7Block Labs’ Standards for Enterprise Key Management in Blockchain

When you’re diving into blockchain technology, making sure your keys are safe is absolutely crucial. At 7Block Labs, we really think that how you manage your keys can totally make a difference in how well your operation runs. Let’s take a closer look at our enterprise key management standards that are designed to keep your blockchain activities secure and worry-free.

Key Management Objectives

To keep everything running smoothly, we've laid out a few important goals. These include:.

• Security: It's all about keeping those private keys safe from anyone who shouldn't have access.
• Accessibility: It's all about ensuring that the right people can effortlessly get to their keys whenever they need them.
• Recovery: It’s super important to have a reliable backup plan in place for when keys go missing. You never know when you might misplace them, so having a solid strategy to recover them can really save the day!
• Compliance: Making sure we tick off all the boxes for the regulations that apply to key management.
• Scalability: This means having the flexibility to expand and adapt as your needs evolve.

Core Principles

At 7Block Labs, we stick to some key principles that really guide us. Here’s what we believe in:

1. Zero Trust Philosophy

We're all about that zero trust vibe, which basically means we don’t just take it for granted that users or devices are safe. Every time someone requests access, we make sure to double-check everything to keep any potential threats at bay.

2. Multi-Factor Authentication (MFA)

To beef up our security, we’ve got MFA in place. This goes beyond just a simple password--it makes sure that only the right folks can get to those important keys.

3. Role-Based Access Control (RBAC)

We use RBAC to ensure that everyone has access only to the keys they really need for their roles. This way, we can keep unnecessary access to a bare minimum.

4. Encrypted Storage

All the keys are kept in encrypted formats, which means that anyone who shouldn't have access to them is pretty much locked out from reading them.

5. Regular Audits and Monitoring

We keep a close eye on access logs and track key usage pretty frequently to spot any unusual activities before they become a bigger issue. This way, everyone stays in the know, and we can jump on anything that seems off pretty quickly.

Best Practices

To make our enterprise key management even better, here are some best practices we think you should consider:

• Get Your Team on Board: It’s super important that everyone gets why key management matters. Take the time to explain it and make sure everyone’s on the same page.
• Set Up a Key Rotation Policy: Switching out your keys regularly is a great way to lower the chances of someone getting unauthorized access. It keeps things fresh and secure!
• Keep Your Backup Keys Safe: It's super important to have a solid backup plan if you ever misplace your keys or if they get compromised. You never know when you might need them!
• Document Everything: Make sure to jot down all the important management processes and any changes that happen. It really helps with keeping things accountable and can be super useful if you need to look back on stuff later!

Conclusion

At 7Block Labs, we're all about making enterprise key management in blockchain super secure while keeping things user-friendly. We know how important security is, but we also want to make sure that using our solutions feels smooth and simple for everyone involved. If you stick to these guidelines and best practices, you’ll be able to keep your blockchain ecosystem safe from any potential threats that might come your way. Want to explore more? Don’t hesitate to drop us a message whenever you’d like! We're here to help!

If you want to learn more, feel free to swing by our website: 7Block Labs. We’ve got plenty of info waiting for you!

Your Specific Headache

"Keys scattered all over the place, but no sign of any evidence." "Alright, so you've got your hot wallets hanging out in a custodial MPC, right? And your cold keys are safely stashed away in an HSM. Plus, those validator BLS keys are just chilling with remote signers. Oh, and don't forget, procurement is on your heels asking for those SOC 2 artifacts." Your auditors are looking for solid proof of custody and rotation from start to finish. Plus, product teams are really pushing for passkeys and account abstraction these days. They’re juggling these demands while also trying to keep that pesky risk of breaches under control.

