digital signatures or cryptographic authentication
  • Cloud service providers managing encryption keys for CUI
  • Organizations using certificate-based authentication or PKI infrastructure
  • Systems with encrypted databases, file systems, or storage volumes
  • Organizations using VPNs, TLS/SSL, or other cryptographic protocols
  • Mobile device management systems using encryption
  • Backup and recovery systems that encrypt CUI

Not Applicable When

  • The organization does not process, store, or transmit CUI
  • All CUI is protected exclusively through physical or administrative controls without cryptographic mechanisms
  • The organization relies entirely on FedRAMP-authorized cloud services where the CSP manages all cryptographic keys and the organization has no key management responsibilities
  • Cryptographic functions are performed exclusively by external service providers with no organizational key management requirements

Key Objectives

  1. Establish documented procedures for cryptographic key generation, distribution, storage, rotation, and destruction
  2. Ensure cryptographic keys are managed in accordance with federal standards and organizational requirements
  3. Protect cryptographic keys from unauthorized access, disclosure, modification, or destruction throughout their lifecycle
  4. Maintain the effectiveness of cryptographic protections by ensuring keys are properly managed and periodically refreshed

Sample Self-Assessment Questions (Partial)

Does your organization use encryption to protect CUI anywhere in your environment?

Who is responsible for managing encryption keys in your organization?

Implementation Approaches (High-Level)

Enterprise Key Management System (KMS)

Centralized key management platform that automates key generation, distribution, rotation, and destruction across the enterprise

Cloud Provider Managed Encryption with Customer-Managed Keys

Leverage cloud provider encryption services while maintaining control over key management through customer-managed keys (CMK)

Certificate and PKI Management System

Formal public key infrastructure for managing digital certificates and asymmetric key pairs used for authentication, signing, and encryption

Database Transparent Data Encryption (TDE) with Key Management

Database-level encryption with formal key management for master encryption keys and data encryption keys

Hardware Security Module (HSM) for High-Value Keys

Dedicated hardware device that generates, stores, and uses cryptographic keys inside a tamper-resistant boundary, so that private and secret keys are never exported in plaintext, validated under FIPS 140-2 or FIPS 140-3 at Level 2 or higher

Documented Manual Key Management Procedures

Formal written procedures for manual key management when automated solutions are not feasible, typically for small environments or legacy systems

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If no key management procedures exist, prioritize documenting current practices and identifying gaps as a first step
  • For organizations with multiple cryptographic mechanisms, phase the POA&M by system criticality and CUI sensitivity
  • Consider quick wins such as enabling automatic key rotation in a cloud KMS before tackling complex legacy systems
  • If an HSM is required but not affordable, document compensating controls such as enhanced access controls and monitoring
  • For manual key management, focus on documentation and training before implementing automated solutions
  • Address key rotation for long-lived keys as a high priority, especially if keys have never been rotated
  • If keys are stored insecurely, prioritize moving them to protected storage (KMS, HSM, encrypted vaults)
  • For cloud migrations, plan the key management strategy early to avoid rework
  • Consider consolidating key management platforms to reduce complexity and cost
  • If separation of duties is lacking, implement role-based access controls as an interim step
  • For legacy systems with hard-coded keys, plan for application refactoring or replacement in the POA&M
  • Document interim monitoring and alerting as compensating controls while implementing long-term solutions

Frequently Asked Questions

What is the difference between key management and encryption?

Encryption is the process of using cryptographic keys to protect data. Key management is the process of securely creating, storing, distributing, rotating, and destroying those keys throughout their lifecycle. This control focuses on managing the keys themselves, not on the encryption process. Poor key management can undermine even the strongest encryption.

Do we need to manage keys if we use cloud encryption?

Yes, even when using cloud encryption, you must ensure keys are properly managed. If you use cloud provider default keys, you should verify the provider's key management practices meet CMMC requirements. For higher assurance, use customer-managed keys (CMK or BYOK) where you control key policies, rotation, and access. The shared responsibility model determines which key management activities you must perform versus those handled by the cloud provider.

How often should encryption keys be rotated?

Key rotation frequency depends on the type of key, how much data it protects, how exposed it is, and organizational risk tolerance. NIST SP 800-57 Part 1 frames this as a cryptoperiod and distinguishes the period during which a key may be used to protect new data (originator usage) from the longer period during which it may still be used to process data already protected under it (recipient usage). Commonly cited figures are on the order of one to two years for symmetric data-encryption keys, one to three years for private signing keys, and a single session for session keys. Key-encryption keys at the top of a key hierarchy can be rotated more often and more cheaply, because rotating them only requires rewrapping the data keys beneath them rather than re-encrypting the data. Your key management procedures should define a rotation schedule per key type based on risk assessment and compliance requirements, and record when each key was last rotated so that overdue keys are visible.

What happens if we lose access to our encryption keys?

Loss of encryption keys typically means permanent loss of access to encrypted data. This is why key backup and recovery procedures are critical components of key management. You must balance the need for key availability (through backups) with the need for key security (protecting backups from unauthorized access). Key escrow, split knowledge (dividing a key into shares held by separate custodians so that a defined quorum is required to reconstruct it), and HSM-based key replication are common approaches to key recovery.

Can the same encryption key be used across multiple systems?

Using the same key across multiple systems increases risk because compromise of one system exposes all systems using that key. Best practice is to use unique keys per system or data classification. However, some scenarios (like master keys in a key hierarchy) may justify shared keys if properly managed. Your key management procedures should address key scope and justify any key sharing based on risk assessment.
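The key hierarchy this answer and the rotation answer describe (a master key or key-encryption key held in a KMS or HSM wrapping the data-encryption keys that actually protect records, as in the TDE approach listed under implementation approaches) is easiest to see in code. The following Go program is an added example for this page, not code from NIST SP 800-171 or from ConformatIQ. It stands in for a KMS with an in-memory keyring indexed by KEK version, uses AES-256-GCM from the standard library for both data encryption and key wrapping, and shows why rotating the master key does not require re-encrypting the data. The KEK, Record, Encrypt, Rewrap and Decrypt names are the example's own, and the sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KEK is the key-encryption ("master") key at the top of the hierarchy. In production
// it lives in a KMS or HSM; here it is an in-memory slice so the example runs offline.
type KEK struct {
	Version uint32
	Key     []byte // 32 bytes, AES-256
}

// Record holds data encrypted under a per-record DEK and that DEK wrapped under one
// named KEK version. Both blobs are nonce || AES-GCM output.
type Record struct {
	KEKVersion uint32
	WrappedDEK []byte
	Data       []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not recoverable here
	}
	return b
}

func NewKEK(version uint32) *KEK { return &KEK{Version: version, Key: randomBytes(32)} }

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // bad key length; every key here is 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal and open are AES-256-GCM with a fresh random nonce, laid out as nonce || ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// versionAAD binds a wrapped DEK to its KEK version so it cannot be re-labelled.
func versionAAD(v uint32) []byte { return binary.BigEndian.AppendUint32(nil, v) }

// Encrypt: fresh DEK per record, data under the DEK, DEK under the current KEK. The KEK never touches data.
func Encrypt(kek *KEK, plaintext []byte) *Record {
	dek := randomBytes(32)
	return &Record{
		KEKVersion: kek.Version,
		WrappedDEK: seal(kek.Key, dek, versionAAD(kek.Version)),
		Data:       seal(dek, plaintext, nil),
	}
}

// unwrapDEK uses whichever KEK version the record names; retired versions stay in the ring until rewrapped.
func unwrapDEK(ring map[uint32]*KEK, r *Record) ([]byte, error) {
	kek, ok := ring[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK v%d not in keyring (destroyed or never distributed)", r.KEKVersion)
	}
	return open(kek.Key, r.WrappedDEK, versionAAD(kek.Version))
}

func Decrypt(ring map[uint32]*KEK, r *Record) ([]byte, error) {
	dek, err := unwrapDEK(ring, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Data, nil)
}

// Rewrap rotates the KEK for one record: unwrap the DEK under the old KEK, wrap it
// under newKEK. The bulk ciphertext is untouched, so rotation is one small AEAD op.
func Rewrap(ring map[uint32]*KEK, newKEK *KEK, r *Record) error {
	dek, err := unwrapDEK(ring, r)
	if err != nil {
		return err
	}
	r.KEKVersion, r.WrappedDEK = newKEK.Version, seal(newKEK.Key, dek, versionAAD(newKEK.Version))
	return nil
}
```

The rotation sequence is: add the new KEK version to the keyring, call Rewrap on every record, and only then delete the old version. Deleting first leaves records whose DEK can no longer be unwrapped, which is the "lost key" failure mode described in the previous answer, and the error message from unwrapDEK is what that looks like in practice. Scoping one DEK per record also answers the question above: compromise of one DEK exposes one record, while the shared KEK is justified because it is never used on data and can be kept in an HSM.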

What is the difference between a key management system and a hardware security module?

A key management system (KMS) is software that manages the lifecycle of cryptographic keys, including generation, distribution, rotation, and destruction. A hardware security module (HSM) is a physical device that generates, stores, and uses keys inside tamper-resistant hardware so that they are never exposed in plaintext outside the device. HSMs provide higher assurance for key storage and cryptographic operations, while a KMS provides broader lifecycle management, access control, and auditing; many KMS products are themselves backed by an HSM that holds their root keys. Many organizations use both: an HSM for high-value keys and a KMS for broader key management across the environment.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2.