NIST 800-53 r5 · Controls catalogue · Family SC
SC-12 Cryptographic Key Establishment and Management
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (3)
- aws-config-cmk-backing-key-rotation-enabled · KMS customer-managed key rotation is enabled · AWS::KMS::Key · partial
- aws-config-eks-cluster-secrets-encrypted · EKS cluster encrypts Kubernetes secrets at rest with KMS · AWS::EKS::Cluster · partial
- azure-mcsb-keyvault-key-rotation · Key Vault keys have rotation policy configured · Microsoft.KeyVault/vaults/keys · partial
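The two AWS checks above can be reproduced offline against exported inventory. The following is an added example (not AWS Config rule source and not from this catalogue); the records are constructed to follow the shape of boto3 responses (`kms.describe_key()["KeyMetadata"]`, `kms.get_key_rotation_status()`, `eks.describe_cluster()["cluster"]`), and the key IDs, ARNs and cluster names are made up. The Azure Key Vault check is not covered here.

```python
"""Offline evaluators mirroring the two AWS implementations listed above.

Added example, not AWS Config rule source.  Sample records are constructed
to follow the shape of boto3 responses; nothing here talks to AWS.
"""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_kms_key(metadata: dict, rotation_status: dict) -> str:
    """Scoping of cmk-backing-key-rotation-enabled.

    KMS automatic rotation exists only for symmetric customer-managed keys:
    AWS-managed keys rotate on AWS's own schedule, and asymmetric / HMAC key
    specs cannot be auto-rotated at all, so those are NOT_APPLICABLE rather
    than failures.  Keys already scheduled for deletion are skipped too.
    """
    if metadata.get("KeyManager") != "CUSTOMER":
        return NOT_APPLICABLE
    if metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
        return NOT_APPLICABLE
    if metadata.get("KeyState") in ("PendingDeletion", "PendingReplicaDeletion"):
        return NOT_APPLICABLE
    if rotation_status.get("KeyRotationEnabled") is True:
        return COMPLIANT
    return NON_COMPLIANT


def evaluate_eks_cluster(cluster: dict) -> str:
    """Scoping of eks-cluster-secrets-encrypted.

    Envelope encryption of Secrets is on only when encryptionConfig carries an
    entry whose resources include "secrets" and whose provider names a KMS key
    ARN.  An empty list, or an entry without a keyArn, means etcd holds the
    Secrets in cleartext.
    """
    for cfg in cluster.get("encryptionConfig") or []:
        key_arn = (cfg.get("provider") or {}).get("keyArn") or ""
        resources = cfg.get("resources") or []
        if "secrets" in resources and key_arn.startswith("arn:") and ":kms:" in key_arn:
            return COMPLIANT
    return NON_COMPLIANT


# Constructed sample inventory (assumption for the demo, not real account data).
KMS_KEYS = [
    ({"KeyId": "1111-symmetric-rotating", "KeyManager": "CUSTOMER",
      "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, {"KeyRotationEnabled": True}),
    ({"KeyId": "2222-symmetric-static", "KeyManager": "CUSTOMER",
      "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, {"KeyRotationEnabled": False}),
    ({"KeyId": "3333-rsa-signing", "KeyManager": "CUSTOMER",
      "KeySpec": "RSA_4096", "KeyState": "Enabled"}, {"KeyRotationEnabled": False}),
    ({"KeyId": "4444-aws-managed", "KeyManager": "AWS",
      "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, {"KeyRotationEnabled": True}),
]

EKS_CLUSTERS = [
    {"name": "prod", "encryptionConfig": [
        {"resources": ["secrets"],
         "provider": {"keyArn": "arn:aws:kms:us-east-1:123456789012:key/1111-symmetric-rotating"}}]},
    {"name": "dev", "encryptionConfig": []},
]


def run_checks() -> dict:
    """Evaluate every sample resource and return {resource: verdict}."""
    findings = {}
    for meta, rot in KMS_KEYS:
        findings["kms/" + meta["KeyId"]] = evaluate_kms_key(meta, rot)
    for cluster in EKS_CLUSTERS:
        findings["eks/" + cluster["name"]] = evaluate_eks_cluster(cluster)
    return findings


if __name__ == "__main__":
    for resource, verdict in run_checks().items():
        print(f"{verdict:15} {resource}")
```

Both checks are gates, not a full key-management assessment: the rotation check only confirms that automatic rotation is switched on, not what the rotation period is, and the EKS check confirms that a KMS key is configured for Secrets, not who can use that key. That is why the catalogue marks all three implementations as partial coverage of SC-12.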
ATT&CK techniques this control mitigates (10)
- T1072 Software Deployment Tools Execution, Lateral Movement
- T1098.004 SSH Authorized Keys Persistence, Privilege Escalation
- T1552 Unsecured Credentials Credential Access
- T1552.001 Credentials In Files Credential Access
- T1552.002 Credentials in Registry Credential Access
- T1552.004 Private Keys Credential Access
- T1563.001 SSH Hijacking Lateral Movement
- T1573 Encrypted Channel Command and Control
- T1573.001 Symmetric Cryptography Command and Control
- T1573.002 Asymmetric Cryptography Command and Control
Weaknesses this control addresses (10) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces the exploitability of each weakness class; it is a mitigation that depends on the organization-defined requirements actually being followed, not a guarantee that the weakness cannot occur.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-319 | Cleartext Transmission of Sensitive Information | 1,042 | Key-establishment procedures specify protected distribution channels (key agreement or key wrapping), so key material is not sent in cleartext. |
| CWE-312 | Cleartext Storage of Sensitive Information | 915 | Key-management policy requires protected storage of key material (a KMS, an HSM, or keys wrapped at rest), so keys are not stored in cleartext. |
| CWE-326 | Inadequate Encryption Strength | 513 | Establishment procedures require keys of adequate length and strength for the chosen algorithm. |
| CWE-330 | Use of Insufficiently Random Values | 420 | Key generation under controlled management uses approved random-bit sources rather than insufficiently random values. |
| CWE-321 | Use of Hard-coded Cryptographic Key | 277 | Managed key establishment supplies keys from a key store at run time, so static keys do not have to be embedded in source code or binaries. |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 202 | Key-management standards require a cryptographically strong PRNG (or approved DRBG) for key material, ruling out weak generators. |
| CWE-331 | Insufficient Entropy | 141 | Approved key-establishment methods require sufficient entropy at generation time, so entropy-starved keys are not produced. |
| CWE-340 | Generation of Predictable Numbers or Identifiers | 39 | Controlled key-establishment processes produce unpredictable key values rather than values derived from observable or guessable state. |
| CWE-324 | Use of a Key Past its Expiration Date | 19 | Key-management requirements enforce lifecycle controls (cryptoperiods, rotation, destruction) that prevent continued use of expired or superseded keys. |
| CWE-332 | Insufficient Entropy in PRNG | 12 | Managed key generation relies on PRNGs seeded and operated with adequate entropy. |
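The lifecycle requirements in the table (approved randomness, adequate key size, no keys in source, expiry and destruction enforced) can be shown in one small key ring. This is an added example, written for this page; it is not code from NIST or from any vendor listed above. It uses only the Python standard library, signs with HMAC-SHA-256 as the stand-in for "using" a key, and the purpose names, lifetimes and the controllable `FakeClock` are assumptions made for the demonstration.

```python
"""Minimal key lifecycle manager for the weaknesses in the table above.

Added example, not from NIST or any vendor.  Keys come from the OS CSPRNG via
`secrets` (CWE-330/331/338/340), are sized for HMAC-SHA-256 (CWE-326), are
never written into source (CWE-321), and carry an expiry and a state so that
expired or destroyed keys cannot be used (CWE-324).  FakeClock, the purpose
names and the lifetimes are assumptions for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# SP 800-107 guidance for HMAC: key at least as long as the hash output.
MIN_KEY_BYTES = 32


@dataclass
class ManagedKey:
    key_id: str
    material: Optional[bytes]      # None once destroyed
    created: datetime
    expires: datetime
    state: str = "active"          # active -> deprecated -> destroyed


class KeyRing:
    """One 'active' key per purpose for new signatures; deprecated keys are kept
    until expiry so tokens issued before a rotation still verify."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._keys = {}       # key_id -> ManagedKey
        self._current = {}    # purpose -> active key_id

    def generate(self, purpose: str, lifetime: timedelta = timedelta(days=90)) -> str:
        """Create a fresh key for `purpose`; any previous active key is demoted."""
        now = self._clock()
        key_id = f"{purpose}-{secrets.token_hex(8)}"
        material = secrets.token_bytes(MIN_KEY_BYTES)   # OS CSPRNG, never a literal
        self._keys[key_id] = ManagedKey(key_id, material, now, now + lifetime)
        if purpose in self._current:
            self._keys[self._current[purpose]].state = "deprecated"
        self._current[purpose] = key_id
        return key_id

    def rotate(self, purpose: str, lifetime: timedelta = timedelta(days=90)) -> str:
        """Rotation is generating the next key; the old one verifies until expiry."""
        return self.generate(purpose, lifetime)

    def _usable(self, key: ManagedKey) -> bool:
        # Destroyed (material gone) or past its cryptoperiod: not usable for anything.
        return key.material is not None and self._clock() < key.expires

    def sign(self, purpose: str, message: bytes) -> tuple[str, bytes]:
        """Return (key_id, tag); only the active, unexpired key may sign."""
        key = self._keys[self._current[purpose]]
        if key.state != "active" or not self._usable(key):
            raise RuntimeError(f"no active, unexpired key for {purpose!r}; rotate first")
        return key.key_id, hmac.new(key.material, message, hashlib.sha256).digest()

    def verify(self, key_id: str, message: bytes, tag: bytes) -> bool:
        """Accept active or deprecated keys, reject unknown, expired or destroyed ones."""
        key = self._keys.get(key_id)
        if key is None or not self._usable(key):
            return False
        expected = hmac.new(key.material, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)   # constant-time comparison

    def destroy(self, key_id: str) -> None:
        """Drop the material; the id stays so later verifies fail closed."""
        key = self._keys[key_id]
        if key.state == "active":
            raise RuntimeError("rotate before destroying the current key")
        key.material = None   # Python cannot zero memory; a real KMS/HSM would
        key.state = "destroyed"


class FakeClock:
    """Controllable clock so the demo can step past a key's expiry (assumption)."""

    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now


def demo() -> dict:
    """Walk one key through issue, rotate, expire and destroy; return the checks."""
    clock = FakeClock(datetime(2026, 1, 1, tzinfo=timezone.utc))
    ring = KeyRing(clock)
    msg = b"user=alice;role=admin"
    k1 = ring.generate("session-token", lifetime=timedelta(days=30))
    kid, tag = ring.sign("session-token", msg)
    out = {"fresh_ok": ring.verify(kid, msg, tag),
           "tampered": ring.verify(kid, b"user=alice;role=root", tag)}
    k2 = ring.rotate("session-token")                    # 90-day default lifetime
    out["old_tag_after_rotation"] = ring.verify(k1, msg, tag)
    out["new_tag_uses_new_key"] = ring.sign("session-token", msg)[0] == k2
    clock.now += timedelta(days=31)                       # past k1's expiry, within k2's
    out["expired_key_rejected"] = ring.verify(k1, msg, tag)
    ring.destroy(k1)
    out["destroyed_key_rejected"] = ring.verify(k1, msg, tag)
    out["current_key_still_signs"] = ring.sign("session-token", msg)[0] == k2
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:25} {result}")
```

The point of the deprecated state is the rotation overlap: tokens signed under the old key keep verifying until that key's cryptoperiod ends, after which the ring fails closed rather than silently accepting an expired key (CWE-324). Everything signed under a key that is about to expire must be re-issued under the active key before then; the ring does not re-sign on the caller's behalf.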
Top CVEs where this control is the strongest mitigation
| CVE | Risk score | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-13316 | 5.9 | 8.1 | 0.7168 | good |
| CVE-2025-57174 | 2.1 | 9.8 | 0.0151 | good |
| CVE-2025-67112 | 2.0 | 9.8 | 0.0015 | good |
| CVE-2026-26335 | 2.0 | 9.8 | 0.0057 | good |
| CVE-2025-34256 | 2.0 | 9.8 | 0.0021 | good |
| CVE-2025-15016 | 2.0 | 9.8 | 0.0015 | good |
| CVE-2025-59407 | 2.0 | 9.8 | 0.0012 | good |
| CVE-2026-23958 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2025-41702 | 2.0 | 9.8 | 0.0024 | good |
| CVE-2025-34198 | 2.0 | 9.8 | 0.0023 | good |
| CVE-2025-55619 | 2.0 | 9.8 | 0.0014 | good |
| CVE-2025-15618 | 1.8 | 9.1 | 0.0005 | good |
| CVE-2025-30095 | 1.8 | 9.0 | 0.0034 | good |
| CVE-2025-26340 | 1.8 | 8.8 | 0.0019 | good |
| CVE-2025-44963 | 1.8 | 9.0 | 0.0011 | good |
| CVE-2025-30234 | 1.7 | 8.3 | 0.0013 | good |
| CVE-2026-33072 | 1.6 | 8.2 | 0.0002 | good |
| CVE-2025-11899 | 1.6 | 8.1 | 0.0012 | good |
| CVE-2015-10148 | 1.6 | 8.2 | 0.0001 | good |
| CVE-2024-54027 | 1.6 | 8.2 | 0.0008 | good |
| CVE-2026-25726 | 1.6 | 8.1 | 0.0002 | good |
| CVE-2024-53522 | 1.6 | 7.5 | 0.0096 | good |
| CVE-2024-52881 | 1.5 | 7.5 | 0.0011 | good |
| CVE-2026-32324 | 1.5 | 7.7 | 0.0001 | good |
| CVE-2024-57432 | 1.5 | 7.5 | 0.0012 | good |