The purpose of cryptography is to provide confidentiality, integrity, authentication and non-repudiation of data. In doing so, confidentiality protects data by making it unreadable to all but authorised entities, integrity protects data from accidental or deliberate manipulation by entities, authentication ensures that an entity is who they claim to be, and non-repudiation provides proof that an entity performed a particular action.
Encryption of data at rest can be used to protect sensitive or classified data stored on information technology (IT) equipment and media. In addition, encryption of data in transit can be used to protect sensitive or classified data communicated over public network infrastructure. However, when an organisation uses encryption for data at rest, or data in transit, they are not reducing the sensitivity or classification of the data, they are simply reducing the immediate consequences of the data being accessed by malicious actors.
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 19790:2025, Information security, cybersecurity and privacy protection – Security requirements for cryptographic modules, and ISO/IEC 24759:2025, Information security, cybersecurity and privacy protection – Test requirements for cryptographic modules, are international standards for the design and validation of hardware and software cryptographic modules.
Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-140, FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759 are United States standards based upon earlier versions of ISO/IEC 19790 and ISO/IEC 24759.
Further information on cryptographic key management practices can be found in ASD’s Managing cryptographic keys and secrets publication.
Further information on cryptographic key management practices for HACE is available from ASD.
Further information on general cryptographic key management practices can be found in NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 – General.
Further information on cyber supply chain risk management can be found in the ‘Cyber supply chain risk management’ section of the Guidelines for procurement and outsourcing.
Further information on evaluated products can be found in the ‘Evaluated product procurement’ section of the Guidelines for evaluated products.
Further information on the evaluation of cryptographic modules, including testing requirements, is available as part of the Cryptographic Module Validation Program which is jointly operated by NIST and the Canadian Centre for Cyber Security.
Further information on the evaluation of the implementation of cryptographic algorithms, including testing requirements, is available as part of the Cryptographic Algorithm Validation Program which is jointly operated by NIST and the Canadian Centre for Cyber Security.
Further information on the protection of IT equipment and media can be found in the Department of Home Affairs’ Protective Security Policy Framework.
15 controls