
Release · v2026.06-rc4

FINOS-CCC/CCC.KeyMgmt.CN Control Catalog

FINOS-CCC/CCC.KeyMgmt.CN

Controls for Key Management technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1:
  $ grcli unpack --repository finos-ccc/ccc.keymgmt.cn --tag v2026.06-rc4
Coordinate:
  oci.grc.store/finos-ccc/ccc.keymgmt.cn:v2026.06-rc4
Manifest digest:
  sha256:63c649048f2417002a9560703ed93583678157bf5cc9aa6fd4e44423b9bda618

Provenance

1 layer

  Digest          Media type                                Size
  2d7cc112cd0c…   application/vnd.gemara.artifact.v1+yaml   7.2 KiB

Bundle config blob:
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.KeyMgmt.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.keymgmt.cn",
            "tag": "v2026.06-rc4"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26770748733",
          "GITHUB_SHA": "2b6dab4c1307a0ac67d90c99829f6c1825154c84",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/crypto/key/controls.yaml",
            "uri": "file://artifacts/crypto/key/controls.yaml",
            "digest": {
              "sha256": "2d7cc112cd0c20b822ecc4c9bbaf0ef0a36e2b10ff9a992849f1a5ab26510ccb"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@2b6dab4c1307a0ac67d90c99829f6c1825154c84",
            "digest": {
              "gitCommit": "2b6dab4c1307a0ac67d90c99829f6c1825154c84"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26770748733",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26770748733-1",
          "startedOn": "2026-06-01T17:28:13.786843762Z",
          "finishedOn": "2026-06-01T17:28:14.01902232Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "2d7cc112cd0c20b822ecc4c9bbaf0ef0a36e2b10ff9a992849f1a5ab26510ccb"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.KeyMgmt.CN",
      "role": "artifact"
    }
  ]
}
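The bundle config blob above is a provenance record: it names the build input, the source commit, the workflow run and the produced blob, and several of those values are recorded more than once (the catalog digest appears as a resolved dependency, as a byproduct and, truncated, in the layer table; the commit appears in the source URI, in the gitCommit digest and in GITHUB_SHA). The following is an added example, not part of grcli, grc.store or the FINOS CCC project, that cross-checks those copies against each other and against the pulled coordinate before a consumer trusts an unpacked catalog. The PROVENANCE dict is a constructed, trimmed copy of the page's values; the check names and verify_provenance() are this example's own.

```python
"""Cross-check a grcli bundle provenance record for internal consistency.

Added example, not part of grcli, grc.store or the FINOS CCC project. The values
below are copied from the page's bundle config blob and manifest listing; the
PROVENANCE dict is a constructed, trimmed copy of that blob, and the check names
and verify_provenance() are this example's own.
"""
from __future__ import annotations

import copy

# Values copied from the page's bundle config blob and manifest listing.
COMMIT = "2b6dab4c1307a0ac67d90c99829f6c1825154c84"
CATALOG_SHA256 = "2d7cc112cd0c20b822ecc4c9bbaf0ef0a36e2b10ff9a992849f1a5ab26510ccb"
MANIFEST_LAYER_PREFIX = "2d7cc112cd0c"      # truncated digest shown in the layer table
EXPECTED_REPOSITORY = "finos-ccc/ccc.keymgmt.cn"
EXPECTED_TAG = "v2026.06-rc4"

# Constructed copy of the provenance record (only the fields the checks read).
PROVENANCE = {
    "buildDefinition": {
        "externalParameters": {
            "artifact": {"id": "CCC.KeyMgmt.CN", "type": "ControlCatalog"},
            "target": {"registry": "oci.grc.store", "repository": "finos-ccc/ccc.keymgmt.cn", "tag": "v2026.06-rc4"},
        },
        "internalParameters": {"GITHUB_RUN_ATTEMPT": "1", "GITHUB_RUN_ID": "26770748733", "GITHUB_SHA": COMMIT},
        "resolvedDependencies": [
            {"name": "artifacts/crypto/key/controls.yaml", "uri": "file://artifacts/crypto/key/controls.yaml",
             "digest": {"sha256": CATALOG_SHA256}},
            {"name": "source", "uri": "git+https://github.com/eddie-knight/common-cloud-controls@" + COMMIT,
             "digest": {"gitCommit": COMMIT}},
        ],
    },
    "runDetails": {
        "builder": {"id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26770748733"},
        "metadata": {"invocationId": "26770748733-1", "startedOn": "2026-06-01T17:28:13.786843762Z",
                     "finishedOn": "2026-06-01T17:28:14.01902232Z"},
        "byproducts": [{"name": "controls.yaml", "digest": {"sha256": CATALOG_SHA256}}],
    },
}


def _ts_key(ts: str) -> tuple[str, str]:
    """Sortable key for RFC 3339 UTC timestamps whose fractional part varies in length."""
    base, _, frac = ts.rstrip("Z").partition(".")
    return (base, frac.ljust(9, "0"))


def verify_provenance(prov: dict, repository: str, tag: str, layer_prefix: str) -> list[str]:
    """Return the list of inconsistencies found; an empty list means every check passed."""
    findings: list[str] = []
    bd, rd = prov["buildDefinition"], prov["runDetails"]
    internal = bd["internalParameters"]
    deps = {d["name"]: d for d in bd["resolvedDependencies"]}
    byproducts = {b["name"]: b for b in rd["byproducts"]}
    # 1. The published catalog must be byte-identical to the input the build resolved.
    built = byproducts.get("controls.yaml", {}).get("digest", {}).get("sha256", "")
    source_file = deps.get("artifacts/crypto/key/controls.yaml", {}).get("digest", {}).get("sha256")
    if built != source_file:
        findings.append("byproduct digest differs from resolved input digest")
    # 2. The registry's own layer listing must point at that same blob.
    if not built.startswith(layer_prefix):
        findings.append("manifest layer digest does not match byproduct digest")
    # 3. The source commit is recorded three times; all copies must agree.
    src = deps.get("source", {})
    commit_from_uri = src.get("uri", "").rsplit("@", 1)[-1]
    if not (commit_from_uri == src.get("digest", {}).get("gitCommit") == internal["GITHUB_SHA"]):
        findings.append("source commit mismatch between uri, gitCommit and GITHUB_SHA")
    # 4. Builder id and invocation id must come from the same workflow run and attempt.
    run_id, attempt = internal["GITHUB_RUN_ID"], internal["GITHUB_RUN_ATTEMPT"]
    if not rd["builder"]["id"].endswith("/actions/runs/" + run_id):
        findings.append("builder id does not reference GITHUB_RUN_ID")
    if rd["metadata"]["invocationId"] != f"{run_id}-{attempt}":
        findings.append("invocationId does not match run id and attempt")
    # 5. The record must describe the coordinate that was actually pulled.
    target = bd["externalParameters"]["target"]
    if (target["repository"], target["tag"]) != (repository, tag):
        findings.append("provenance target differs from pulled coordinate")
    # 6. Sanity check on the build window.
    meta = rd["metadata"]
    if _ts_key(meta["startedOn"]) > _ts_key(meta["finishedOn"]):
        findings.append("finishedOn precedes startedOn")
    return findings


def tampered_copy() -> dict:
    """Constructed negative case: the published blob digest no longer matches the build input."""
    prov = copy.deepcopy(PROVENANCE)
    prov["runDetails"]["byproducts"][0]["digest"]["sha256"] = "0" * 64
    return prov


if __name__ == "__main__":
    print(verify_provenance(PROVENANCE, EXPECTED_REPOSITORY, EXPECTED_TAG, MANIFEST_LAYER_PREFIX))
    print(verify_provenance(tampered_copy(), EXPECTED_REPOSITORY, EXPECTED_TAG, MANIFEST_LAYER_PREFIX))
```

These checks test only that the record agrees with itself and with the manifest; they do not verify a signature over the blob, so a consumer still needs the registry's or the builder's signing mechanism to rule out a record forged wholesale. What the cross-check does catch is a blob whose byproduct digest was edited after the fact, or a bundle republished under a tag or repository its provenance does not name.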

CCC Key Management Controls

Controls for Key Management technologies, as defined by the FINOS Common Cloud Controls project.

ID: CCC.KeyMgmt.CN
Version: v2026.06-rc4
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Observability

The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.

  1. CCC.KeyMgmt.CN01 Alert on Key-version Changes

    Objective

    Generate near-real-time alerts when a KMS key version is disabled or scheduled for deletion, enabling rapid investigation and recovery.

    Assessment requirements
    1. When a key version is scheduled for deletion or disabled, an alert MUST be generated within five minutes.

      Applicability: tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • RS.AN-1: Notifications from detection systems are investigated
    • NIST_800_53
      • IR-5: Incident Monitoring

    Threats
    • CCC.KeyMgmt.Threats
      • CCC.KeyMgmt.TH01: Deletion or disabling of key versions

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.KeyMgmt.CN02 Limit Decrypt Permissions

    Objective

    Restrict the Decrypt operation to authorised principals only, applying the principle of least privilege to protect sensitive data.

    Assessment requirements
    1. When IAM roles and key policies are reviewed, Decrypt permission MUST be granted exclusively to documented authorised principals.

      Applicability: tlp-green

    Guidelines
    • NIST-CSF
      • PR.AC-4: Access to assets is managed
    • NIST_800_53
      • AC-6: Least Privilege

    Threats
    • CCC.KeyMgmt.Threats
      • CCC.KeyMgmt.TH02: Unrestricted use of a KMS key to decrypt data

Encryption

The Encryption group covers entries related to protecting data confidentiality and integrity through cryptographic mechanisms. This includes encryption in transit and at rest, key management, and certificate lifecycle management.

  1. CCC.KeyMgmt.CN03 Enforce Automatic Rotation

    Objective

    Ensure symmetric keys rotate automatically within policy intervals to reduce exposure of key material.

    Assessment requirements
    1. When rotation settings are examined, rotation MUST be enabled with an interval not exceeding 365 days.

      Applicability: tlp-green

    Guidelines
    • NIST-CSF
      • PR.DS-1: Data at rest is protected
    • NIST_800_53
      • SC-12: Cryptographic Key Establishment and Management

    Threats
    • CCC.KeyMgmt.Threats
      • CCC.KeyMgmt.TH03: Key rotation is disabled or delayed
  2. CCC.KeyMgmt.CN04 Validate Imported Keys

    Objective

    Accept only externally generated keys that meet approved cryptographic strength and provenance requirements.

    Assessment requirements
    1. When a key import request is processed, the key MUST use an approved algorithm (RSA-2048+, EC-P256+) and originate from a certified HSM.

      Applicability: tlp-green

    Guidelines
    • NIST-CSF
      • PR.DS-1: Data at rest is protected
    • NIST_800_53
      • SC-28: Protection of Information at Rest

    Threats
    • CCC.KeyMgmt.Threats
      • CCC.KeyMgmt.TH04: Weak or compromised key material
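Each of the four controls above states an assessment requirement that can be evaluated mechanically over a key inventory. The following is an added example, not code from the FINOS CCC project or from any cloud provider's tooling: it models a key record with an IAM-style policy, rotation settings, an origin and a list of disable/deletion events (all constructed, with assumed field, action and origin names such as kms:Decrypt and CERTIFIED_HSM) and reports which control each key fails. The thresholds are the catalog's own: an alert within five minutes for CN01, an allowlist of documented principals for CN02, rotation enabled at 365 days or less for CN03, and RSA-2048+/EC-P256+ from a certified HSM for CN04.

```python
"""Evaluate a constructed KMS key inventory against CCC.KeyMgmt.CN01 to CN04.

Added example, not code from the FINOS CCC project or any cloud provider. The key
record layout, IAM-style policy statements, action and origin names and the documented
principal allowlist are this example's assumptions; the thresholds are the catalog's own.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

ALERT_SLA = timedelta(minutes=5)                 # CN01: alert within five minutes
MAX_ROTATION_DAYS = 365                          # CN03: interval not exceeding 365 days
MIN_RSA_BITS, MIN_EC_BITS = 2048, 256            # CN04: RSA-2048+, EC-P256+
DECRYPT_ACTIONS = {"kms:Decrypt", "kms:*", "*"}  # assumed action names that grant Decrypt
SPEC_RE = re.compile(r"^(RSA)_(\d+)$|^(EC)_P(\d+)$")  # assumed key-spec naming

Finding = tuple[str, str, str]  # (control id, key id, message)

def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_cn01(key: dict) -> list[Finding]:
    """Each disable or scheduled-deletion event needs an alert within five minutes."""
    out: list[Finding] = []
    for ev in key.get("events", []):
        if ev["type"] not in {"disabled", "scheduled_deletion"}:
            continue
        if ev.get("alerted") is None:
            out.append(("CCC.KeyMgmt.CN01", key["key_id"], f"no alert for {ev['type']} event"))
        elif _utc(ev["alerted"]) - _utc(ev["occurred"]) > ALERT_SLA:
            out.append(("CCC.KeyMgmt.CN01", key["key_id"], f"alert for {ev['type']} later than five minutes"))
    return out

def check_cn02(key: dict, documented: set[str]) -> list[Finding]:
    """Decrypt may be allowed only to documented principals; a wildcard principal never passes.
    Explicit Deny statements and policy conditions are not modelled (assumption)."""
    out: list[Finding] = []
    for st in key.get("policy", []):
        if st["effect"] != "Allow" or not DECRYPT_ACTIONS & set(st["actions"]):
            continue
        for p in st["principals"]:
            if p == "*":
                out.append(("CCC.KeyMgmt.CN02", key["key_id"], "Decrypt granted to any principal"))
            elif p not in documented:
                out.append(("CCC.KeyMgmt.CN02", key["key_id"], f"Decrypt granted to undocumented {p}"))
    return out

def check_cn03(key: dict) -> list[Finding]:
    """Symmetric keys must rotate automatically at an interval of at most 365 days."""
    if key["spec"] != "SYMMETRIC":  # the control is scoped to symmetric keys
        return []
    if not key.get("rotation_enabled"):
        return [("CCC.KeyMgmt.CN03", key["key_id"], "automatic rotation disabled")]
    if key.get("rotation_days", 0) > MAX_ROTATION_DAYS:
        return [("CCC.KeyMgmt.CN03", key["key_id"], f"rotation interval {key['rotation_days']} days exceeds 365")]
    return []

def check_cn04(key: dict) -> list[Finding]:
    """Imported keys must use an approved algorithm and originate from a certified HSM."""
    if key["origin"] == "KMS":  # generated inside the service: not an import
        return []
    out: list[Finding] = []
    m = SPEC_RE.match(key["spec"])
    approved = m is not None and (
        (m.group(1) == "RSA" and int(m.group(2)) >= MIN_RSA_BITS)
        or (m.group(3) == "EC" and int(m.group(4)) >= MIN_EC_BITS)
    )
    if not approved:
        out.append(("CCC.KeyMgmt.CN04", key["key_id"], f"unapproved algorithm {key['spec']}"))
    if key["origin"] != "CERTIFIED_HSM":
        out.append(("CCC.KeyMgmt.CN04", key["key_id"], f"import origin {key['origin']} is not a certified HSM"))
    return out

def evaluate(keys: list[dict], documented: set[str]) -> list[Finding]:
    findings: list[Finding] = []
    for k in keys:
        findings += check_cn01(k) + check_cn02(k, documented) + check_cn03(k) + check_cn04(k)
    return findings

# Constructed inventory: key-a is compliant, the others each fail specific controls.
DOCUMENTED = {"role/payments-api"}
INVENTORY = [
    {"key_id": "key-a", "spec": "SYMMETRIC", "origin": "KMS", "rotation_enabled": True, "rotation_days": 90,
     "policy": [{"effect": "Allow", "principals": ["role/payments-api"], "actions": ["kms:Decrypt"]}],
     "events": [{"type": "disabled", "occurred": "2026-06-01T10:00:00Z", "alerted": "2026-06-01T10:02:00Z"}]},
    {"key_id": "key-b", "spec": "SYMMETRIC", "origin": "KMS", "rotation_enabled": True, "rotation_days": 400,
     "policy": [{"effect": "Allow", "principals": ["*"], "actions": ["kms:*"]}],
     "events": [{"type": "scheduled_deletion", "occurred": "2026-06-01T11:00:00Z", "alerted": None}]},
    {"key_id": "key-c", "spec": "RSA_1024", "origin": "EXTERNAL_SOFTWARE", "policy": [], "events": []},
    {"key_id": "key-d", "spec": "EC_P384", "origin": "CERTIFIED_HSM",
     "policy": [{"effect": "Allow", "principals": ["role/analytics"], "actions": ["kms:Decrypt"]}],
     "events": [{"type": "disabled", "occurred": "2026-06-01T12:00:00Z", "alerted": "2026-06-01T12:09:00Z"}]},
]

if __name__ == "__main__":
    for control, key_id, message in evaluate(INVENTORY, DOCUMENTED):
        print(f"{control}  {key_id}  {message}")
```

Scoping CN03 to keys whose spec is SYMMETRIC follows the control's wording ("symmetric keys"), and treating kms:* and * as granting Decrypt reflects that a broad action grant fails the "exclusively to documented authorised principals" test just as an explicit one does. Real policy languages add explicit denies, conditions and resource scoping that this evaluator deliberately leaves out; a production check would need the provider's own policy-evaluation semantics for CN02.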