• There’s a lot of confusion about the quickly changing standards out there. Hey, just a heads up: FIPS 140-2 modules are set to be phased out on September 22, 2026. So, if you're still using them, it's time to start thinking about alternatives! Absolutely! There are around 140 different Level-3 options available, but honestly, the way that providers and models are picking them up and testing them is pretty inconsistent. It's a bit of a mixed bag out there! If we screw this up, we’re gonna have to redo a ton of stuff when those 2026 renewals come knocking. (csrc.nist.gov).

Hey there! Just a heads up--any tweaks in the Ethereum protocol might stir up some operational risks for you. Keep an eye on that! So, EIP-7002, which deals with execution-layer exits, is really shaking things up when it comes to how we think about withdrawal control for validators. In the meantime, EIP-3074 has kind of been set aside for now, while EIP-7702 is stepping into the spotlight and getting some love. Hey, just a quick reminder to keep your exit and delegation controls in line with what’s really happening. Let’s not rely on that old memo from 2022, okay? It’s important to stay current! (eips.ethereum.org).

There's actually a pretty interesting difference between MPC and HSM. So, the GG18/GG20 TSS setups had a few known vulnerabilities, and they skipped using ZK checks for the Paillier moduli. The good news is that vendors have fixed those issues, but we still need to figure out a solid standard for picking both the protocol and the vendors. It’s definitely a work in progress! (fireblocks.com).

• You know, identity is a lot like shifting sand. Great news! NIST SP 800-63-4 has just been finalized, and it's packed with some useful updates. One of the key highlights is the inclusion of syncable passkeys, thanks to WebAuthn/FIDO2. This should make things a lot smoother for everyone involved! These days, a growing number of businesses are looking to incorporate passkey-first authentication into their crypto processes. It's becoming a pretty standard expectation! WebAuthn L3 is currently at the Candidate Recommendation stage, so it's the perfect time to get your signing ceremonies prepped and ready to go with this fresh approach! (pages.nist.gov).

The Business Risk

• **We’ve run into some hiccups with missed audits and delays in procurement. ** Check out the latest updates to ISO 27001:2022, specifically Annex A 8. 24 is really shaking things up by combining crypto policy with key management. Auditors are looking for a clear view of the whole process--everything from how data is created and stored to when it gets rotated, revoked, and ultimately destroyed. They want to see this all laid out across different vendors. If you’re missing a traceability matrix, your SOC 2 narratives might end up in a bit of a standstill, and that can really hold up deals. Check out more here.
• Watch out for the compliance cliff coming in 2026! Hey, if you’re relying exclusively on FIPS 140-2 modules, it might be a good idea to take a step back and reconsider your approach. Once those certificates land on the Historical List, you’re going to find yourself in a bit of a rush to get those upgrades sorted out. This can really lead to some downtime, and honestly, nobody likes having to scramble for exceptions at the last minute. Seriously, who needs that kind of stress in their life? If you're curious and want to dive deeper into the topic, you can check out more info here.
• **Custody disclosure exposure. Hey there! Just wanted to share a quick update from NYDFS-- they’ve got some news coming our way for 2025. They’re stressing the point that beneficial interest really needs to remain with the customer. Also, they're rolling out some additional info about sub-custodians. So, you'll want to make sure that your contracts, the way you handle segregation, and those sub-custody attestations all match up with your technical controls. It's a good idea to double-check everything to keep everything in sync! Stay informed here.
• **Be aware, validator funds could be at risk. Hey there! So, EIP-7002 has really thrown us a bit of a curveball with these withdrawal credentials (0x01). This could potentially shake things up in the execution layer and mess with your RACI and revocation plans. Just a heads-up! If your remote signers and slashing protection aren't in sync, you might run into some bumps in the road. Get the details here.
• **The tug-of-war between UX and security. The product team is really aiming for that smooth "sign-in with passkey" vibe and the contract-wallet user experience. But hey, we can't forget about the essentials like non-repudiation and making sure we have those SOC 2 audit trails in place. It’s all about finding that perfect balance! If we don't consistently use ERC-1271/6492 and OpenZeppelin's SignatureChecker, smart accounts can really mess up enterprise authentication processes. This often leads procurement teams to brush them off as “nonstandard.” ” Dive deeper here.

