Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
Explanation
A comprehensive cryptographic lifecycle management process ensures that digital certificates, encryption keys, and authentication credentials are properly issued, tracked, rotated, and revoked when necessary.
This prevents unauthorized access through compromised or expired credentials and maintains the integrity of encrypted communications and data. Organizations should maintain an inventory of all cryptographic assets, implement automated rotation schedules, establish secure key storage mechanisms, and have clear procedures for emergency revocation.
Evidence could include a documented key management policy, certificate inventory reports, screenshots of a certificate management system, logs showing regular key rotation activities, or a process diagram showing the credential lifecycle workflow.
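The inventory-plus-rotation-schedule part of the explanation above is easiest to see as a small check that runs over a credential inventory. The following is an added example, not code from the page or from any particular certificate management product; the asset fields, status names and the sample inventory are all constructed for illustration, and a real deployment would read the inventory from the organization's own system of record rather than from an in-file list.

```python
from dataclasses import dataclass
from datetime import date

# Constructed record for one inventoried cryptographic asset (assumed schema).
@dataclass
class CryptoAsset:
    name: str
    kind: str            # "certificate", "key" or "token"
    issued: date
    expires: date
    max_age_days: int    # rotation policy: rotate before the asset reaches this age
    revoked: bool = False


def classify(asset: CryptoAsset, today: date, warn_days: int = 30) -> str:
    """Return a lifecycle status for one asset as of `today`.

    Precedence: a revoked asset is reported as revoked regardless of dates,
    an expired one as expired, then overdue rotation, then imminent expiry.
    """
    if asset.revoked:
        return "revoked"
    if today >= asset.expires:
        return "expired"
    age_days = (today - asset.issued).days
    if age_days >= asset.max_age_days:
        return "rotate-overdue"
    if (asset.expires - today).days <= warn_days:
        return "expiring-soon"
    return "ok"


def evaluate_inventory(assets, today: date, warn_days: int = 30) -> dict:
    """Map every asset name in the inventory to its lifecycle status."""
    return {a.name: classify(a, today, warn_days) for a in assets}


def needs_action(report: dict) -> list:
    """Names of assets that require rotation, renewal or cleanup, sorted."""
    return sorted(name for name, status in report.items() if status != "ok")


# Constructed sample inventory; dates and names are illustrative only.
SAMPLE_INVENTORY = [
    CryptoAsset("web-tls-cert", "certificate", date(2024, 1, 1), date(2024, 12, 31), 398),
    CryptoAsset("api-signing-key", "key", date(2023, 1, 1), date(2025, 1, 1), 365),
    CryptoAsset("legacy-vpn-cert", "certificate", date(2022, 6, 1), date(2024, 5, 15), 730),
    CryptoAsset("svc-token-old", "token", date(2024, 5, 1), date(2024, 6, 20), 90),
    CryptoAsset("compromised-key", "key", date(2024, 3, 1), date(2025, 3, 1), 365, revoked=True),
]

# Fixed "today" so the sample run is reproducible offline.
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    report = evaluate_inventory(SAMPLE_INVENTORY, TODAY)
    for name, status in sorted(report.items()):
        print(f"{name:20s} {status}")
    print("action required:", needs_action(report))
```

Running this once a day and keeping its output is one concrete form of the "logs showing regular key rotation activities" evidence mentioned below: the report lists every asset with its status, and the non-"ok" entries are the rotation and revocation work items for that day.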
Implementation Example
Issue, manage, and revoke cryptographic certificates and identity tokens, cryptographic keys (i.e., key management), and other credentials
ID: PR.AA-01.195
Context
- Function: PR: PROTECT
- Category: PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category: Identities and credentials for authorized users, services, and hardware are managed by the organization
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?
- Has your organization implemented multifactor authentication (MFA) for all user access to systems containing sensitive data?