Key Management Guidelines
The following publications provide general key management guidance:
Recommendation for Key Management
- DRAFT SP 800-57 Part 1 Revision 5 - General
- October 9, 2019: NIST invites comments on Draft SP 800-57 Part 1 Revision 5, Recommendation for Key Management: Part 1 – General. This document provides general guidance and best practices for the management of cryptographic keying material. Among other changes, this revision emphasizes the protection needed for the metadata associated with keys; includes discussions on access control, identity authentication, and inventory management for keys and certificates; and provides guidance consistent with Federal Information Processing Standards (FIPS) Publication 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, and SP 800-63, Digital Identity Guidelines. Appendix C contains a complete list of changes.
- The public comment period for this document is open through December 6, 2019. Email comments to: firstname.lastname@example.org
- SP 800-57 Part 2, Revision 1, Best Practices for Key Management Organizations
- This recommendation provides guidance on how organizations should manage cryptographic keys in accordance with the federal key management policies and best practices described in SP 800-57 Part 1. This revision is consistent with the Cybersecurity Enhancement Act of 2014 and provides direct cybersecurity support for private-sector key management as well as government-focused guidance consistent with OMB Circular A-130. Section 2 has been updated to introduce a more comprehensive set of key management concepts that should be addressed in key management policies, practice statements, and planning documents by any organization that uses cryptography to protect its information. This revision also broadens the applicability of its recommendations to cover both centralized and decentralized key management structures. Finally, this document’s original centralized infrastructure example has been replaced by explanatory material that reflects SP 800-130 and SP 800-152 and applies to both centralized and decentralized key management structures.
- SP 800-57 Part 3, Application-Specific Key Management Guidance
- NIST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
Key Management Transitions
- SP 800-131A Revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths
- Provides guidance for transitions to the use of stronger cryptographic keys and more robust algorithms by federal agencies when protecting sensitive, but unclassified information.
Created January 04, 2017, Updated June 22, 2020