SA-9(6): Organization-controlled Cryptographic Keys
(Not part of any baseline)
Control is new to this version of the control set.
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
Because whoever holds a decryption key can read the data it protects, keeping cryptographic keys under exclusive organizational control prevents external system staff from decrypting organizational data stored in or transmitted through their system. Organizational control of cryptographic keys can be implemented in two ways: by encrypting data inside the organization before it is sent to the external system and decrypting it inside the organization after it is received, so that the external system only ever handles ciphertext; or by employing a component that performs encryption and decryption locally at the external system but gives the organization exclusive access to the encryption keys.
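The first implementation option above, shown as an added example that is not part of the control text and not a NIST artifact: the organization generates and holds an AES-256-GCM key (an assumed choice), encrypts each object locally before upload, and decrypts locally after download. The external system is modelled as an in-memory map that stores only nonce, ciphertext and tag; it never receives the key. The object name is bound in as associated data (an added design choice) so the provider cannot serve one object's ciphertext under another name without detection, and any provider-side modification fails the authentication check. All names, the storage model and the sample record are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Org holds the data encryption key. The key is generated and used only
// inside the organization and is never handed to the external system.
type Org struct {
	key []byte // 256-bit AES key (assumed key size for this example)
}

// ExternalSystem models the outside provider: it stores whatever bytes it
// is given and holds no key material at all.
type ExternalSystem struct {
	store map[string][]byte
}

// NewOrg generates a fresh random key inside the organization.
func NewOrg() (*Org, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return &Org{key: key}, nil
}

func NewExternalSystem() *ExternalSystem {
	return &ExternalSystem{store: make(map[string][]byte)}
}

func (o *Org) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(o.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts locally with AES-GCM, binding the ciphertext to the object
// name as associated data, then hands only nonce||ciphertext||tag to the
// external system.
func (o *Org) Upload(ext *ExternalSystem, name string, plaintext []byte) error {
	gcm, err := o.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	// Seal appends ciphertext and tag to the nonce so a single blob is stored.
	ext.store[name] = gcm.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Download fetches the blob and decrypts it locally. A modification by the
// external system, or the blob served under a different name, fails the
// GCM authentication check and yields an error instead of plaintext.
func (o *Org) Download(ext *ExternalSystem, name string) ([]byte, error) {
	blob, ok := ext.store[name]
	if !ok {
		return nil, errors.New("object not found")
	}
	gcm, err := o.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// Raw is all the provider's staff can read: the stored bytes as-is.
func (e *ExternalSystem) Raw(name string) []byte {
	return e.store[name]
}

// Tamper simulates a provider-side modification of a stored object.
func (e *ExternalSystem) Tamper(name string) {
	if b := e.store[name]; len(b) > 0 {
		b[len(b)-1] ^= 0x01
	}
}

func main() {
	org, err := NewOrg()
	if err != nil {
		panic(err)
	}
	ext := NewExternalSystem()
	// Constructed sample record; not real data.
	secret := []byte("constructed sample record: account 1234 balance 5000")
	if err := org.Upload(ext, "records/1.bin", secret); err != nil {
		panic(err)
	}
	fmt.Printf("provider can see plaintext: %v\n", bytes.Contains(ext.Raw("records/1.bin"), secret))
	pt, err := org.Download(ext, "records/1.bin")
	fmt.Printf("organization decrypts: %q (err=%v)\n", pt, err)
	ext.Tamper("records/1.bin")
	_, err = org.Download(ext, "records/1.bin")
	fmt.Printf("after provider tampering, decrypt error: %v\n", err)
}
```

The check a practitioner would add in a real deployment is the one this model makes explicit: the provider holds ciphertext only, so a compromise of, or insider at, the external system exposes no plaintext, while the organization retains the ability to rotate or destroy the key without the provider's cooperation.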