Computer Security Resource Center

This is an archive
(replace .gov by .rip)

Key Management

Key Management Guidelines

The following publications provide general key management guidance:

Recommendation for Key Management

  • SP 800-57 Part 1, General
    • This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
       
  • SP 800-57 Part 2, Best Practices for Key Management Organizations
    • This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
    • April 6, 2018: NIST has released a draft revision of Special Publication (SP) 800-57 Part 2, Recommendation for Key Management, Part 2: Best Practices for Key Management Organization. This document introduces key management concepts that must be addressed in key management policies, practice statements and planning documents by any organization that uses cryptography to protect its information. It also provides guidance for the development of organizational key management policy statements and key management practices statements, and identifies key management information that needs to be documented for all federal applications of cryptography.
      • A public comment period for this document is open until May 31, 2018.
  • SP 800-57 Part 3, Application-Specific Key Management Guidance
    • NIST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
       

Key Management Transitions

  • SP 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
    • Provides guidance for transitions to the use of stronger cryptographic keys and more robust algorithms by federal agencies when protecting sensitive, but unclassified, information.
    • July 19, 2018: NIST is updating its guidance for transitioning to the use of stronger cryptographic keys and more robust algorithms by federal agencies to protect sensitive, but unclassified, information. This is the second update to NIST Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths, since its initial publication in 2011. These transitions are meant to address the challenges posed by new cryptanalysis, the increasing power of classical computing technology, and the potential emergence of quantum computers. This revision includes a strategy and schedule for retiring the use of the Triple Data Encryption Algorithm (TDEA) specified in SP 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. Other proposed changes are listed in Appendix B.

Created January 04, 2017, Updated July 19, 2018