How often are KP rekeys required?

• A. At least annually or more frequently as required.
• B. Every 6 months
• C. Every 3 years
• D. Only upon key replacement

Answer: (A)

Rekeying KP is about renewing the cryptographic or access credentials on a regular basis to limit the window of opportunity if a key is ever compromised. The standard practice is to rekey at least once a year, with the option to do it more often if policy, risk assessments, or incidents demand it. This minimum cadence keeps keys from lingering too long in circulation and reduces the impact of potential exposures, while still being manageable in terms of operations. Rekeying only when a key is replaced misses ongoing security needs, and much longer intervals (like every three years) leave too much time for a key to be compromised or for access rights to drift. A six-month interval is more frequent than the baseline but not required by default; the policy allows faster rekeys when warranted.