Ensure that encryption and authentication certificates have a limited lifetime to reduce the risk of compromise and ensure the use of up-to-date security practices.
Core / Ccc / Controls / v2025.10
Minimize Lifetime of Encryption and Authentication Certificates
CCC.Core.CN13 · Encryption
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.CP01 | Encryption in Transit Enabled by Default | The service automatically encrypts all data using industry-standard cryptographic protocols prior to transmission via a network interface. |
| CCC.Core.CP02 | Encryption at Rest Enabled by Default | The service automatically encrypts all data using industry-standard cryptographic protocols prior to being written to a storage medium. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.Core.TH18 | Encryption Key is Misused | Encryption keys may be used by an unauthorized entity due to inadequate key management practices or the compromise of a connected system. This could lead to the decryption of sensitive data, impacting its confidentiality and integrity. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.Core.CN13.AR01 | When a port is exposed that uses certificate-based encryption, the service MUST only use valid, unexpired certificates issued by a trusted certificate authority. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.Core.CN13.AR02 | When a port is exposed that uses certificate-based encryption, the service MUST rotate active certificates within 180 days of issuance. | tlp-amber |
| CCC.Core.CN13.AR03 | When a port is exposed that uses certificate-based encryption, the service MUST rotate active certificates within 90 days of issuance. | tlp-red |