7Block’s KeyOps Standards (technical but pragmatic)

At 7Block, we're all about simplifying things with our KeyOps Standards. It's our way of making life a little easier for everyone! Our approach is all about finding that sweet spot between the technical specs and what really works for people in the real world.

What are KeyOps Standards?

KeyOps Standards are basically a set of guidelines designed to help you manage cryptographic keys in a smart and effective way. They make sure everything stays secure without complicating things too much.

Why Are They Important?

• Security: Keeping sensitive data safe is super important, and that's where KeyOps Standards come in handy to help reduce risks.
• Staying Compliant: Following these standards really helps simplify the whole process of meeting regulatory requirements.
• Efficiency: These tools really simplify important management tasks, helping to save both time and resources.

Key Components of KeyOps Standards

So, here’s what you can look forward to with our KeyOps Standards:

1. Key Generation:

• Make sure to use solid algorithms and mix in some randomness.
• Keep a record of how the generation process works.

1. Key Storage: Make sure you keep your keys safe by using hardware security modules (HSMs) or secure vaults. They’re great for protecting your sensitive info! Make it a habit to check in on your storage practices every now and then.
2. Key Usage:

• Make sure to give key access only to those who really need it, depending on their roles. Keep an eye on and note down important usage activities.

1. Key Rotation: Make sure to set up regular key rotations to keep exposure low.

• Whenever you can, try to streamline the rotation process and make it automatic.

1. Key Revocation:

• Set up straightforward steps for taking back keys when necessary. Make sure you've got a solid plan ready for dealing with any key compromise situations.

Implementing KeyOps Standards

Alright, let’s dive into how you can start putting these standards into practice:

• Check Out Your Current Methods: Take a moment to really think about how you're handling your keys right now.
• Make a Roadmap: Put together a plan that lays out how you're going to take on these standards.
• Get Your Team on the Same Page: Make sure everyone knows why key management matters. It's super important for keeping everything secure!
• Keep Reviewing Your Practices: It's a good idea to regularly check in on your main management processes. Make it a routine!

Conclusion

If you stick with 7Block’s KeyOps Standards, you'll not only boost your security game but also keep everything nice and easy to handle. Let’s be real--when it comes to navigating the digital world today, having a solid key management strategy is crucial. It's all about staying one step ahead! If you’re interested in exploring our guidelines in more detail, feel free to take a look here!

We’ve rolled out a KeyOps pipeline that you can fully audit. It connects our cryptography decisions directly to compliance documents and our service level objectives (SLOs). We've set this up to be really flexible, so you can adjust it based on how much risk you're comfortable with. Whether you're all about HSM, leaning more toward MPC, or looking for a mix of both, we've got you covered!

1) Cryptographic Baseline and PQC Roadmap

• Algorithms and Modules: So, at the moment, we’re relying on some pretty robust building blocks for our security. We’ve got secp256k1 for ECDSA, BLS12‑381 for staking, AES‑GCM for encryption, and SHA‑2/3 for hashing. And, of course, we’re making sure to use FIPS 140‑3 validated modules wherever it’s possible. Hey there! I've got some exciting news to share! AWS KMS HSM has officially achieved FIPS 140-3 Level 3 certification. Plus, CloudHSM is stepping up too, now offering Level 3 on the hsm2m.medium instance. How cool is that? Oh, and by the way, the YubiHSM 2 is a great little Level 3 choice if you're looking for something compact. Just a heads-up though--the 140-2 version will still be around until 2026, so you've got some time with that one! If you want to dive deeper into that, just click here. Enjoy exploring!

