Use NIST P-384 Curve for ECDSA Signatures
Use the NIST P-384 or P-521 curves, preferably P-384, for secure digital signatures.
Plain language
This control is about using a specific type of digital signature to keep online communications safe. It suggests using a secure mathematical curve, known as NIST P-384, when creating digital signatures. If we don't follow this advice, our sensitive messages or transactions could be tampered with or forged, leading to potential security breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
When using ECDSA for digital signatures, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve.
Why it matters
Without NIST P-384/P-521 for ECDSA, weaker curve choices can reduce signature strength, increasing forgery risk and undermining integrity.
Operational notes
Enforce ECDSA curve policy to use NIST P-384 (preferred) or P-521; audit TLS/cert profiles and app crypto libs to block other curves after upgrades.
Implementation tips
- System administrators should verify that current digital signature protocols use the NIST P-384 curve. To do this, check the configuration files on servers and update any older protocols to include the NIST P-384 option if they don't already.
- The IT security team should ensure that all new software acquisitions that require digital signatures support the NIST P-384 curve. When evaluating software, request detailed security documentation to confirm this support before making a purchase.
- IT managers should conduct regular training sessions for IT staff to discuss the importance of using approved cryptographic algorithms, like NIST P-384, and demonstrate how to configure systems accordingly. Include practical examples and dedicate time for questions.
- The organisation's policy writers should update internal security policies to mandate the use of the NIST P-384 curve for digital signatures. Clearly outline this requirement in the corporate IT security manual and circulate it across relevant teams.
- IT support teams should develop a checklist for system audits that includes a step to verify the use of the NIST P-384 curve in digital signature setups. Include this check in regular maintenance schedules to ensure compliance.
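The curve check that the operational notes and the audit checklist above call for can be automated against exported public keys. The following stdlib-only Python script is an added example, not Control Stack or ASD code: it reads the namedCurve OID out of a DER SubjectPublicKeyInfo (the structure `openssl x509 -pubkey -noout` emits, after PEM decoding) and flags any ECDSA key whose curve is not P-384 or P-521. The `sample_spki` keys are constructed with all-zero point bytes purely to exercise the parser and are not valid keys.

```python
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")          # id-ecPublicKey 1.2.840.10045.2.1
CURVE_OIDS = {                                               # DER content bytes of namedCurve OIDs
    bytes.fromhex("2a8648ce3d030107"): "secp256r1 (P-256)",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1 (P-384)",        # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1 (P-521)",        # 1.3.132.0.35
}
ISM_1764_ALLOWED = {"secp384r1 (P-384)", "secp521r1 (P-521)"}

def _read_tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, content, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def curve_of_spki(der):
    """Return the curve name of an EC SubjectPublicKeyInfo, or None if it is not an EC key."""
    _, spki, _ = _read_tlv(der, 0)           # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey }
    _, algid, _ = _read_tlv(spki, 0)         # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }
    _, alg_oid, nxt = _read_tlv(algid, 0)
    if alg_oid != EC_PUBLIC_KEY_OID:
        return None
    ptag, params, _ = _read_tlv(algid, nxt)  # parameters should be a namedCurve OID (tag 0x06)
    if ptag != 0x06:
        return "unknown (explicit or implicit curve parameters)"
    return CURVE_OIDS.get(params, "unknown OID " + params.hex())

def check_ism_1764(name, spki_der):
    """Classify one key against ISM-1764: P-384 preferred, P-521 acceptable, anything else fails."""
    curve = curve_of_spki(spki_der)
    if curve is None:
        return (name, "not an EC key", "n/a")
    return (name, curve, "compliant" if curve in ISM_1764_ALLOWED else "NON-COMPLIANT")

def _tlv(tag, content):
    """Encode a DER TLV; only used to build the constructed samples below."""
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82, n >> 8, n & 0xFF])
    return hdr + content

def sample_spki(curve_oid, coord_len):
    """Constructed sample: correct SPKI layout with a dummy all-zero uncompressed point. Not a usable key."""
    algid = _tlv(0x30, _tlv(0x06, EC_PUBLIC_KEY_OID) + _tlv(0x06, curve_oid))
    point = _tlv(0x03, b"\x00\x04" + b"\x00" * (2 * coord_len))   # BIT STRING: 0 unused bits, 0x04 prefix
    return _tlv(0x30, algid + point)

if __name__ == "__main__":   # constructed inventory: one compliant key, one that fails the policy
    for name, der in [("web-01", sample_spki(bytes.fromhex("2b81040022"), 48)),
                      ("legacy-api", sample_spki(bytes.fromhex("2a8648ce3d030107"), 32))]:
        print(*check_ism_1764(name, der), sep="\t")
```

To audit real material, base64-decode the body of a `PUBLIC KEY` PEM block and pass the bytes to `check_ism_1764`; a non-compliant row is a finding for the configuration report the audit tips ask for.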
Audit / evidence tips
- Ask for the digital signature configuration report: Request a report that lists the cryptographic settings used for digital signatures across organisational systems.
  Good: shows systems configured with NIST P-384 for digital signatures.
- Ask to see recent purchase orders for cryptographic software: Request documentation of recent software acquisitions that deal with digital signatures.
  Good: includes contracts or purchase orders with NIST P-384 support clearly mentioned.
- Ask for IT training records: Request attendance logs and training materials from recent IT staff training sessions about cryptographic protocols.
  Good: includes detailed materials and training logs showing staff participation.
- Ask for organisational security policy documents: Request to see the latest IT security policy manual.
  Good: includes explicit instructions in the policy document mandating the use of NIST P-384.
- Ask to observe an internal audit checklist process: Request to sit in on a routine IT audit.
  Good: includes a checklist with a dedicated item for verifying the use of NIST P-384.
Cross-framework mappings
How ISM-1764 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (1)
| Control | Notes | Details |
|---|---|---|
| Annex A 8.24 | ISM-1764 requires that when ECDSA is used for digital signatures, organisations use strong approved elliptic curves (preferably NIST P-38... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.