Public Key Infrastructure (PKI) is the organizational, technical, and operational system that manages digital certificates and cryptographic key pairs to establish verified identity and secure communication at enterprise scale. PKI binds a public key to a verified identity — person, device, service, or organization — through a digitally signed certificate issued by a trusted Certificate Authority (CA). This binding enables four core security services: authentication (proving who you are), confidentiality (encrypting data so only the intended recipient can read it), integrity (detecting unauthorized modification), and non-repudiation (proving an action occurred and cannot be denied). PKI is not the cryptographic algorithm itself — it is the governance and operational infrastructure that makes asymmetric cryptography usable and trustworthy at scale. It is not a single product; it is a system of policies, processes, technologies, and roles working together.
Where it stops · what it isn't
- PKI IS: Certificate lifecycle management (issuance, renewal, revocation), the CA trust hierarchy (root CA, intermediate CA, issuing CA), digital certificate standards (X.509v3), CA key protection mechanisms (HSMs), and governance policies (Certificate Policy, Certification Practice Statement).
- PKI IS NOT: The underlying cryptographic mathematics (covered in the sibling Data Encryption cubelet), a single vendor product or appliance, nor limited to web/TLS certificates — PKI extends to email (S/MIME), code signing, document signing, device/machine identity, and VPN authentication.
- PKI IS NOT symmetric key encryption or shared-secret systems — PKI specifically governs the asymmetric (public/private) key ecosystem. Password-based authentication systems are not PKI even if they coexist with it.
- PKI IS NOT a one-time implementation — it is a continuously operated program requiring certificate lifecycle management, CA health monitoring, revocation infrastructure, and periodic policy review.
- CISA audit scope covers: CA controls, certificate policy documentation, revocation infrastructure, key generation and storage practices, and certificate lifecycle processes — not the encryption strength of individual ciphers.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- REQUIRES: Asymmetric Cryptography (Public/Private Key Pairs); Certificate Authority (CA) Trust Hierarchy; Hardware Security Module (HSM) for CA Key Protection
- PART OF: Protection of Information Assets (CISA Domain 5)
- ENABLES: Transport Layer Security (TLS/SSL) — HTTPS; Digital Signatures and Non-Repudiation; Mutual TLS (mTLS) for Zero-Trust Architecture; Code Signing and Software Supply Chain Integrity; Machine Identity Management (IoT, APIs, Microservices)
- RELATED TO: Data Encryption and Key Management (CISA Domain 5)
- CONSTRAINS: Post-Quantum Cryptography Migration Planning