3.7.5 Retirement, replacement, or destruction of cryptographic keys

Defined Approach Requirements

3.7.5 Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when:

• The key has reached the end of its defined cryptoperiod.
• The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known.
• The key is suspected of or known to be compromised.

Retired or replaced keys are not used for encryption operations.

Customized Approach Objective

Keys are removed from active use when it is suspected or known that the integrity of the key is weakened.

Applicability Notes

If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key).

Defined Approach Testing Procedures

3.7.5.a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define retirement, replacement, or destruction of keys in accordance with all elements specified in this requirement.

3.7.5.b Interview personnel to verify that processes are implemented in accordance with all elements specified in this requirement.

Purpose

Keys that are no longer required, keys with weakened integrity, and keys that are known or suspected to be compromised, should be archived, revoked, and/or destroyed to ensure that the keys can no longer be used.

If such keys need to be kept (for example, to support archived encrypted data), they should be strongly protected.

Good Practice

Archived cryptographic keys should be used only for decryption/verification purposes.

The encryption solution should provide for and facilitate a process to replace keys that are due for replacement or that are known to be, or suspected of being, compromised. In addition, any keys that are known to be, or suspected of being, compromised should be managed in accordance with the entity's incident response plan per Requirement 12.10.1.

Further Information

Industry best practices for archiving retired keys are outlined in NIST SP 800-57 Part 1, Revision 5, Section 8.3.1, and includes maintaining the archive with a trusted third party and storing archived key information separately from operational data.