PR.AA-01.195

Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?

Explanation

A comprehensive cryptographic lifecycle management process ensures that digital certificates, encryption keys, and authentication credentials are properly issued, tracked, rotated, and revoked when necessary. This prevents unauthorized access due to compromised or expired credentials and maintains the integrity of encrypted communications and data.

Organizations should maintain an inventory of all cryptographic assets, implement automated rotation schedules, establish secure key storage mechanisms, and have clear procedures for emergency revocation. Evidence could include a documented key management policy, certificate inventory reports, screenshots of a certificate management system, logs showing regular key rotation activities, or a process diagram showing the credential lifecycle workflow.

Implementation Example

Issue, manage, and revoke cryptographic certificates and identity tokens, cryptographic keys (i.e., key management), and other credentials

ID: PR.AA-01.195

Context

Function
PR: PROTECT
Category
PR.AA: Identity Management, Authentication, and Access Control
Sub-Category
Identities and credentials for authorized users, services, and hardware are managed by the organization

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub