ISM-1761 | ASD Information Security Manual (ISM)

Use NIST Curves for ECDH Key Agreement

When ECDH is used to agree session keys, use only the NIST P-256, P-384 or P-521 curves, with P-384 preferred.


Plain language

When we talk about securing sensitive communications online, it's a bit like making sure your personal diary is under lock and key. Before two systems can talk privately they have to agree on a shared secret key, and ECDH is the mathematical technique used to do that. This control says that agreement must happen on one of three specific, well-studied elliptic curves published by NIST (P-256, P-384 or P-521), with P-384 the preferred choice. If other curves are used, there is a heightened risk that an attacker who intercepts the exchange could work out the key and read information that was meant to stay private.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When using ECDH for agreeing on encryption session keys, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve.

Why it matters

Using weak, non-standard or unvetted curves for ECDH (the control permits only NIST P-256, P-384 and P-521) can weaken key agreement, allowing an attacker who observes the exchange to recover the session key and decrypt the traffic it protects. The curve choice is only as good as the checks around it: an implementation that accepts a peer public key without confirming the point lies on the agreed curve undermines even P-384.


Operational notes

Audit TLS and other ECDH configurations, on servers and clients alike, so that only NIST P-256, P-384 or P-521 are enabled; order the list so P-384 is offered first and disable every other curve, including any the library enables by default. Re-check after library or platform upgrades, which can silently restore default curve lists.


Implementation tips

  • The IT team should ensure that the TLS, VPN and other cryptographic software they operate is configured to prefer the NIST P-384 curve, and to accept only P-256, P-384 or P-521, when setting up secure communications. They can do this by checking the curve or group settings in each product and library, and by confirming with software vendors that those settings are available and enabled.
  • System owners should collaborate with their IT providers to ensure that any new systems they procure support the NIST curves, particularly P-384, for key agreement. This involves raising the requirement before purchase and verifying the supported curves with the vendor.
  • Managers should oversee staff training sessions on secure communications and why specific settings, such as preferring NIST P-384, protect against data breaches. A one-hour interactive workshop using simple, relatable analogies is enough to explain the concepts.
  • The procurement team should update their purchasing checklists to require that any product performing ECDH supports NIST P-256, P-384 or P-521, with P-384 available as the preferred curve. They can implement this by adding a technical compliance section to the checklist and ticking it off during vendor evaluations.
  • Executives should set a policy that mandates the use of the permitted NIST curves across all levels of the organisation wherever sensitive information is communicated. This can be done by formalising it in the organisation's cybersecurity policy documents and ensuring everyone, from managers to employees, adheres to it.
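The operational note and the first implementation tip above come down to two things: a policy check that only P-256, P-384 or P-521 may be selected for ECDH, and a configuration that offers P-384 first. The Go program below is an added example written for this page, not code from the ISM or from Control Stack; it uses only the standard library (crypto/ecdh and crypto/tls). It enforces the curve policy by name, runs a full ECDH exchange on P-384 including validation of the peer's public key, and returns the tls.Config curve preference list a server or client would use. The function names, the curve-name strings and the HMAC-SHA256 key derivation are this example's own choices, not anything the control specifies.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"fmt"
)

// approvedCurves maps the curve names permitted by ISM-1761 to their
// crypto/ecdh implementations. X25519 is deliberately absent: the control
// does not list it, so a request for it must fail the policy check.
// (Example policy table; the name strings are this example's own.)
var approvedCurves = map[string]ecdh.Curve{
	"P-256": ecdh.P256(),
	"P-384": ecdh.P384(),
	"P-521": ecdh.P521(),
}

// ApprovedCurve returns the ecdh.Curve for name, or an error when name is
// not one of NIST P-256, P-384 or P-521.
func ApprovedCurve(name string) (ecdh.Curve, error) {
	c, ok := approvedCurves[name]
	if !ok {
		return nil, fmt.Errorf("curve %q is not permitted by ISM-1761 (use P-256, P-384 or P-521; prefer P-384)", name)
	}
	return c, nil
}

// ISMCurvePreferences is the list to assign to tls.Config.CurvePreferences
// (server and client side) so the handshake offers P-384 first and never X25519.
func ISMCurvePreferences() []tls.CurveID {
	return []tls.CurveID{tls.CurveP384, tls.CurveP256, tls.CurveP521}
}

// deriveSessionKey turns the raw ECDH shared secret into a 32-byte session
// key. HMAC-SHA256 under a fixed label stands in here for a real KDF (HKDF
// with the handshake transcript bound in); the raw secret is never used directly.
func deriveSessionKey(shared []byte) []byte {
	mac := hmac.New(sha256.New, []byte("ISM-1761 example KDF"))
	mac.Write(shared)
	return mac.Sum(nil)
}

// AgreeSessionKeys runs one ECDH exchange on the named curve between two
// parties and returns the session key each side derives. Both keys are
// returned so a caller can confirm they match; on the wire only the encoded
// public keys would travel.
func AgreeSessionKeys(curveName string) (aliceKey, bobKey []byte, err error) {
	curve, err := ApprovedCurve(curveName)
	if err != nil {
		return nil, nil, err
	}
	alicePriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	bobPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// What crosses the network: uncompressed SEC 1 encodings of the public points.
	aliceWire := alicePriv.PublicKey().Bytes()
	bobWire := bobPriv.PublicKey().Bytes()

	// Each side parses the peer's bytes with the curve it expects. NewPublicKey
	// rejects encodings that are not a valid point on that curve, which is what
	// stops a peer substituting a point from a different or weaker curve.
	bobPub, err := curve.NewPublicKey(bobWire)
	if err != nil {
		return nil, nil, fmt.Errorf("peer public key rejected: %w", err)
	}
	alicePub, err := curve.NewPublicKey(aliceWire)
	if err != nil {
		return nil, nil, fmt.Errorf("peer public key rejected: %w", err)
	}
	aliceShared, err := alicePriv.ECDH(bobPub)
	if err != nil {
		return nil, nil, err
	}
	bobShared, err := bobPriv.ECDH(alicePub)
	if err != nil {
		return nil, nil, err
	}
	return deriveSessionKey(aliceShared), deriveSessionKey(bobShared), nil
}

func main() {
	for _, name := range []string{"P-384", "X25519"} {
		a, b, err := AgreeSessionKeys(name)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s: keys agree=%v session key=%s\n", name, hmac.Equal(a, b), hex.EncodeToString(a))
	}
}
```

Running it performs a P-384 agreement and then shows the policy check refusing X25519. In a real deployment the list from ISMCurvePreferences goes into the tls.Config on both ends; a peer that offers only curves outside the list will fail the handshake rather than fall back, which is the behaviour the operational note asks you to audit for.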

Audit / evidence tips

  • Ask: the encryption product documentation (manuals or specification sheets for the tools in use). Good: shows clear support for P-384 and the other permitted curves, and includes specific mention of P-384 as a standard requirement.
  • Ask: system configuration reports, or a demonstration of how the encryption settings are configured. Good: a printout or screen capture showing P-384 active.
  • Ask: training materials or attendance records from sessions on secure communications. Good: a training schedule and materials referencing P-384.
  • Ask: the procurement checklists used to evaluate new encryption tools. Good: a checklist showing this requirement ticked off.

Cross-framework mappings

How ISM-1761 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Annex A 8.24 (partially meets): ISM-1761 requires that when ECDH is used to agree encryption session keys, organisations use specific NIST curves (P-256, P-384 or P-521)...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
