Protect Encryption Keys | CCC

Skip to main content

CCC.Core.CN11: Protect Encryption Keys

Control ID:CCC.Core.CN11

Title:Protect Encryption Keys

Objective:Ensure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs).

Control Family:

Data

Related Threats

ID	Title	Description	External Mappings	Capability Mappings	Control Mappings
CCC.Core.TH16	Publications are Disabled	Publication of events, metrics, and runtime logs may be disabled, leading to a lack of expected security and operational information being shared. This can impact system availability by delaying the detection of incidents while also impacting system design decisions and enforcement of operational thresholds, such as autoscaling or cost management.	1	1	0

Related Capabilities

ID	Title	Description
CCC.Core.CP09	Metrics Publication	The service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources.
CCC.Core.CP10	Log Publication	The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service.

Guideline Mappings

Reference ID	Entry ID	Strength	Remarks
CCM	CEK-08	3	CSC Key Management Capability (must provide the capability to self-manage keys)
CCM	CEK-10	10	Key Generation (using industry accepted cryptographic libraries)
CCM	CEK-12	10	Key Rotation

Assessment Requirements

ID	Description	Applicability
CCC.Core.CN11.AR01	When encryption keys are used, the service MUST verify that all encryption keys use the latest industry-standard cryptographic algorithms.	tlp-amber tlp-red
CCC.Core.CN11.AR02	When encryption keys are used, the service MUST rotate active keys within 180 days of issuance.	tlp-amber
CCC.Core.CN11.AR03	When encrypting data, the service MUST verify that customer-managed encryption keys (CMEKs) are used.	tlp-amber tlp-red
CCC.Core.CN11.AR04	When encryption keys are accessed, the service MUST verify that access to encryption keys is restricted to authorized personnel and services, following the principle of least privilege.	tlp-clear tlp-green tlp-amber tlp-red
CCC.Core.CN11.AR05	When encryption keys are used, the service MUST rotate active keys within 365 days of issuance.	tlp-clear tlp-green
CCC.Core.CN11.AR06	When encryption keys are used, the service MUST rotate active keys within 90 days of issuance.	tlp-red