Cryptographic Key Management
Description
Establish and manage cryptographic keys used in the system.
⚠️ Risk Impact
Poor key management leads to encrypted data being compromised.
🔧 Remediation
Use cloud KMS services with automatic rotation. EchelonGraph checks key rotation policies.
💀 Real-World Attack Scenario
A government system used a single encryption key for all data across all environments (dev, staging, production) with no key rotation. When a developer accidentally committed the key to a public GitHub repository, ALL data across ALL environments was compromised. The key had not been rotated in 3 years.
💰 Cost of Non-Compliance
Key management failures in government systems average $4.8M per incident. SC-12 violations can result in loss of ATO. FIPS 140-2 validated key management is required for federal systems.
📋 Audit Questions
1. How are encryption keys generated, stored, and rotated?
2. What is the key rotation period?
3. Are keys stored in FIPS 140-2 validated HSMs?
4. How is key compromise detected and responded to?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Sharing encryption keys across environments
- ⛔ Key rotation policy exists but is not automated
- ⛔ Not using FIPS 140-2 validated key storage for government systems
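To make the remediation and the pitfalls above checkable, here is an added example (not EchelonGraph's code) that audits a constructed key inventory for disabled rotation, overdue rotation, and keys shared across environments; the one-year rotation limit, the field names, and the sample keys are assumptions.

```python
"""Audit a KMS key inventory for SC-12 rotation and environment-sharing issues."""
from dataclasses import dataclass, field
from datetime import date

# Assumed policy: every key must be rotated at least once a year.
MAX_ROTATION_AGE_DAYS = 365
# Fixed "today" so the example is reproducible offline.
TODAY = date(2024, 6, 1)


@dataclass
class KmsKey:
    """Minimal key metadata; real data would come from the cloud KMS API."""
    key_id: str
    rotation_enabled: bool
    last_rotated: date                      # creation date if never rotated
    environments: set = field(default_factory=set)  # envs that use this key


# Constructed sample inventory, including the shared, never-rotated key
# from the attack scenario above.
SAMPLE_KEYS = [
    KmsKey("key-prod-db", True, date(2024, 1, 15), {"production"}),
    KmsKey("key-shared", False, date(2021, 3, 1), {"dev", "staging", "production"}),
    KmsKey("key-stale", True, date(2022, 11, 30), {"staging"}),
]


def audit_key(key, today=TODAY, max_age_days=MAX_ROTATION_AGE_DAYS):
    """Return a list of findings for one key; an empty list means compliant."""
    findings = []
    if not key.rotation_enabled:
        findings.append("automatic rotation disabled")
    age = (today - key.last_rotated).days
    if age > max_age_days:
        # Catches keys whose rotation is configured but not actually happening.
        findings.append(f"last rotated {age} days ago (limit {max_age_days})")
    if len(key.environments) > 1:
        findings.append("shared across environments: " + ", ".join(sorted(key.environments)))
    return findings


def audit_inventory(keys, today=TODAY, max_age_days=MAX_ROTATION_AGE_DAYS):
    """Map each non-compliant key id to its findings."""
    report = {k.key_id: audit_key(k, today, max_age_days) for k in keys}
    return {key_id: f for key_id, f in report.items() if f}


if __name__ == "__main__":
    for key_id, findings in audit_inventory(SAMPLE_KEYS).items():
        print(key_id, "->", "; ".join(findings))
```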
📈 Business Value
Proper key management ensures encryption actually protects data. Without it, encryption is security theater. FIPS 140-2 validated key management is required for FedRAMP.
⏱️ Effort Estimate
8-16 hours for key management audit and policy implementation
EchelonGraph monitors key rotation policies and FIPS compliance
🔗 Cross-Framework References
Automate NIST 800-53 SC-12 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.