The entity that selects the capabilities to be included in a CKMS, documents the design in accordance with the requirements specified in [NIST SP 800-130], and specifies a CKMS Security Policy that defines the rules that are to be enforced in the CKMS.
Sources:
NIST SP 800-152