[2/27/24, 11:00 AM EST] CSRC has been experiencing technical issues. If you are unable to access a CSRC page or resource, or get a 503 error, please try reloading the page several times--it may help to wait a few minutes before trying again. We apologize for the inconvenience, and hope to have a solution in place next week.
Key Management Guidelines
The following publications provide general key management guidance:
Recommendation for Key Management
- SP 800-57 Part 1 Revision 5 - General
- This Recommendation provides cryptographic key-management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material, including definitions of the security services that may be provided when using cryptography and the algorithms and key types that may be employed, specifications of the protection that each type of key and other cryptographic information requires and methods for providing this protection, discussions about the functions involved in key management, and discussions about a variety of key-management issues to be addressed when using cryptography. Part 2 provides guidance on policy and security planning requirements for U.S. Government agencies. Part 3 provides guidance when using the cryptographic features of current systems.
- SP 800-57 Part 2, Revision 1, Best Practices for Key Management Organizations
- This recommendation provides guidance on how organizations should manage cryptographic keys in accordance with the federal key management policies and best practices described in SP 800-57 Part 1. This revision is consistent with the Cybersecurity Enhancement Act of 2014 and provides direct cybersecurity support for private-sector key management as well as government-focused guidance consistent with OMB Circular A-130. Section 2 has been updated to introduce a more comprehensive set of key management concepts that should be addressed in key management policies, practice statements, and planning documents by any organization that uses cryptography to protect its information.
This revision also broadens the applicability of its recommendations to cover both centralized and decentralized key management structures. Finally, this document’s original centralized infrastructure example has been replaced by explanatory material that reflects SP 800-130 and SP 800-152 and applies to both centralized and decentralized key management structures.
- SP 800-57 Part 3, Application-Specific Key Management Guidance
- NIST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
Key Management Transitions
- SP 800-131A Revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths
- Provides guidance for transitions to the use of stronger cryptographic keys and more robust algorithms by federal agencies when protecting sensitive, but unclassified information.
Created January 04, 2017, Updated August 19, 2022