Draft guidance calls for hardware-backed key isolation and automated rotation for higher‑impact systems
Summary
NIST presenters recommended hardware-backed isolation for moderate/high impact systems, specific maximum key-usage windows for different hosting models, and emphasized automation and short crypto periods to reduce compromise blast radius.
Andy Rangenschad, lead of NIST's cryptographic technology group, framed keys as "the root of trust" for token systems and said when signing keys are compromised attackers can forge tokens to access downstream resources.
The draft maps key protection recommendations to system impact levels (FISMA low/moderate/high). For moderate and high impact systems the guidance "requires hardware-backed storage and isolation mechanisms for keys," Andy said, citing hardware security modules, TPMs or confidential computing as possible mechanisms. For low impact systems, the document allows software isolation but warns of increased risk.
The report recommends shorter maximum key usage periods tied to hosting model and blast radius: two weeks for multi‑tenant cloud service provider (CSP) keys, three months for tenant‑specific keys, and up to one year for on‑prem agency systems, with an emphasis on automated key rotation to reduce human error and enable shorter crypto periods.
Panelists urged agencies to tailor crypto periods to their operational realities and to assume rotation and detection capabilities when deciding acceptable lifetimes. "Shorter usage periods reduce the temporal blast radius if a key is exposed," Rangenschad said.
The guidance aligns key protection recommendations with existing NIST key management principles while proposing more aggressive rotation for distributed online services; NIST also signaled an upcoming update to broader key management guidance.
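To make the two headline recommendations concrete, the following is an added example (not NIST's code or part of the draft) of a small inventory checker that encodes the maximum key-usage windows by hosting model and the hardware-backed isolation requirement for moderate/high impact systems, then audits a constructed key inventory against them. The inventory format, field names, and sample keys are assumptions for this example; "three months" and "one year" are approximated as 90 and 365 days.

```python
"""
Added example (not NIST's code): a key-inventory policy checker that encodes
the draft's two headline recommendations so an agency can audit its own
signing keys against them:

  * maximum key-usage window by hosting model (2 weeks / 3 months / 1 year)
  * hardware-backed isolation for moderate- and high-impact systems

Inventory format, field names and sample keys are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Maximum key-usage windows by hosting model, as summarised above.
# "three months" and "one year" are approximated in days.
MAX_USAGE = {
    "multi_tenant_csp": timedelta(weeks=2),
    "tenant_specific": timedelta(days=90),
    "on_prem": timedelta(days=365),
}

# FISMA impact levels for which software-only isolation is not acceptable.
HARDWARE_REQUIRED = {"moderate", "high"}

# Isolation mechanisms the draft names; anything else is treated as software.
HARDWARE_BACKED = {"hsm", "tpm", "confidential_computing"}


@dataclass(frozen=True)
class SigningKey:
    kid: str          # key identifier as it appears in the inventory (assumed field)
    hosting: str      # one of MAX_USAGE's keys
    impact: str       # "low", "moderate" or "high"
    isolation: str    # one of HARDWARE_BACKED, or "software"
    created: date     # date the key entered use


def check_key(key: SigningKey, today: date) -> list:
    """Return a list of (severity, message) findings; an empty list means compliant."""
    findings = []

    # 1. Crypto-period check: compare the key's age with the window for its hosting model.
    limit = MAX_USAGE.get(key.hosting)
    if limit is None:
        findings.append(("FAIL", f"unknown hosting model {key.hosting!r}"))
    else:
        age = today - key.created
        if age > limit:
            findings.append(("FAIL", f"key in use {age.days}d, limit {limit.days}d for {key.hosting}"))

    # 2. Isolation check: hardware-backed at moderate/high; software tolerated with a warning at low.
    if key.isolation not in HARDWARE_BACKED:
        if key.impact in HARDWARE_REQUIRED:
            findings.append(("FAIL", f"{key.impact}-impact system with {key.isolation} isolation"))
        else:
            findings.append(("WARN", "software isolation on low-impact system (increased risk)"))
    return findings


def rotation_due(key: SigningKey) -> Optional[date]:
    """Date by which the key must be rotated under the draft's windows (None if hosting is unknown)."""
    limit = MAX_USAGE.get(key.hosting)
    return None if limit is None else key.created + limit


def audit(keys, today: date) -> dict:
    """Map each key id to its findings so automation can act on FAILs and report WARNs."""
    return {k.kid: check_key(k, today) for k in keys}


# Constructed sample inventory (not real keys or real systems).
TODAY = date(2025, 6, 1)
SAMPLE_KEYS = [
    SigningKey("csp-signer-01", "multi_tenant_csp", "high", "hsm", TODAY - timedelta(days=20)),
    SigningKey("tenant-a-signer", "tenant_specific", "moderate", "software", TODAY - timedelta(days=30)),
    SigningKey("agency-onprem-01", "on_prem", "low", "software", TODAY - timedelta(days=100)),
    SigningKey("agency-onprem-02", "on_prem", "low", "tpm", TODAY - timedelta(days=10)),
]

if __name__ == "__main__":
    for kid, findings in audit(SAMPLE_KEYS, TODAY).items():
        status = "OK" if not findings else ", ".join(f"{s}: {m}" for s, m in findings)
        print(f"{kid:18} {status}")
```

In the sample run the multi-tenant CSP key fails only on age (20 days against a 14-day window), the tenant-specific key fails on isolation despite being within its window, the first on-prem key gets a warning for software isolation at low impact, and the TPM-backed on-prem key passes. Wiring `rotation_due` into a scheduler is the automation step the panelists stressed: the short windows are only realistic when rotation does not depend on a human remembering the date.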

