7.9 Policy for cryptographic key management exists and is enforced

Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, and expired). Verify that this key lifecycle is properly enforced.

Levels: 2, 3