Cryptographic Key Management Policy
Updated 23 September 2025
Overview
The Department for Work and Pensions (DWP) Cryptographic Key Management Policy and its supporting standards are based on government and industry best practice and set out the requirements for the secure delivery of online public services (i.e. to support the Digital Agenda). The overall objective is to protect the confidentiality of sensitive information, preserve the integrity of critical information and confirm the identity of the originator of transactions or communications.
Purpose
The purpose of the policy is to provide a top-level framework for governance and direction to ensure secure cryptography management. This includes the issuance, storage, use, recovery, revocation, and decommissioning of cryptographic products and key material (Keymat) for the Department. It also aims to protect the confidentiality of sensitive information, ensure compliance with legal and regulatory encryption requirements, detect alterations to critical information, provide strong user authentication, and identify the originator of critical transactions or communications using digital signatures for non-repudiation.
The policy aims to provide a level of assurance to the Department in the deployment of online digital services and enables the Department to form effective trust relationships with other UK Government departments and partner agencies.
Scope
This policy applies to:
a. DWP employees (including contractors, consultants and other workers) involved in the provision and lifecycle management of hardware for the DWP.
b. All contracted third-party suppliers whose systems or services store, handle, or process DWP information, or are involved in the provision and lifecycle management of hardware for the DWP, to ensure the appropriate levels of assurance for the confidentiality, integrity and availability of the DWP’s assets.
c. DWP Certificate Authorities and Service Providers acting as DWP Certificate Authorities, who must embed the policy requirements into all technical, procedural and administrative processes.
d. DWP staff engaged in designing and implementing new technology solutions, who must reflect the policy requirements into design and build.
e. DWP suppliers that handle/access/process digital certificates and other key material. Suppliers must provide the security measures and safeguards appropriate to the nature and use of the DWP information, where applicable.
f. All DWP personnel who are involved in advising on, authorising or using cryptographic key material, for use in protecting information at the OFFICIAL classification or above, including those with responsibility for the application of cryptographic methods or for the storage, management and distribution of cryptographic items.
g. The management of all cryptographic devices and materials, including commercial encryption products procured from non-UK government third-party suppliers. For consistency, the policy sets out requirements in accordance with the widely employed international industry standards set by the Internet Engineering Task Force (IETF).
h. Data encryption implementation; for approved cryptographic algorithms and key management procedures this policy refers to DWP Security Standard - Use of Cryptography Security Standard (SS-007) and the DWP Approved Cryptographic Algorithms List (available upon request to the Authority); for Public Key Infrastructure (PKI) implementations, the policy refers to DWP Security Standard - Public Key Infrastructure & Key Management (SS-002) for specific requirements on key generation and storage.
i. Certification Requirements; for certificate creation and validation this policy refers to the DWP X.509 Certificate Policy and requires Certificate Authorities to adhere to the standards outlined in IETF RFC 3647 (PKIX Certificate Policy Framework); for certificate lifecycle management this policy refers to DWP Security Standard - Public Key Infrastructure & Key Management (SS-002); and for cryptographic module requirements this policy refers to DWP Security Standard - Use of Cryptography (SS-007).
j. Key Exchange Protocols; for secure transfer methods this policy requires key exchanges to implement key exchange mechanisms as specified in DWP Security Standard - Use of Cryptography (SS-007); for cross-domain key exchanges, this policy refers to the key management procedures in DWP Security Standard - Public Key Infrastructure & Key Management (SS-002); external parties must comply with the key exchange requirements in the DWP X.509 Certificate Policy (available upon request to the Authority).
k. This policy does not replace any legal or regulatory requirements.
Definitions
Advanced Encryption Standard (AES)
AES is a symmetric block cipher used to encrypt data, published as Federal Information Processing Standards Publication (FIPS) 197. Being symmetric, it uses the same key to encrypt and decrypt data. It is a recognised and trusted standard for securing digital information. AES is typically used with 128, 192, or 256-bit keys, with AES-256 offering the highest level of security.
Certificate Policy
A formal document that outlines the rules and procedures for issuing, managing, and using digital certificates within an organisation. It defines the level of trust, security requirements, and responsibilities of all parties involved in the certificate lifecycle, including creation, renewal, and revocation.
