ISM-1762 ASD Information Security Manual (ISM)

Use NIST P-384 Curve for ECDH Keys

When using ECDH, utilise the NIST P-384 curve for better encryption security.

Plain language

This control suggests using a special mathematical tool called the NIST P-384 curve to securely share secret keys over the internet. If this isn't done, sensitive information might be intercepted by hackers, leading to data breaches or financial losses.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When using ECDH for agreeing on encryption session keys, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve.
ASD Information Security Manual (ISM) ISM-1762

Why it matters

If ECDH uses curves other than NIST P-384/P-521, key agreement strength may drop, increasing risk of session key compromise and data exposure.

Operational notes

Configure TLS/ECDH settings to prefer NIST P-384 (allow P-521) and disable weaker/unsupported curves; validate via scans and library policy.
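
One way to check a configured curve list against this control, as an added example that is not part of the original page or the ISM. It assumes the colon-separated curve list used by nginx's ssl_ecdh_curve directive; the function names and the sample configuration are constructed for illustration.

```python
import re

# Standard OpenSSL and NIST names for the two curves ISM-1762 permits.
ALLOWED = {"secp384r1": "P-384", "p-384": "P-384",
           "secp521r1": "P-521", "p-521": "P-521"}


def audit_curve_list(value):
    """Audit a colon-separated curve list (nginx ssl_ecdh_curve format).

    Returns (compliant, findings). FAIL findings break compliance;
    NOTE findings record that P-384 is not the first preference.
    """
    names = [n.strip() for n in value.split(":") if n.strip()]
    if not names or names == ["auto"]:
        return False, ["FAIL no curves pinned, library defaults apply"]
    findings = []
    for name in names:
        if name.lower() not in ALLOWED:
            findings.append(f"FAIL {name} is not P-384 or P-521")
    compliant = not findings
    if ALLOWED.get(names[0].lower()) != "P-384":
        findings.append(f"NOTE first preference is {names[0]}, not P-384")
    return compliant, findings


def audit_nginx_config(text):
    """Audit each ssl_ecdh_curve directive; a missing directive means 'auto'."""
    values = re.findall(r"^\s*ssl_ecdh_curve\s+([^;]+);", text, re.M)
    return {v.strip(): audit_curve_list(v) for v in values or ["auto"]}


# Constructed sample configuration, not taken from any real system.
SAMPLE = """
server {
    listen 443 ssl;
    ssl_ecdh_curve secp384r1:secp521r1;
}
server {
    listen 8443 ssl;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
}
"""

if __name__ == "__main__":
    for curves, (ok, findings) in audit_nginx_config(SAMPLE).items():
        print("PASS" if ok else "FAIL", curves, findings)
```

A list that puts P-521 ahead of P-384 still passes, because the control permits both curves and only states a preference; the checker records it as a NOTE.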

Implementation tips

  • The IT team should ensure they're using the NIST P-384 curve when setting up systems that share encryption keys. They can do this by checking the software settings in their encryption tools to confirm the NIST P-384 option is selected.
  • Managers should ask the IT team for a simple explanation of how the NIST P-384 curve protects the organisation's data. This helps everyone understand why this specific curve is important for our online security.
  • Procurement officers should verify that new software purchases support NIST P-384 encryption. They can do this by asking vendors for technical specifications or documentation that lists supported encryption methods.
  • The IT security coordinator should conduct a training session to explain why NIST P-384 is crucial, ensuring the team is aware of current security practices. This session should also cover basic troubleshooting if configurations need adjustments.
  • System owners should periodically review and update system configurations to maintain compliance with this control. They can schedule regular quarterly checks where the team ensures that all systems are still using the recommended encryption settings.

Audit / evidence tips

  • Ask: The current encryption policy: Check that the document specifies using NIST P-384 for key agreements. Good: Would include explicit instructions about selecting this curve in all related systems
  • Good: Demonstration will show that this setting is in place across all systems
  • Ask: Software vendor agreements: Review the contracts or product brochures to confirm support for NIST P-384. Good: Is documentation that explicitly mentions compatibility with NIST P-384
  • Ask: The encryption tool audit logs. Good: Includes specific log entries that show the algorithm in use

Cross-framework mappings

How ISM-1762 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.24 ISM-1762 requires that when ECDH is used to agree encryption session keys, organisations should use NIST P-384 (preferred) or P-521 curves

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.