Use appropriate cryptographic mechanisms and industry-recognized key management practices to protect sensitive and regulated data at rest and in transit.
Organizations protect the confidentiality and integrity of data through approved cryptographic technologies, key lifecycle management, cryptographic inventory practices and migration planning that supports secure, resilient and compliant cryptographic protections.
Encryption is not just a checkbox. The CRY domain governs the selection, deployment and lifecycle management of cryptographic mechanisms, including key management practices that determine whether encryption actually protects data or just creates the appearance of protection. An encryption implementation with weak key management, poor algorithm selection, or no key rotation schedule provides less assurance than its existence suggests.
The SCF's intent for CRY includes cryptographic inventory practices and migration planning. Those requirements exist because cryptographic algorithms have finite lifespans and organizations that haven't catalogued what they're using cannot plan migrations when algorithms are deprecated. The migration planning requirement has become more urgent given the quantum computing threat addressed in domain 26 (QTS). An organization that doesn't know where it uses RSA cannot begin planning a post-quantum migration.
CRY addresses protections for data at rest and in transit. Both contexts require distinct implementation decisions. The domain treats them together because the underlying discipline, selecting approved algorithms, managing keys through their lifecycle and validating that protections are operating as intended, is the same even when the technical implementations differ.