ISM-1995, ASD Information Security Manual (ISM)

Use ML-KEM for Secure Key Encapsulation

Ensure encryption keys are protected using recommended ML-KEM-768 or ML-KEM-1024 methods.


Plain language

Using strong methods to protect digital keys that encrypt your data is crucial. If these keys aren't properly secured, your sensitive information could be exposed to hackers, leading to data breaches, financial loss, or damage to your reputation. This control ensures you use the best available methods to keep your encryption keys safe.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When using ML-KEM for encapsulating encryption session keys (and similar keys), ML-KEM-768 or ML-KEM-1024 is used, preferably ML-KEM-1024.

Why it matters

Using weaker or non-approved KEMs instead of ML-KEM-768/1024 can enable session key compromise, exposing encrypted data and services.


Operational notes

Verify key encapsulation uses ML-KEM-768 or preferably ML-KEM-1024, and block non-approved KEM parameter sets in crypto policies.
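A policy check of the kind the operational note calls for, added here as an example (it is not part of the ISM or of this page): it classifies each configured KEM or TLS group by its ML-KEM parameter set, flags ML-KEM-512 as non-approved, and reports whether ML-KEM-1024 is listed first. The group spellings follow the OpenSSL 3.5 / IETF TLS names (MLKEM768, X25519MLKEM768, ...); the config snippet is constructed.

```python
import re

# Parameter sets ISM-1995 accepts; ML-KEM-1024 is preferred, ML-KEM-512 is not approved.
APPROVED = {"ML-KEM-768", "ML-KEM-1024"}
PREFERRED = "ML-KEM-1024"

# Accepts NIST ("ML-KEM-768"), OpenSSL/IETF ("MLKEM768", "X25519MLKEM768") and lower-case spellings.
_MLKEM = re.compile(r"ML[-_]?KEM[-_]?(512|768|1024)", re.IGNORECASE)

# Constructed sample of an OpenSSL-style TLS configuration section (assumption, not a real deployment).
CONSTRUCTED_CONFIG = """\
[ssl_sect]
Groups = X25519MLKEM768:MLKEM512:MLKEM1024:X25519
"""


def mlkem_parameter_set(group_name):
    """Return the ML-KEM parameter set a group uses, or None if it has no ML-KEM component
    (e.g. plain X25519). Hybrids such as X25519MLKEM768 are classified by their ML-KEM part."""
    m = _MLKEM.search(group_name)
    return f"ML-KEM-{m.group(1)}" if m else None


def parse_groups_line(config_text):
    """Extract the ordered group list from a 'Groups = a:b:c' line."""
    m = re.search(r"^\s*Groups\s*=\s*(\S+)", config_text, re.MULTILINE)
    return m.group(1).split(":") if m else []


def check_kem_policy(group_list):
    """Evaluate an ordered KEM/group list against ISM-1995.
    Compliant means no non-approved ML-KEM set is offered and at least one approved set is.
    Groups without an ML-KEM component are outside this control and are only reported."""
    non_approved, non_mlkem, approved_in_order = [], [], []
    for name in group_list:
        ps = mlkem_parameter_set(name)
        if ps is None:
            non_mlkem.append(name)
        elif ps not in APPROVED:
            non_approved.append(name)
        else:
            approved_in_order.append(ps)
    return {
        "compliant": not non_approved and bool(approved_in_order),
        "preferred_first": bool(approved_in_order) and approved_in_order[0] == PREFERRED,
        "non_approved": non_approved,
        "non_mlkem": non_mlkem,
    }


if __name__ == "__main__":
    print(check_kem_policy(parse_groups_line(CONSTRUCTED_CONFIG)))
```

On the constructed config the check reports MLKEM512 as non-approved and notes that ML-KEM-1024 is not listed first; a list such as MLKEM1024:X25519MLKEM768 passes both checks.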


Implementation tips

  • The IT team should ensure that ML-KEM-1024 is used for encrypting keys. This involves updating any software or systems that still use older methods. They should start by identifying existing systems and consult with experts if needed to replace outdated practices.
  • Managers should schedule regular training sessions for their staff. These sessions should explain the importance of using recommended methods like ML-KEM-1024 to protect digital keys. Managers should coordinate with the IT team to provide easy-to-understand training materials.
  • Procurement should ensure that any new encryption-related software purchased is compatible with ML-KEM-1024. During purchasing, they should require vendors to confirm this compatibility and get written assurance.
  • The cybersecurity officer should create a policy that mandates the use of ML-KEM-1024 for all new projects. This policy should be shared with all team leaders to ensure everyone is on the same page and avoids using weaker methods.
  • System owners should conduct a review of existing systems to identify where encryption keys are not secured using ML-KEM-1024. They can create a checklist to systematically audit each system and liaise with IT to make necessary changes.

Audit / evidence tips

  • Ask for: encryption method documentation. Request records showing what encryption techniques are employed across systems. Good evidence: clear documentation showing ML-KEM-1024 as the standard method.
  • Ask for: recent training material. Request any slides, videos, or documents used to train staff on ML-KEM-1024. Good evidence: up-to-date material that staff can understand and apply.
  • Ask for: procurement records. Request to see purchase orders or contracts with software vendors. Good evidence: contracts specifying compliance with this standard.
  • Ask for: policy documents. Request to see formal policies regarding encryption methods. Good evidence: a signed policy dated recently with clear requirements.
  • Ask for: system review reports. Request evidence of the latest system audits for encryption key security. Good evidence: reports indicating thorough audits aligned with ML-KEM-1024 standards.

Cross-framework mappings

How ISM-1995 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.24 (Related)
Notes: Annex A 8.24 requires organisations to define and implement rules for effective cryptography use and cryptographic key management.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
