Control Stack
ISM-1995 ASD Information Security Manual (ISM)

Use ML-KEM for Secure Key Encapsulation

Ensure encryption keys are protected using recommended ML-KEM-768 or ML-KEM-1024 methods.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
When using ML-KEM for encapsulating encryption session keys (and similar keys), ML-KEM-768 or ML-KEM-1024 is used, preferably ML-KEM-1024.

Source: ASD Information Security Manual (ISM)

Plain language

Using strong methods to protect digital keys that encrypt your data is crucial. If these keys aren't properly secured, your sensitive information could be exposed to hackers, leading to data breaches, financial loss, or damage to your reputation. This control ensures you use the best available methods to keep your encryption keys safe.

Why it matters

Using weaker or non-approved KEMs instead of ML-KEM-768/1024 can enable session key compromise, exposing encrypted data and services.

Operational notes

Verify key encapsulation uses ML-KEM-768 or preferably ML-KEM-1024, and block non-approved KEM parameter sets in crypto policies.
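The verification described above, as an added example that is not Control Stack's or ASD's code: it screens a configured list of KEM or hybrid group names (the OpenSSL 3.5 naming style is an assumption) against the ISM-1995 allowlist, and separately classifies captured ML-KEM artefacts by their FIPS 203 byte lengths, so a deployment can be checked from what actually appears on the wire rather than from documentation alone.

```python
"""Audit ML-KEM usage against ISM-1995 (added example, not Control Stack's
or ASD's code). Group-name style follows OpenSSL 3.5, an assumption."""
from dataclasses import dataclass
from typing import Optional

# FIPS 203 byte lengths per parameter set: (encapsulation key, ciphertext).
MLKEM_SIZES = {"ML-KEM-512": (800, 768),
               "ML-KEM-768": (1184, 1088),
               "ML-KEM-1024": (1568, 1568)}
APPROVED = {"ML-KEM-768", "ML-KEM-1024"}   # ISM-1995 allowlist
PREFERRED = "ML-KEM-1024"

@dataclass(frozen=True)
class Finding:
    subject: str                   # group name or artefact label examined
    parameter_set: Optional[str]   # None when it cannot be identified
    status: str                    # preferred | approved | non-approved | unknown

def _judge(subject, pset):
    if pset == PREFERRED:
        return Finding(subject, pset, "preferred")
    return Finding(subject, pset, "approved" if pset in APPROVED else "non-approved")

def classify_group(group):
    """Hybrid names such as 'X25519MLKEM768' are judged by their ML-KEM part;
    names with no ML-KEM component (classical-only, other KEMs) are non-approved."""
    norm = group.upper().replace("-", "").replace("_", "")
    for pset in MLKEM_SIZES:
        if pset.replace("-", "") in norm:
            return _judge(group, pset)
    return Finding(group, None, "non-approved")

def classify_artifact(label, ek=None, ct=None):
    """Infer the parameter set from artefact lengths; when both are supplied
    they must agree, otherwise (or when neither fits) the result is unknown."""
    matches = [p for p, (ek_len, ct_len) in MLKEM_SIZES.items()
               if (ek is None or len(ek) == ek_len)
               and (ct is None or len(ct) == ct_len)]
    if (ek is None and ct is None) or len(matches) != 1:
        return Finding(label, None, "unknown")
    return _judge(label, matches[0])

def audit(groups, artifacts):
    """Return only the findings a reviewer must act on (non-approved or unknown)."""
    found = [classify_group(g) for g in groups]
    found += [classify_artifact(lbl, ek, ct) for lbl, ek, ct in artifacts]
    return [f for f in found if f.status in ("non-approved", "unknown")]
```

A constructed run such as `audit(["X25519MLKEM768", "X25519", "MLKEM512"], [("handshake-ek", bytes(800), None)])` flags the classical-only group, the ML-KEM-512 group and the 800-byte encapsulation key, while the ML-KEM-768 hybrid passes as approved.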

Implementation tips

  • The IT team should ensure that ML-KEM-1024 is used for encrypting keys. This involves updating any software or systems that still use older methods. They should start by identifying existing systems and consult with experts if needed to replace outdated practices.
  • Managers should schedule regular training sessions for their staff. These sessions should explain the importance of using recommended methods like ML-KEM-1024 to protect digital keys. Managers should coordinate with the IT team to provide easy-to-understand training materials.
  • Procurement should ensure that any new encryption-related software purchased is compatible with ML-KEM-1024. During purchasing, they should require vendors to confirm this compatibility and get written assurance.
  • The cybersecurity officer should create a policy that mandates the use of ML-KEM-1024 for all new projects. This policy should be shared with all team leaders to ensure everyone is on the same page and avoids using weaker methods.
  • System owners should conduct a review of existing systems to identify where encryption keys are not secured using ML-KEM-1024. They can create a checklist to systematically audit each system and liaise with IT to make necessary changes.

Audit / evidence tips

  • Ask for encryption method documentation: request records showing which encryption techniques are employed across systems.

    Good: clear documentation showing ML-KEM-1024 as the standard method.

  • Ask to see recent training material: request any slides, videos, or documents used to train staff on ML-KEM-1024.

    Good: up-to-date material that staff can understand and apply.

  • Ask for procurement records: request purchase orders or contracts with software vendors.

    Good: contracts specifying compliance with this standard.

  • Ask for policy documents: request formal policies regarding encryption methods.

    Good: a signed, recently dated policy with clear requirements.

  • Ask for system review reports: request evidence of the latest system audits covering encryption key security.

    Good: thorough audits aligned with the ML-KEM-1024 standard.

Cross-framework mappings

How ISM-1995 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001 (partially meets: 1)

Control: Annex A 8.24
Details: ISM-1995 requires that when ML-KEM is used for key encapsulation, organisations use ML-KEM-768 or ML-KEM-1024 (preferably ML-KEM-1024) to...
