SC.L2-3.13.10 — Establish and manage cryptographic keys for cryptography employed in organizational systems.
What this control requires
Establish and manage cryptographic keys for cryptography employed in organizational systems.
Source: CMMC L2 v2.13 SC.L2-3.13.10 / NIST SP 800-171 R2 3.13.10 (official control text).
Why this matters
Cryptographic keys are the foundation of data confidentiality and integrity across your entire IT environment. Without proper key management, encrypted data becomes vulnerable — lost keys mean inaccessible systems, compromised keys mean breached secrets, and weak keys mean bypassed encryption. This control ensures keys are generated with sufficient entropy, rotated on defined schedules, stored in protected vaults or hardware security modules, and destroyed when no longer needed. Poor key hygiene turns strong encryption into security theater, exposing sensitive CUI to adversaries who can decrypt communications, forge signatures, or impersonate legitimate services.
What evidence assessors expect
Assessors typically look for: PDF, CSV export, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on SC.L2-3.13.10.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →