SA-9(6)

Organization-controlled Cryptographic Keys

System and Services Acquisition (SA)
Baselines
Low · Not included
Moderate · Not included
High · Not included
Description

Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.

Discussion

Maintaining exclusive control of cryptographic keys in an external system prevents decryption of organizational data by external system staff. Organizational control of cryptographic keys can be implemented by encrypting and decrypting data inside the organization as data is sent to and received from the external system or by employing a component that permits encryption and decryption functions to be local to the external system but allows exclusive organizational access to the encryption keys.

CSF 2.0 crosswalk

No CSF mappings exist for this control.