Crypto Spec Generator

    Overview

    Draft and validate a Cryptographic Key Management & Encryption Standard for NIST CSF 2.0 PR.DS (Data Security). The skill helps you document the key lifecycle (generation, storage, rotation, destruction), define algorithms and bit-lengths for data at rest, in motion, and in use per FIPS 140-3, and keep the narrative aligned with 2026-era NIST guidance. A built-in validation tool scans the draft for legacy algorithms (e.g. SHA-1, 3DES, MD5, RC4) and reports non-compliance before you finalize.

    Example Conversation

    You: We need a Cryptographic Key Management & Encryption Standard for PR.DS. Define algorithms for data at rest, in motion, and in use, and add key lifecycle. Then run the compliance check.

    Agent: I’ll draft the standard using the skill’s references (FIPS 140-3, Rest/Motion/Use). I’ll specify AES-256-GCM for symmetric encryption, SHA-256+ for hashing, RSA-2048 minimum (RSA-4096 for high assurance), and document key generation, storage, rotation, and destruction. Then I’ll run quantum_readiness_checker on the draft.

    Agent: (Writes the standard and runs the checker.) quantum_readiness_checker found “3DES” in the legacy systems section. I’ll replace that with a note to migrate to AES-256 and re-run.

    Agent: Re-ran the checker — PASS. No legacy algorithms remain in the normative sections. The standard is ready for review.

    Output Excerpt

    A typical standard includes scope, algorithm requirements by data state, and key lifecycle. Excerpt:

    ## Algorithm and key-length requirements
    
    | Data state | Symmetric       | Hashing   | Asymmetric        |
    |------------|-----------------|-----------|--------------------|
    | Rest       | AES-256-GCM     | SHA-256+  | RSA-2048 min.      |
    | Motion     | AES-256-GCM     | SHA-256+  | TLS 1.2+; RSA-2048+|
    | Use        | AES-256-GCM     | SHA-256+  | RSA-2048 min.      |
    
    Legacy algorithms (SHA-1, 3DES, MD5, RC4, RSA-1024) must not be used for new systems; existing use must be migrated by [date].
    

    The quantum readiness checker would FAIL if the document still recommended SHA-1 or 3DES; after replacing them with approved alternatives, the check passes.

    Extension Tools and Validations

    quantum_readiness_checker scans the crypto/key management document for legacy or deprecated algorithm references and reports 2026-era NIST non-compliance:

    • Patterns detected — SHA-1, SHA-224, 3DES/TDEA, DES, MD5, RC4, RSA-1024 (and common variants).
    • Output — For each finding: algorithm label, NIST-aligned recommendation (e.g. “Use AES-256-GCM”), and a short context snippet from the document.
    • Result — PASS when no legacy references are found; FAIL with a numbered list of findings to fix.

    Run this tool after drafting or updating the standard; resolve all findings and re-run until the report shows PASS before finalizing.

    Getting Started

    Add any existing crypto or key-management policy to the project workspace and activate the Crypto Spec Generator skill. The agent will draft or update the standard using the bundled FIPS 140-3 and PR.DS references, then run quantum_readiness_checker so the document is compliant with 2026-era NIST standards.