So, when it comes to the whole post-quantum transition thing, we’ve got a dual-stack strategy in the works. This plan is designed to work perfectly with FIPS 203 (that's the ML‑KEM), 204 (the ML‑DSA), and 205 (the SLH‑DSA). The schedule for this will be connected to the updates in SP 800-131A and SP 800-57 Rev. 6 (draft). We’re gradually rolling out PQC for key establishment and signatures when it makes sense to do so. At the same time, we're keeping an eye on how things are going with FN‑DSA/FALCON. If you want to dive deeper into the details, check it out here.

• MPC/TSS Selection: We're really big on picking out modern, audited ECDSA TSS solutions, like CGGMP21 or even newer ones if they’re available. It’s super important to us that these solutions have clear abort mechanisms and proactive refreshing capabilities. We’ve got to get ZK proofs for the Paillier parameters to sidestep those annoying GG18/20 class issues, often referred to as “BitForge.” If you’re diving into Schnorr-based setups--like cross-chain or custodial services that play with Ed25519/ristretto--definitely think about using FROST (check out RFC 9591). It’s a great option for those 2-round threshold signatures! If you want to dive deeper into this topic, take a look at the details here.
• Policy Linkage: It's really important to link every cryptographic control to the ISO 27001:2022 Annex A 8. We’ve got some documentation for 24 and the SOC 2 Trust Services Criteria evidence. This covers important stuff like the key inventories, rotation logs, HSM attestations, MPC transcripts, and incident runbooks. If you want to dive deeper into this, check out this link. It’s a great resource!

Hardware-backed Root of Trust with “Zero‑Downtime Rotation”

• HSM Tiering: So, we like to sort our keys into different tiers. At the top, we have Tier-0, which is where the crucial root keys for things like CA and attestation hang out. These keys are kept safe in FIPS 140-3 Level 3 HSMs, ensuring they're really well protected. On the flip side, when it comes to Tier-1 application keys, we have a couple of options. They can either be stored in HSMs or in MPC, depending on how urgently we need access and what the custody guidelines are. We take security pretty seriously, so we stick to split-knowledge and quorum approvals. To keep things tight, we use short-lived signing “leases” that help us maintain that security.
• Rotation SLOs: We're all about achieving "zero-downtime rotation." To do this, we utilize shadow key deployments and phased cutovers. What this means is that we keep everything connected at the transaction level, and we also run acceptance tests on our smart accounts using SignatureChecker. To stay transparent, we give auditors thorough rotation manifests and logs that are linked to change tickets.
• Procurement-ready Details: We make sure to include the CMVP certificate IDs in our SBOMs and architectural documents. For example, you'll find things like AWS KMS HSM CMVP #4884 and YubiHSM 2 CMVP #3916 listed there. This way, vendor reviews go a lot faster and smoother, which is always a win! If you want to learn more about these certifications, feel free to swing by csrc.nist.gov. There's a ton of useful info waiting for you there!

3) Enterprise Authentication Meets On-chain Authorization

• Passkeys for operators: Hey team, let’s start including some WebAuthn L3-compatible authenticators and those syncable authenticators from NIST SP 800-63-4 in our key ceremonies. It’ll really enhance our security measures! So, when we give the green light for HSM/MPC operations, we'll have them secured with passkeys. This means we’ll have a way to track everything, plus it makes it tougher for phishing attempts to succeed. It’s a solid control measure! According to the FIDO Alliance, there's a pretty exciting trend happening right now--87% of companies are jumping on the passkey bandwagon! This shift is really streamlining how businesses handle changes, making everything a bit smoother. (w3.org).
• Smart account standards:
• It's time to take advantage of ERC‑1271 for those contract-wallet signatures!
  We're excited to let you know that we're on board with ERC-6492 for those counterfactual accounts, especially during the predeploy phase. Plus, we'll be using OpenZeppelin's SignatureChecker to help connect the dots between externally owned accounts and contract verification. With these changes, we're really working to smooth out those tricky edge cases that pop up with stuff like document signing, off-chain orders, and the different versions of SIWE. (eips.ethereum.org).
• Account abstraction roadmap: Hey! Just wanted to let you know that EIP-3074 is no longer in the running. But don't forget to keep an eye on EIP-7702 (Set Code for EOAs). It's definitely worth watching! This will help us come up with some "delegate-code" patterns and make sure we don’t let privilege creep get out of hand. We're going to implement a deny-by-default policy for any wallet UI that shows raw delegation signing. This will stay in effect until we can ensure that version 7702 is stable in the clients. (eips.ethereum.org).