Certification Practice Statement
A document written by a Certificate Authority (CA) describing its own security controls, processes and procedures; demonstrating how it has met the requirements stated in the corresponding Certificate Policy.
Digital Certificate
An electronic document used to prove ownership of a public key.
Digital Signature
The result of a cryptographic transformation of data that, when properly implemented with a supporting infrastructure and policy, provides services of:
- origin authentication;
- data integrity authentication;
- signer non-repudiation.
X.509
An international standard that defines the format of public-key certificates.
Policy Statements
1. All systems and services utilising cryptography must be used in accordance with the DWP Security Classification Policy and the DWP Information Security Policy. Cryptographic keys must be managed throughout their lifecycle in accordance with DWP Security Standard – Public Key Infrastructure & Key Management (SS-002) and DWP Security Standard - Use of Cryptography Security Standard (SS-007).
1.1. The DWP Approved Cryptographic Algorithms list must be maintained to specify the approved cryptographic algorithms and their intended use cases.
1.2. Documentation must also be maintained recording the locations where cryptographic solutions are applied and information relating to the licensing requirements for use of specific cryptographic solutions.
2. Cryptographic algorithms and key lengths must be selected from those outlined in DWP Security Standard - Use of Cryptography Security Standard (SS-007) and the DWP Approved Cryptographic Algorithms list.
3. Cryptographic keys must be recorded within a key inventory and maintained in accordance with DWP Security Standard – Public Key Infrastructure & Key Management (SS-002).
4. Cryptographic Keys must be securely distributed using established and approved cryptographic protocols and channels, and stored in approved hardware security modules (HSMs) or trusted platform modules (TPMs) as outlined in DWP Security Standard - Use of Cryptography Security Standard (SS-007).
5. Cryptographic hardware and software including HSMs and TPMs must be implemented and utilised in accordance with DWP Security Standard - Use of Cryptography Security Standard (SS-007) and meet an appropriate defined security level of assurance in line with FIPS 140 or NCSC Commercial Product Assurance (CPA), as defined in DWP Security Standard - Use of Cryptography Security Standard (SS-007).
6. All Cryptographic software must be maintained in line with DWP Security Standard – Public Key Infrastructure & Key Management (SS-002) and only be used while active under vendor support.
7. Where symmetric cryptography is not appropriate, approved asymmetric cryptography as outlined in the DWP Approved Cryptographic Algorithms list and DWP Security Standard – Public Key Infrastructure & Key Management (SS-002) must be utilised.
8. Cryptographic keys must be immediately revoked if compromised or no longer required. Keys must be securely destroyed when no longer needed, in line with DWP Security Standard - Use of Cryptography Security Standard (SS-007). A key compromise plan must be in place as outlined in DWP Security Standard – Public Key Infrastructure & Key Management (SS-002).
8.1. The DWP Security Incident Response Process (as detailed in the compliance section) must be followed for all key compromise or mis-issuance events.
9. Accountable and responsible parties in Digital are required to have in place resources and processes to manage cryptographic solutions that include:
9.1. approving the use of cryptographic solutions (e.g. by executive management);
9.2. assigning responsibilities for cryptographic solutions;
9.3. handling conflicting laws and regulations (e.g. dealing with licence issues) relating to the use of cryptographic solutions in different jurisdictions (e.g. by obtaining advice from the legal function);
9.4. ensuring cryptographic solutions are kept up to date.
10. All personnel authorised to handle or process cryptographic material on behalf of DWP must be provided with training appropriate to their role; all certification records for such personnel must be maintained and be ready for audit.
11. Cryptographic keys must be backed up securely, stored in encrypted form and protected to the same level as operational keys, in accordance with DWP Security Standard – Public Key Infrastructure & Key Management (SS-002).
12. The root CA must be kept securely isolated or segregated for protection, used only for authorised functions and be kept off-line when not required, as specified in DWP Security Standard – Public Key Infrastructure & Key Management (SS-002).
12.1. Subordinate CAs must be protected using HSMs compliant with DWP Security Standard - Use of Cryptography Security Standard (SS-007).
