Use NIST P-384 Curve for ECDSA Signatures
When signing digitally, prefer using the NIST P-384 curve for better security.
Plain language
When you're signing documents digitally, it's like putting your unique signature on paper. This control recommends a specific elliptic curve for those digital signatures, called NIST P-384, which is widely regarded as very secure. If you don't use it, your digital signatures may become easier to forge, potentially leading to unauthorised access or fraud.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
When using ECDSA for digital signatures, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve.
Why it matters
Using weaker or non-approved ECDSA curves instead of NIST P-384 can reduce signature strength, increasing the chance of forged signatures and unauthorised actions.
Operational notes
Confirm ECDSA implementations are restricted to NIST P-256/P-384/P-521 and prefer P-384; audit certificate keys and signing libraries to prevent weaker curves.
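One way to automate the check above, as an added example that is not part of the ISM or this page: a Go program (standard library only) that parses DER-encoded public keys in the form found in X.509 certificates and PKIX key files, rates the curve against this control, and runs over constructed sample keys on P-224, P-256, P-384, P-521 and Ed25519. The function names and verdict labels are assumptions of this example, not terms from the ISM.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
)
// AuditDERPublicKey parses a DER SubjectPublicKeyInfo (as found in X.509 certificates
// and PKIX key files) and rates it against ISM-1763: ECDSA on P-384 is "preferred",
// P-256/P-521 "approved", any other curve "non-approved", non-ECDSA keys "not-ecdsa".
func AuditDERPublicKey(der []byte) (name, verdict string, err error) {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return "", "", err
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Sprintf("%T", pub), "not-ecdsa", nil // e.g. RSA or Ed25519: outside this control
	}
	switch name = ec.Curve.Params().Name; name {
	case "P-384":
		return name, "preferred", nil
	case "P-256", "P-521":
		return name, "approved", nil
	}
	return name, "non-approved", nil
}
// AuditSampleKeys audits constructed sample keys (stand-ins for a real inventory) and collects the verdicts.
func AuditSampleKeys() map[string]string {
	out := map[string]string{}
	audit := func(pub any) {
		der, _ := x509.MarshalPKIXPublicKey(pub)
		name, verdict, _ := AuditDERPublicKey(der)
		out[name] = verdict
	}
	for _, c := range []elliptic.Curve{elliptic.P224(), elliptic.P256(), elliptic.P384(), elliptic.P521()} {
		priv, _ := ecdsa.GenerateKey(c, rand.Reader) // cannot fail for the built-in curves
		audit(&priv.PublicKey)
	}
	edPub, _, _ := ed25519.GenerateKey(rand.Reader)
	audit(edPub)
	return out
}
func main() {
	for name, verdict := range AuditSampleKeys() {
		fmt.Printf("%-18s %s\n", name, verdict)
	}
}
```

In a real audit, feed `AuditDERPublicKey` the `RawSubjectPublicKeyInfo` of each parsed certificate; any "non-approved" result is a finding and "approved" results are candidates for migration to P-384.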
Implementation tips
- IT team should review current digital signing methods: Check which algorithms are currently in use. Ensure that the NIST P-384 curve is available as an option for digital signatures and update software if necessary.
- Procurement should specify security requirements: When purchasing software or services that involve digital signatures, ensure contracts specify that they support the NIST P-384 curve for ECDSA signatures. Clarify this during vendor negotiation.
- IT security manager should run awareness sessions: Educate team members about the importance of using recommended algorithms. Use simple examples to explain why the NIST P-384 curve is preferred for security.
- System owner should coordinate upgrade plans: If the required software does not support the NIST P-384 curve, collaborate with IT to plan and prioritise an upgrade. Create a timeline for implementing this change.
- Policy manager should update documentation: Ensure internal security policies reflect the use of the NIST P-384 curve for digital signatures. This ensures everyone knows it's the standard and follows it.
Audit / evidence tips
- Ask: the list of algorithms used for digital signatures (request documentation from the IT team detailing current algorithms). Good: includes NIST P-384 listed with implementation notes.
- Good: confirms NIST P-384 inclusion or future update commitments.
- Ask: IT awareness session records (review attendance and materials from training sessions). Good: includes clear session agendas and participant feedback.
- Ask: upgrade timelines (request a project plan or timeline for software upgrades). Good: includes a specific timeline and responsible parties.
- Ask: to see updated security policies (review new policies set by the policy manager). Good: includes explicit statements about using NIST P-384.
Cross-framework mappings
How ISM-1763 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.24 | ISM-1763 requires that when an organisation uses ECDSA for digital signatures it uses approved NIST curves (preferably P-384) |
| Supports | Annex A 5.36 | ISM-1763 requires organisations to standardise ECDSA signature configurations on approved NIST curves, preferably P-384 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.