4) Validator Key Management with EIP‑7002 in Mind

Separation of concerns:

Hey, just a heads up--let's make sure we keep the active (hot) BLS keys on our remote signers, and don’t forget about the slashing protection! Make sure that the withdrawal credentials are linked to 0x01 execution-layer addresses, and just a heads up, these should be managed by HSM/MPC governance. Now that EIP-7002 is on the table, the people holding those withdrawal credentials can start the exit process from the execution layer (EL). That's why it's really crucial for our RACI and SOAR runbooks to have this capability covered. (eips.ethereum.org).

Exit/withdrawal governance:

• How about we set up some approvals for withdrawals using passkeys along with a quorum? Let’s make sure we keep track of those SSZ-encoded requests, and it’d be a good idea to double-check everything with the chain events after every block. It’ll help us stay on top of things! By doing this, we cut down on the chances of any hostage situations where an operator could potentially block exits. Plus, it helps us stick to the NYDFS principles, which ultimately benefit our customers. (dfs.ny.gov).

5) Custody and Sub‑custody Controls (NYDFS‑ready)

• Technical Segregation: We're working with special on-chain vault contracts that come with ERC‑1271 policy modules. These let us set limits for each asset and also use time-locks to add an extra layer of security. On top of that, we've got all the sub-custodian controls laid out and documented, complete with attestations. This means we’re all about that transparency when it comes to where the signers are based. Hey, just wanted to give you a quick heads up! So, the latest DFS guidance that came out on September 30, 2025, is telling us that we really need to nail down our segregation and sub-custody practices. Let's make sure we're on top of that! Feel free to take a look at it here. It's got some useful info!
• Disclosures: Let’s make sure our disclosures for clients are consistent across the board. It's important to make it clear that the customer retains their equitable or beneficial interest. Plus, we handle all the important stuff using FIPS-validated modules or MPC, and we have documented zero-knowledge checks to back it up.

6) Evidence by Design (SOC 2 / ISO 27001:2022)

• What we gather automatically: So, we collect a ton of important lifecycle logs, right? This includes stuff like generating, importing, rotating, and destroying keys. We also keep track of HSM/MPC transcripts, those ERC-1271 signature verifications, WebAuthn attestation events, and validator exit submissions. Oh, and let's not forget about any weird issues that might arise along the way!
• Auditor-ready mapping:
• Picture it like a straightforward matrix that links to Annex A 8. We've incorporated 24 and the SOC 2 Trust Services Criteria into our operational evidence. Plus, we’ve included RTO and RPO statements for every major category. The AICPA has shifted its attention to new tech risks, and we’ve worked hard to ensure our evidence pack is staying ahead of the game. If you're looking for more info, feel free to check it out here. It's got all the details you might need!

“Production AA without auth regressions”

