NIST 800-53 r5 · Controls catalogue · Family SC

SC-12 Cryptographic Key Establishment and Management

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this control. The verdict is the strongest single inbound mapping (overlapping partial mappings are not summed); the breadth figures show how many mappings corroborate it.

Collective verdict: mostly · 18 mappings from 3 frameworks: ASVS 5.0, 14 mappings (mostly) · CSF 2.0, 3 mappings (mostly) · OWASP-Web, 1 mapping (partial)

Implementations targeting this control (4)

ATT&CK techniques this control mitigates (10)

Weaknesses this control addresses (10)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-319 | Cleartext Transmission of Sensitive Information | 1,076 | Key-establishment procedures specify protected distribution channels, so key material is never transmitted in cleartext.
CWE-312 | Cleartext Storage of Sensitive Information | 935 | Key-management policy requires protected storage of key material (wrapped, in a vault or HSM), preventing cleartext storage of cryptographic keys.
CWE-326 | Inadequate Encryption Strength | 520 | Establishment procedures require selection and generation of keys with adequate length and strength for the chosen algorithm.
CWE-330 | Use of Insufficiently Random Values | 431 | Key generation under managed procedures uses approved random-bit sources rather than insufficiently random values.
CWE-321 | Use of Hard-coded Cryptographic Key | 302 | Defined generation, distribution and storage processes leave no role for static keys embedded in source code or binaries.
CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 224 | Key-management standards require cryptographically strong random-bit generators for key material, blocking use of weak PRNGs.
CWE-331 | Insufficient Entropy | 149 | Approved key-establishment methods mandate sufficient entropy during key generation, eliminating entropy-starved keys.
CWE-340 | Generation of Predictable Numbers or Identifiers | 48 | Managed key-establishment processes produce unpredictable key values rather than values derived from observable or guessable state.
CWE-324 | Use of a Key Past its Expiration Date | 20 | Key-management requirements enforce lifecycle controls (expiry, rotation, retirement) that prevent continued use of expired or superseded keys.
CWE-332 | Insufficient Entropy in PRNG | 13 | Managed key generation relies on generators seeded and operated with adequate entropy rather than an under-seeded PRNG.
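The table above lists the weakness classes that SC-12's lifecycle requirements (generation, distribution, storage, access, destruction) address. What follows is an added example, not code from this page, from NIST or from any of the cross-walked frameworks: a minimal key store, using only the Python standard library, that enforces those requirements end to end. Keys come from the OS CSPRNG (CWE-330/338/331), are held at rest only in wrapped form under a key-encryption key (CWE-312), are refused once past their expiry or after rotation (CWE-324), and are destroyed by dropping the material while keeping the state auditable. The HMAC-SHA256 counter-mode wrap is an assumption made so the block runs without third-party libraries; a deployment would use AES-KW or AES-GCM from a vetted library or an HSM. The key ids, the 256-bit length and the one-hour lifetime in `demo()` are illustrative, not values from the page.

```python
"""Key-lifecycle store illustrating SC-12 requirements (stdlib only; added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

KEY_LEN = 32    # 256-bit keys; shorter keys for AES/HMAC would fall under CWE-326
TAG_LEN = 32    # HMAC-SHA256 tag length
NONCE_LEN = 16  # fresh per wrap, so the keystream is never reused across keys


def new_kek() -> bytes:
    """Key-encryption key from the OS CSPRNG (stand-in for an HSM-held KEK)."""
    return secrets.token_bytes(KEY_LEN)


def _keystream(kek: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode. Assumption: a stand-in for a real key-wrap
    primitive (AES-KW / AES-GCM) so this block runs offline."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(kek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(kek: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC the key under the KEK: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


@dataclass
class KeyRecord:
    kid: str
    blob: bytes            # only the wrapped form is ever held at rest (CWE-312)
    created: float
    expires: float
    state: str = "active"  # active -> expired | retired -> destroyed


class KeyStore:
    """Generation, protected storage, access control, rotation and destruction."""

    def __init__(self, kek: bytes, max_age_s: float, clock: Callable[[], float] = time.time):
        if len(kek) != KEY_LEN:
            raise ValueError("KEK must be 256 bits")
        self._kek, self._max_age, self._clock = kek, max_age_s, clock
        self._keys: Dict[str, KeyRecord] = {}

    def generate(self, kid: str) -> None:
        if kid in self._keys:
            raise ValueError(f"key id {kid!r} already exists")
        key = secrets.token_bytes(KEY_LEN)  # OS CSPRNG, never random.random() (CWE-330/338)
        now = self._clock()
        self._keys[kid] = KeyRecord(kid, wrap(self._kek, key), now, now + self._max_age)

    def get(self, kid: str) -> bytes:
        """Release plaintext only for an active, unexpired key (CWE-324)."""
        rec = self._keys[kid]
        if rec.state == "active" and self._clock() >= rec.expires:
            rec.state = "expired"
        if rec.state != "active":
            raise PermissionError(f"key {kid!r} is {rec.state}")
        return unwrap(self._kek, rec.blob)

    def rotate(self, old_kid: str, new_kid: str) -> None:
        self.generate(new_kid)
        self._keys[old_kid].state = "retired"  # no further use via get(); material kept until destroy()

    def destroy(self, kid: str) -> None:
        rec = self._keys[kid]
        rec.blob = b""  # drop the material; the record stays so the lifecycle is auditable
        rec.state = "destroyed"

    def status(self, kid: str) -> str:
        return self._keys[kid].state


def demo() -> List[Tuple]:
    """Walk one key through the lifecycle with a fake clock; returns the event log."""
    clock = [0.0]
    store = KeyStore(new_kek(), max_age_s=3600, clock=lambda: clock[0])
    log: List[Tuple] = []
    store.generate("app-db-2026-07")                       # illustrative key id
    log.append(("generated", store.status("app-db-2026-07")))
    store.get("app-db-2026-07")                            # allowed: active and unexpired
    store.rotate("app-db-2026-07", "app-db-2026-08")
    log.append(("rotated", store.status("app-db-2026-07"), store.status("app-db-2026-08")))
    clock[0] += 3601                                       # past the one-hour lifetime
    try:
        store.get("app-db-2026-08")
    except PermissionError as exc:
        log.append(("refused", str(exc)))
    store.destroy("app-db-2026-07")
    log.append(("destroyed", store.status("app-db-2026-07")))
    return log


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The store never returns a key unless the record is active and the clock has not passed `expires`; a retired key stays in the store only so that it can be destroyed on schedule, and the integrity tag on the wrapped blob means a tampered record is rejected before any plaintext is derived.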

Top CVEs where this control is the strongest mitigation

CVE | Tags | Risk | CVSS | EPSS | Match
CVE-2025-3935 | KEV, UPD | 10.0 | 8.1 | 0.0329 | good
CVE-2023-27524 | KEV | 10.0 | 8.9 | 0.9740 | good
CVE-2019-6693 | KEV | 10.0 | 6.5 | 0.0566 | good
CVE-2019-18988 | KEV | 10.0 | 7.0 | 0.0475 | good
CVE-2017-9248 | KEV | 10.0 | 9.8 | 0.7510 | good
CVE-2016-4437 | KEV | 10.0 | 9.8 | 0.9314 | good
CVE-2023-34039 | | 8.0 | 9.8 | 0.6395 | good
CVE-2025-67112 | | 7.0 | 9.8 | 0.0040 | good
CVE-2026-26335 | | 7.0 | 9.8 | 0.0281 | good
CVE-2025-34256 | | 7.0 | 9.8 | 0.0059 | good
CVE-2025-15016 | | 7.0 | 9.8 | 0.0045 | good
CVE-2025-59407 | | 7.0 | 9.8 | 0.0052 | good
CVE-2025-15618 | | 7.0 | 9.1 | 0.0033 | good
CVE-2025-30095 | | 7.0 | 9.0 | 0.0048 | good
CVE-2026-23958 | | 7.0 | 9.8 | 0.0047 | good
CVE-2025-57174 | | 7.0 | 9.8 | 0.0122 | good
CVE-2025-41702 | UPD | 7.0 | 9.8 | 0.0049 | good
CVE-2025-34198 | | 7.0 | 9.8 | 0.0075 | good
CVE-2025-55619 | UPD | 7.0 | 9.8 | 0.0038 | good
CVE-2025-44963 | UPD | 7.0 | 9.0 | 0.0059 | good
CVE-2022-34045 | | 7.0 | 9.8 | 0.0242 | good
CVE-2024-55557 | | 7.0 | 9.8 | 0.0134 | good
CVE-2023-33242 | | 7.0 | 9.6 | 0.0109 | good
CVE-2022-20866 | | 6.0 | 7.4 | 0.1665 | good
CVE-2025-13316 | | 5.5 | 8.1 | 0.0265 | good
