ISM-1446 (policy control) | ASD Information Security Manual (ISM)

Use Approved Elliptic Curves for Encryption

Ensure secure cryptography by using NIST-approved elliptic curves for encryption.


Plain language

When using elliptic curve cryptography, it's important to choose the right mathematical curve to ensure data security. If you don't use curves approved by experts like those at NIST, your encrypted messages could be vulnerable to hackers who might steal sensitive information or cause financial harm.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When using elliptic curve cryptography, a suitable curve from NIST SP 800-186 is used.

Why it matters

If curves outside NIST SP 800-186 are used, the ECC may be cryptographically weaker or non-compliant, enabling decryption of protected data, man-in-the-middle (MITM) attacks, or undetected data tampering.


Operational notes

Restrict TLS and other cryptographic configurations to NIST SP 800-186 curves only, and regularly audit libraries, key material and settings so that a non-approved curve cannot be negotiated or used for keys.
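The two audit steps in the note above (check the curve behind deployed keys, and check the curve list a TLS configuration offers) can be done offline with a small script. The following is an added example, not part of the ISM page or of any product named on it; it uses only the Python standard library. The allow-list, the alias table, the sample keys and the configuration strings are the author's assumptions and constructed test data, not values from the page:

```python
"""Audit elliptic-curve usage against an approved-curve allow-list.

Added example (not part of the ISM control page). Two offline checks:
(1) read the named curve from an EC SubjectPublicKeyInfo (DER) and test it
against the allow-list; (2) audit a TLS group/curve configuration string
(OpenSSL/nginx style, e.g. "X25519:prime256v1") for non-approved entries.
"""
from __future__ import annotations

# ASSUMPTION: this allow-list admits only the prime-order Weierstrass curves
# of NIST SP 800-186. SP 800-186 also specifies Curve25519/Curve448 (X25519 /
# X448 in TLS); add them here if your organisation's policy treats them as
# approved for the use in question.
APPROVED_CURVES = {"P-224", "P-256", "P-384", "P-521"}

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"      # id-ecPublicKey (well-known OID)
CURVE_OIDS = {                               # named-curve OIDs -> canonical name
    "1.3.132.0.33": "P-224",                 # secp224r1
    "1.2.840.10045.3.1.7": "P-256",          # secp256r1 / prime256v1
    "1.3.132.0.34": "P-384",                 # secp384r1
    "1.3.132.0.35": "P-521",                 # secp521r1
    "1.2.840.10045.3.1.1": "P-192",          # secp192r1, withdrawn in SP 800-186
    "1.3.132.0.10": "secp256k1",             # not specified in SP 800-186
}
# Aliases that appear in OpenSSL / nginx / Java configs -> canonical name.
ALIASES = {
    "prime256v1": "P-256", "secp256r1": "P-256", "p-256": "P-256",
    "secp384r1": "P-384", "p-384": "P-384", "secp521r1": "P-521", "p-521": "P-521",
    "secp224r1": "P-224", "p-224": "P-224", "prime192v1": "P-192",
    "secp192r1": "P-192", "secp256k1": "secp256k1", "x25519": "X25519", "x448": "X448",
}


def _read_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode DER OID content octets (first arc < 2) to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def curve_from_spki(spki: bytes) -> str | None:
    """Named curve of an EC SubjectPublicKeyInfo, or None if the key is not EC."""
    tag, body, _ = _read_tlv(spki, 0)
    assert tag == 0x30, "SPKI must be a SEQUENCE"
    tag, alg, _ = _read_tlv(body, 0)         # AlgorithmIdentifier
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, alg_oid, pos = _read_tlv(alg, 0)
    if tag != 0x06 or _decode_oid(alg_oid) != ID_EC_PUBLIC_KEY:
        return None
    tag, params, _ = _read_tlv(alg, pos)
    if tag != 0x06:                          # explicit/implicit domain parameters
        return "unnamed-curve"               # cannot be an approved named curve
    oid = _decode_oid(params)
    return CURVE_OIDS.get(oid, "unknown:" + oid)


def is_approved(curve: str) -> bool:
    """True if the curve name (or a known alias) is on the allow-list."""
    return ALIASES.get(curve.lower(), curve) in APPROVED_CURVES


def audit_curve_list(config: str) -> list[str]:
    """Return the non-approved entries of a colon/comma/space separated list."""
    entries = config.replace(",", ":").replace(" ", ":").split(":")
    return [e for e in entries if e and not is_approved(e)]


# --- constructed sample inputs (dummy keys, not real material) ---------------
def _der(tag: int, body: bytes) -> bytes:
    assert len(body) < 128                   # short-form length is enough here
    return bytes([tag, len(body)]) + body


def _spki(curve_oid_hex: str, point_len: int) -> bytes:
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D0201")) + _der(0x06, bytes.fromhex(curve_oid_hex)))
    point = _der(0x03, b"\x00\x04" + b"\x11" * point_len)   # dummy uncompressed point
    return _der(0x30, alg + point)


SAMPLE_P256_SPKI = _spki("2A8648CE3D030107", 64)   # constructed P-256 key
SAMPLE_K1_SPKI = _spki("2B8104000A", 64)           # constructed secp256k1 key

if __name__ == "__main__":
    for name, spki in (("p256", SAMPLE_P256_SPKI), ("k1", SAMPLE_K1_SPKI)):
        curve = curve_from_spki(spki)
        print(f"{name}: {curve} approved={is_approved(curve)}")
    print("non-approved in config:", audit_curve_list("secp256k1:prime256v1:secp384r1:prime192v1"))
```

To use it on real material, export the public key from a certificate in DER form (for example with the OpenSSL `x509 -pubkey` and `pkey -pubin -outform DER` commands) and pass the bytes to `curve_from_spki`; feed the server's configured group list to `audit_curve_list`. Keys whose parameters are given explicitly rather than by OID are reported as `unnamed-curve`, which an auditor should treat as a finding in its own right.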


Implementation tips

  • IT team should review current encryption setup: Examine which elliptic curves are being used for encrypting sensitive data. Ensure they match the ones listed in NIST SP 800-186, which is a trusted guideline by the National Institute of Standards and Technology.
  • System owners should coordinate with cybersecurity advisors: Arrange a session to understand why NIST-approved elliptic curves are essential and how they improve security for your systems. This can involve a workshop or a detailed briefing with your security provider to ensure awareness and compliance.
  • Procurement officers should ensure new systems use compliant encryption: When acquiring new software or systems that involve encryption, specify the requirement for NIST-approved elliptic curves in procurement documents. This ensures that any new purchases are secured right from the start.
  • IT managers must update existing policies: Revise organisational policies related to encryption to include the mandate for NIST-approved elliptic curves. Communicate updates to all relevant staff so everyone is aware and understands the importance of this measure.
  • Internal audit teams should perform regular checks: Set up a schedule for auditing cryptographic implementations. This includes checking that the implemented elliptic curves are on the NIST-approved list and ensuring adherence over time.

Audit / evidence tips

  • Ask for: The list of elliptic curves currently in use. Request a document from the IT department detailing which curves are employed for encryption. Good evidence: shows exact matches to the approved list and indicates review dates.
  • Ask for: The procurement policy regarding encryption standards. Request to see the procurement guidelines that mention encryption requirements. Good evidence: highlights these requirements in the acquisition criteria.
  • Ask for: The internal encryption policy. Request the organisational encryption policy to review its contents. Good evidence: clear policy wording matching this requirement.
  • Ask for: Recent training or briefing records. Request documentation of recent training sessions concerning encryption standards. Good evidence: includes detailed session summaries and attendance lists.
  • Ask for: The results of the latest audit or review of cryptographic implementations. Request findings or audit results related to encryption methods. Good evidence: showcases thorough checks and compliance notes.

Cross-framework mappings

How ISM-1446 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control

Annex A 8.24

Relationship

Partially meets

Notes

ISM-1446 mandates the use of elliptic curves from NIST SP 800-186 for encryption, focusing on selecting specific cryptographic parameters.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