• Problem: So, I hear your CRM dapp wants to take on session keys and manage batched transactions? That’s awesome! But let’s not forget, security is super important. We really need to focus on making sure we’ve got non-repudiation locked down and have strong audit trails set up.
• Implementation: We're going to use a smart account that leverages ERC-1271 for checking signatures. We're excited to let you know that we're bringing in OpenZeppelin's SignatureChecker! This means we'll be able to consistently work with both EOAs and contract wallets. The server will take a moment to double-check the 1271 before proceeding. If you want to dive deeper into the details, you can find more info right here. Enjoy exploring!
• Operators are going to manage those riskier policy changes using passkeys. And the cool part? Each approval will be tied to specific change tickets. So, when it comes to those counterfactual accounts we set up ahead of time, we’ll go ahead and accept ERC‑6492 signatures during the onboarding process. After everything’s up and running, we’ll take care of filling in the attestations. If you're curious and want to dive deeper into that, just check it out here. Happy reading!
• Value: By simplifying this process, we’re going to reduce integration issues since we’ll only have one verification path to follow. Plus, we’ll avoid all those annoying back-and-forths with procurement about “unsupported wallet signatures.” That’s definitely a win in my book! ”.

Validator Exits That Don’t Rely on the Node Operator

• The Problem: So, if you're staking from a treasury and depending on an outside validator to handle your nodes, you could face some timing issues. You should be able to leave when it’s right for you, not just when it’s convenient for them.
• How We Make It Happen: So, we've got the withdrawal credentials lined up with an execution-layer address that’s being handled by our HSM/MPC governance. 7Block is stepping in to set up an exit precompile call runner along with an approval workflow that aligns perfectly with EIP‑7002. Oh, the slashing protection? Yeah, that’s tied to the operator’s remote signer. If you want to dive deeper into the details, just head over here. It's got everything you need!
• What You’ll Get Out of It:
• You’ll have "hostage-resistant" exits, which really helps cut down on contractual risks. Plus, it makes everything way easier when it comes to your SOC 2 audits, especially around how you manage your staked assets.

MPC Done Right

Problem

So, here’s the deal: you’ve just taken over an MPC setup, but there’s a bit of a puzzle when it comes to the protocol lineage--like, is it GG18 or GG20? And on top of that, you can’t quite confirm if the ZK parameter checks are actually being implemented. It’s a bit tricky, to say the least!

Implementation

Alright, let’s kick things off with a health check, BitForge style! If you notice anything that feels a bit off, it might be a good idea to switch to a more up-to-date TSS. Look for one that has clear abort features and reliable ZK checks. It could really make a difference! Be sure to keep track of all those MPC transcripts and range proofs as you go. It's really important to have everything documented! If you want to dive deeper into the details, just click here. There's a lot of good info waiting for you!

Value

By following these steps, you can avoid the risk of a single party being able to extract your key, all while keeping your ability to operate flexibly. On top of that, your procurement team will receive a straightforward set of guidelines to follow.

Emerging Best Practices We Recommend in 2026

When you're rolling out new HSMs, definitely aim for FIPS 140‑3 Level 3. It's a solid choice! Now's a great time to start easing off those 140-2 dependencies, aiming for a complete transition by September 2026. Just a quick reminder to make sure you include the CMVP IDs in your RFP/RFI responses. It’s super important! For more info, head over to the NIST website. You'll find all the details you need there!

• Let's prioritize using passkeys for operator authentication when it comes to key ceremonies. So, SP 800-63-4 has introduced synced authenticators, and that's pretty cool! This should definitely help ease the pressure on your help desk a bit. Get the scoop here.

Let’s get ready for EIP‑7702 by embracing "delegate-code" governance for EOAs! Hey there! Just a quick heads-up--until we’ve got solid client support and some good guardrails set up, it’s best to avoid using raw delegation prompts in the wallet UIs. Trust me, it's safer that way! Hey, just wanted to give you a heads-up that EIP-3074 has been pulled back. So, it’s probably a good idea not to rely on it moving forward. If you want to dive deeper, check out more details on EIP's site. There’s a ton of info waiting for you!

• So, if you're using Schnorr curves (like when you're working with Ed25519 services or any cross-chain tools), it's a good idea to stick with FROST for your two-round threshold signing. It just makes everything smoother! This will definitely help reduce latency and simplify the rounds. If you’re looking for the relevant RFC, you can check it out right here.
• Put together a PQC migration plan that aligns with ML-KEM, ML-DSA, and SLH-DSA. Don’t forget to check out NIST SP 800-57 Rev. when you’re diving into the details! You're looking at Draft 6 and SP 800-131A when it comes to those crypto-agility thresholds. Check it out over on NIST's site for more details! Just click here to dive deeper into the topic.

