Ensure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs).
Protect Encryption Keys
CCC.Core.CN11 · Encryption
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.CP01 | Encryption in Transit Enabled by Default | The service automatically encrypts all data using industry-standard cryptographic protocols prior to transmission via a network interface. |
| CCC.Core.CP02 | Encryption at Rest Enabled by Default | The service automatically encrypts all data using industry-standard cryptographic protocols prior to being written to a storage medium. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.Core.TH18 | Encryption Key is Misused | Encryption keys may be used by an unauthorized entity due to inadequate key management practices or the compromise of a connected system. This could lead to the decryption of sensitive data, impacting its confidentiality and integrity. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.Core.CN11.AR01 | When encryption keys are used, the service MUST verify that all encryption keys use the latest industry-standard cryptographic algorithms. | tlp-amber, tlp-red |
| CCC.Core.CN11.AR02 | When encryption keys are used, the service MUST rotate active keys within 180 days of issuance. | tlp-amber |
| CCC.Core.CN11.AR03 | When encrypting data, the service MUST verify that customer-managed encryption keys (CMEKs) are used. | tlp-amber, tlp-red |
| CCC.Core.CN11.AR04 | When encryption keys are accessed, the service MUST verify that access to encryption keys is restricted to authorized personnel and services, following the principle of least privilege. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.Core.CN11.AR05 | When encryption keys are used, the service MUST rotate active keys within 365 days of issuance. | tlp-clear, tlp-green |
| CCC.Core.CN11.AR06 | When encryption keys are used, the service MUST rotate active keys within 90 days of issuance. | tlp-red |
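
The rotation windows (AR02, AR05, AR06) and the CMEK requirement (AR03) can be checked mechanically against a key inventory. The sketch below is an added example, not part of the control catalog; the inventory field names (`tlp`, `issued`, `active`, `customer_managed`) and the sample keys are constructed assumptions. AR01 and AR04 are not covered, because the page gives no algorithm allow-list or access policy to test against.

```python
from datetime import date

# Maximum age of an active key in days, per TLP level, and the requirement
# that sets it: AR06 (tlp-red), AR02 (tlp-amber), AR05 (tlp-clear, tlp-green).
ROTATION = {
    "tlp-red": (90, "AR06"),
    "tlp-amber": (180, "AR02"),
    "tlp-green": (365, "AR05"),
    "tlp-clear": (365, "AR05"),
}
CMEK_REQUIRED = {"tlp-amber", "tlp-red"}  # applicability of AR03


def assess_key(key, today):
    """Return the CCC.Core.CN11 requirement IDs that this key record fails."""
    tlp = key["tlp"]
    if tlp not in ROTATION:
        raise ValueError(f"unknown TLP level: {tlp!r}")
    age_days = (today - key["issued"]).days
    if age_days < 0:
        raise ValueError(f"key {key['id']} has an issuance date in the future")
    max_days, requirement = ROTATION[tlp]
    findings = []
    # "Within N days of issuance": a key aged exactly N days still passes.
    if key["active"] and age_days > max_days:
        findings.append(f"CCC.Core.CN11.{requirement}")
    if tlp in CMEK_REQUIRED and not key["customer_managed"]:
        findings.append("CCC.Core.CN11.AR03")
    return findings


def assess_inventory(keys, today):
    """Map each key ID to its list of failed requirement IDs."""
    return {key["id"]: assess_key(key, today) for key in keys}


# Constructed sample inventory (hypothetical key records, not real data).
SAMPLE_KEYS = [
    {"id": "k-red", "tlp": "tlp-red", "issued": date(2025, 3, 1),
     "active": True, "customer_managed": True},
    {"id": "k-amber", "tlp": "tlp-amber", "issued": date(2025, 3, 1),
     "active": True, "customer_managed": False},
    {"id": "k-green", "tlp": "tlp-green", "issued": date(2024, 9, 1),
     "active": True, "customer_managed": False},
    {"id": "k-retired", "tlp": "tlp-clear", "issued": date(2023, 1, 1),
     "active": False, "customer_managed": False},
]

if __name__ == "__main__":
    for key_id, failed in assess_inventory(SAMPLE_KEYS, date(2025, 7, 1)).items():
        print(key_id, failed or "pass")
```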