Implement ML-DSA for Enhanced Digital Signature Security
Use ML-DSA algorithms, preferring ML-DSA-87, for secure digital signatures.
Plain language
This control is about using a specific kind of digital signature (called ML-DSA) to secure electronic documents or messages. It's like a super-safe way of proving a document is authentic and hasn't been tampered with. Without it, there's a risk that unsigned documents could be faked or altered, leading to data breaches or financial losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
When using ML-DSA for digital signatures, ML-DSA-65 or ML-DSA-87 is used, preferably ML-DSA-87.
Why it matters
If ML-DSA-65/87 is not used, digital signatures may be forgeable (including by future quantum attacks), enabling tampered documents and fraud.
Operational notes
Prefer ML-DSA-87 (or ML-DSA-65 where needed), enforce approved parameter sets in signing services, and verify signatures to detect unauthorised changes.
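As an added example (not part of the ISM or of this control page), the kind of parameter-set gate a signing or verification service can apply to enforce this control: it recognises the FIPS 204 parameter sets by their encoded public-key and signature lengths and accepts only ML-DSA-65 and ML-DSA-87, flagging the latter as preferred. The byte strings below are constructed stand-ins of the right lengths, not real keys or signatures.

```python
"""Parameter-set gate for an ML-DSA signing/verification service.

Public-key and signature lengths are from FIPS 204 Table 2.
Policy (ISM-1991): accept only ML-DSA-65 and ML-DSA-87, prefer ML-DSA-87.
"""
from dataclasses import dataclass
from typing import Optional

# FIPS 204 Table 2: parameter set -> (public key bytes, signature bytes)
ML_DSA_SIZES = {
    "ML-DSA-44": (1312, 2420),
    "ML-DSA-65": (1952, 3309),
    "ML-DSA-87": (2592, 4627),
}
APPROVED = ("ML-DSA-65", "ML-DSA-87")  # parameter sets ISM-1991 permits
PREFERRED = "ML-DSA-87"


@dataclass(frozen=True)
class Verdict:
    parameter_set: Optional[str]  # None when the lengths match no ML-DSA set
    approved: bool
    reason: str


def identify_parameter_set(public_key: bytes, signature: Optional[bytes] = None) -> Optional[str]:
    """Infer the parameter set from encoded lengths.

    When a signature is supplied, its length must agree with the key's set,
    so a mismatched key/signature pair is rejected rather than guessed.
    """
    for name, (pk_len, sig_len) in ML_DSA_SIZES.items():
        if len(public_key) == pk_len and (signature is None or len(signature) == sig_len):
            return name
    return None


def check_policy(public_key: bytes, signature: Optional[bytes] = None) -> Verdict:
    """Apply the ISM-1991 allowlist before a key or signature is accepted."""
    name = identify_parameter_set(public_key, signature)
    if name is None:
        return Verdict(None, False, "lengths match no ML-DSA public key/signature")
    if name not in APPROVED:
        return Verdict(name, False, f"{name} is not an approved parameter set")
    if name != PREFERRED:
        return Verdict(name, True, f"{name} accepted; {PREFERRED} is preferred")
    return Verdict(name, True, f"{name} accepted")


# Constructed inputs: zero-filled stand-ins of the right lengths, not real keys.
SAMPLE_87_PK, SAMPLE_87_SIG = b"\x00" * 2592, b"\x00" * 4627
SAMPLE_44_PK = b"\x00" * 1312

if __name__ == "__main__":
    print(check_policy(SAMPLE_87_PK, SAMPLE_87_SIG))  # approved, ML-DSA-87
    print(check_policy(SAMPLE_44_PK))                 # rejected, ML-DSA-44
```

The length check is a cheap policy gate and triage aid for logs; the cryptographic verification itself still runs in the ML-DSA library, after the parameter set has passed this check.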
Implementation tips
- The IT team should prioritise implementing the ML-DSA algorithm. This involves updating systems to use ML-DSA-87 for signing important documents. You can do this by working closely with your software vendor to ensure the most secure version is in place and configuring your systems to use it by default.
- Security managers should verify existing digital signatures. They need to review current practices to ensure ML-DSA-87 is being used wherever possible. This can be achieved by conducting a check of signature settings in document management systems and configurations.
- Training departments should educate staff about ML-DSA usage. Organise workshops to explain when and why to use digital signatures on documents. This can be reinforced with simple guides and step-by-step instructions for day-to-day use.
- HR should ensure hiring practices include verification of expertise. When recruiting IT staff, ensure candidates have experience with updating and maintaining digital signature systems. Assess this by discussing relevant past projects during interviews.
- Ask vendors to provide documentation proving compatibility and security certification.
Audit / evidence tips
- Ask for the digital signature policy document: request to see the organisation's policy that mandates the use of ML-DSA-87. Good evidence will have clear instructions on implementation and usage.
- Ask for system configuration documentation showing ML-DSA settings: request to review documents that outline current system configurations related to digital signatures.
- Ask for training records for digital signature protocols: request records of training sessions regarding the use of digital signatures.
- Ask for vendor communication logs: request email or meeting notes showing discussions with vendors about digital signature capabilities. Review the logs to ensure vendors confirm support for ML-DSA-87. Good evidence will include references to supplier guarantees or compliance statements.
- Ask for audit trail logs for digital signature application: request access to logs that document when and how digital signatures are applied in the organisation.
Cross-framework mappings
How ISM-1991 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.24 | ISM-1991 requires organisations that use ML-DSA for digital signatures to select specific approved parameter sets (ML-DSA-65 or ML-DSA-87... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.