Hey there! If you’re handling custody for clients in New York, just a quick reminder: double-check that your sub-custodian contracts align with the DFS 2025 guidelines and that your on-chain control separation is in sync, too. It’s super important to stay compliant! Feel free to check it out here for more details!

How 7Block Executes (And How It Fits into Services)

• Strategy and Architecture: We’re focused on building a strong foundation for crypto management and laying out our plan for Post-Quantum Cryptography (PQC). Plus, we're making sure everything fits nicely with SOC2 and ISO standards. If you’re curious about our custom blockchain development services or want to learn more about blockchain integration, feel free to check them out! We’ve got some great info waiting for you.
• Build and Integrate: We really get into the nitty-gritty of things like ERC-1271 modules, checking signatures with verification layers, and handling the coordination of MPC and HSM. It's a lot of fun to piece all of this together! Also, we’re all over the EIP‑7002 exit tools and getting those passkey approvals sorted out. If you want to dive deeper, check out our smart contract development and web3 development services. You won't want to miss what we have to offer!
• Security Validation: We really prioritize security here! We conduct thorough reviews of the MPC protocol (that includes those important zero-knowledge checks), hold HSM key ceremonies, and put together SOC 2 evidence packs. It's all about keeping everything safe and sound! We also make sure to follow the guidelines set out in ISO 27001 Annex A 8. 24 for traceability. If you want to dive deeper into this topic, feel free to take a look at our security audit services. You'll find some great info there!
• DeFi/Validator Operations (If It Fits Your Portfolio): We really emphasize rolling things out with a risk-controlled approach. That includes managing validator key governance and making sure we’re on point with cross-chain policy enforcement. Curious to dive deeper? Check out our cross-chain solutions development and dapp development offerings. There’s a lot you can explore!

GTM Metrics We’re Committing to Track in a 90-Day Pilot

• Audit Readiness We're working on cutting down the “time to evidence” for Annex A 8. You can boost your efficiency on the 24 and SOC 2 CC-series by about 30-50% by using automated logs along with a traceability matrix. It’s a smart combo that really streamlines the whole process! We'll make sure to cover all the important lifecycle records--like generation, import, rotation, and destruction--so that everything is tied to the right tickets and reviewer identities. You can count on us to have it all sorted!
• Operational Resilience We're currently running a trial for a "zero-downtime rotation" in both our staging and production environments. This involves two important classes: the hot wallet and the smart-account signer. Plus, we're using on-chain verification to make sure everything's solid. We're planning to run a validator exit drill using the EIP-7002 process. The goal is to do a full run-through, including reconciliation, and we’re aiming to wrap it up in under 60 minutes. We'll keep everything in controlled conditions to make it smooth and efficient.
• Identity and UX We're aiming for at least 80% of our approvers to get on board with passkeys, and we want to make sure this doesn’t slow down our approval process. Also, we'll keep an eye on SIEM visibility for passkey events during all our ceremonies--just to stay on top of things!
• Compliance Posture We're going to maintain an inventory of our FIPS posture, which will have the CMVP IDs for each module. Plus, we'll lay out a plan for retiring any 140-2 dependencies that we need to kick to the curb before September 2026.
• When it comes to NYDFS custody mapping (if it applies), we'll make sure to cover all the bases. This means documenting everything--from how we handle segregation to getting those sub-custodian attestations, and we’ll also include the story of customer beneficial interest.