12.2. CA private keys must be generated and stored securely, with access restricted to authorised individuals.
13. Registration Authorities must verify the identity of individuals requesting PKI certificates and ensure that certificates are issued in accordance with the DWP X.509 Certificate Policy.
14. Any DWP Certificate Authority or Service Provider acting as a DWP Certificate Authority MUST develop a Certification Practice Statement (CPS) as a requirement of the DWP X.509 Certificate Policy.
15. Digital Certificates must be issued with appropriate lifetimes, as defined in DWP Security Standard – Public Key Infrastructure & Key Management (SS-002). Certificate Revocation Lists (CRL) must be used to ensure the validity of certificates.
16. Any DWP PKI certificate deployment (or certificate deployment on behalf of the DWP) MUST comply with the DWP X.509 Certificate Policy and the DWP Security Standard – Public Key Infrastructure & Key Management (SS-002) as applicable.
17. Any on-premises DWP PKI infrastructure, including Certificate Authority (CA) elements, must integrate with DWP’s enterprise Identity and Access Management (IAM) system using secure, standards-based authentication and authorisation protocols.
18. All Certificate issuance on behalf of DWP must enforce strong authentication and access controls in accordance with the DWP X.509 Certificate Policy and Security Standard – Access & Authentication SS-001 (part 1) and Security Standard - Privileged User Access SS-001 (part 2).
19. A PKI must synchronise with a trusted time infrastructure using secure, authenticated time protocols. All time sources must maintain minimal divergence from the authoritative reference clock utilised. Certificate validity periods must be strictly enforced and external providers must implement approved time-stamping mechanisms for all certificate-related operations.
20. All contracts with third-party suppliers involved in cryptographic key management, or handling DWP data requiring cryptographic protection, must include specific clauses covering key ownership, breach notification, audit rights, and adherence to DWP’s cryptographic policies and standards.
Accountabilities and Responsibilities
a. The DWP Chief Security Officer is the accountable owner of the DWP Cryptographic Key Management Policy and is responsible for its maintenance and review, through the DWP Deputy Director for Security Policy and Data Protection.
b. Digital Product Owners/Digital Product Development and Cryptographic Leads will be accountable and responsible for managing services within this governance framework of security policies and standards. This framework will provide the necessary assurance that all key material used within or on behalf of the Department is sufficiently secure according to known risk, industry best practice and UK government policy.
c. Adherence to cryptographic solution management processes, including approval, responsibility assignment, and solution updates, will be subject to regular governance review and audit.
Compliance
a. All DWP employees, whether permanent or temporary (including DWP’s contractors) have security responsibilities and must be aware of, and comply with, DWP’s security policies and standards.
b. DWP must ensure that internal training and education resources for cryptographic key management are developed and integrated into regular security awareness and competency training programs for appropriate staff.
c. Audit of training records must be a component of DWP’s overall compliance assessment framework.
d. Many of DWP’s employees and contractors handle sensitive information daily and so need to enact minimum baseline behaviours appropriate to the sensitivity of the information. Most security incidents and breaches relate to information security.
e. Failure to report a security incident, potential or otherwise, could result in disciplinary action and, in the most severe circumstances, result in dismissal. A security incident is the attempted or actual unauthorised access, use, disclosure, modification, loss or destruction of a DWP asset (or a supplier asset that provides a service to the Authority) in violation of security policy. The circumstances may include actions that were actual, suspected, accidental, deliberate, or attempted.
f. DWP’s Security and Data Protection Team will regularly assess compliance with this policy and may need to inspect physical locations, technology systems, designs and processes, and speak to people to facilitate this. All DWP employees, agents, contractors, consultants, business partners and service providers will be required to facilitate, support and, when necessary, participate in any such inspection. DWP Collaboration and Communication Services will use software filters to block access to some online websites and services; additional information can be found in the DWP Employee Privacy Notice.
g. An exception to policy may be requested in instances where a business case can be made to undertake an activity that is non-compliant with DWP’s Security Policies. This helps to reduce the risk of non-compliant activity and security incidents. If an individual is aware of an activity that falls into this category, they should notify the DWP Security Policy and Standards Team immediately.