Aspects: 1
Controls: 10
Requirements: 12

| Aspect ID | Aspect Name | Control ID | Control Name | Requirement ID | Requirement | Level |
|---|---|---|---|---|---|---|
| 1.05 | Key Material Usage | 1.05.1 | Access Authentication to Key Material | 1.05.1.1 | Access to the operational key material requires an identifier and at least 2 (two) distinct types of authentication factors. | Level I |
| 1.05 | Key Material Usage | 1.05.1 | Access Authentication to Key Material | 1.05.1.2 | Access to the operational key material requires an identifier (e.g., username, email, GUID) and at least 3 (three) distinct types of authentication factors. | Level III |
| 1.05 | Key Material Usage | 1.05.2 | Operational Key Material Environment | 1.05.2.1 | Key material is only used within the CCSS Trusted Environment. | Level I |
| 1.05 | Key Material Usage | 1.05.2 | Operational Key Material Environment | 1.05.2.2 | The key material is isolated from other operating systems and application processes to avoid unauthorized access or leakage of key material. | Level I |
| 1.05 | Key Material Usage | 1.05.3 | Operator Reference Checks | 1.05.3.1 | All individual actors involved in operations with key material, or with the ability to impact the security of key generation, management, or usage have had their references checked prior to the actor being trusted with access to key material or operations. | Level I |
| 1.05 | Key Material Usage | 1.05.4 | Operator ID Checks | 1.05.4.1 | All individual actors involved in operations with key material, or with the ability to impact the security of key generation, management, usage, or storage have undergone identity verification to ensure they are who they say they are. These checks are conducted prior to the actor being trusted with access to key material. | Level I |
| 1.05 | Key Material Usage | 1.05.5 | Operator Background Checks | 1.05.5.1 | All individual actors involved in operations with key material, or with the ability to impact the security of key generation, management, usage, or storage have had background checks performed by law enforcement personnel or investigative firms. These checks are conducted prior to the actor being trusted with access to key material or operations and periodically; as allowed by local laws and regulations. | Level I |
| 1.05 | Key Material Usage | 1.05.6 | Key Management Training | 1.05.6.1 | All individuals involved in key management operations, or with the ability to impact the security of key material, complete specific applicable training. This training is to be conducted on hire, and conducted before the actor is trusted with access to key material, and then annually. | Level I |
| 1.05 | Key Material Usage | 1.05.7 | Key Management Responsibilities | 1.05.7.1 | Key management roles and responsibilities are formally acknowledged in writing by each person who has access to key material. This includes personnel who have been delegated key management responsibilities. | Level I |
| 1.05 | Key Material Usage | 1.05.8 | Spend Verification | 1.05.8.1 | Verification of fund destinations and amounts is performed via Approved Communication Channels prior to the use of key material. | Level II |