What You’ll Get at Pilot End

You’ll get a complete “audit-ready cryptography” package that’s fully signed and loaded with everything you need. Inside, you'll find architecture diagrams, CMVP references, key inventories, rotation manifests, SOC 2/ISO mappings, and operational runbooks--all the essentials wrapped up in one neat bundle! You’ve got a robust production-ready ERC-1271 setup here, and if you're interested, there's also the option to add ERC-6492 onboarding. Plus, we’ve made sure to incorporate passkey-gated approvals into your MPC/HSM workflows for extra security. We’ve got some validator exit tools that are built around EIP-7002. They come with RACI updates, some simulated tabletop exercises, and even scripts for on-chain reconciliation. It’s a pretty thorough package!

Brief Technical Appendix (Deep Dive Details)

• FIPS Transition: Just a heads up! The CMVP has officially announced that the older 140-2 modules are set to transition by September 22, 2026. Mark your calendars! If you can swing it, try to move over to the 140-3 Level 3 setup. You might want to check out options like AWS KMS HSM #4884 or the CloudHSM hsm2m.medium Level-3.
  Just a friendly reminder to make sure you're keeping those certificate numbers in your SBOMs! You can check out more info at csrc.nist.gov.
• PQC Updates: So, NIST has officially completed work on FIPS 203, 204, and 205 (which are all about ML-KEM, ML-DSA, and SLH-DSA). They've also wrapped up the draft for 800-57 Rev. Version 6 now has some coverage for PQC! Alright, it's time to dive into hybrid key exchange! We're focusing on ECDH combined with ML-KEM for those new inter-service channels. And while you’re at it, don't forget to keep an eye on FN-DSA--it’s definitely worth watching! (nist.gov).
• MPC Guardrails: Just a heads-up, don’t forget to implement ZK checks to confirm that the Paillier modulus is valid! When you're choosing protocols, make sure to steer clear of those that don't have clear abort options. And if you're working with Schnorr curves, definitely check out FROST (RFC 9591) - it's a solid choice! Don’t forget to keep your protocol-implementation BOMs up to date! Make sure you’ve got version pinning sorted out and include those audit links too. It really helps keep everything organized and secure. (fireblocks.com).
• AA and Signature Standards: Let’s get on the same page with ERC-1271 and SignatureChecker. This will help us keep things consistent between externally owned accounts (EOA) and smart contract wallets (SCW), making sure there’s no confusion down the line. If you're working with counterfactual flows, make sure to go with ERC-6492. Hey, just a quick update: 3037 has been withdrawn. So, let’s take a good look at 7702 gating. Remember, we need to analyze it logically since there aren’t any raw delegation surfaces in the user experience. (eips.ethereum.org).
• Validator Exits: Once EIP-7002 rolls out, make sure to refresh your withdrawal-credential governance. Just a quick reminder: the CL will be taking care of any EL exit messages, so make sure you’ve got your fee handling and queue details all sorted out in your runbooks. It’ll make everything run a lot smoother! (eips.ethereum.org).

Hey there! Just a heads-up: SP 800-63-4 is rolling out some new syncable authenticators, and WebAuthn L3 is currently in Candidate Recommendation. So, it's a good idea to start thinking about how you'll handle passkey approvals across different devices. Don't forget to focus on capturing those attestations as well! (pages.nist.gov).

• Custody Regulation: So, the DFS 2025 guidance has really spelled out what sub-custodians need to do. They’ve emphasized that the beneficial interest should always remain with the customers. Make sure your on-chain controls and disclosures line up with this guidance. (dfs.ny.gov).

If you're on the hunt for a partner that can effortlessly bridge the gap between Solidity, ZK details, and procurement results--while also helping you boost your audit readiness and resilience--you're in the right place! That's our jam, and we make it a point to focus on this every quarter.

Internal links used above:

• web3 development services Check out our custom blockchain development services. We’ve got you covered!
• security audit services
• blockchain integration
• cross-chain solutions development
• dapp development
• smart contract development

Quick heads up: Just so you know, all the references to standards and the status of protocols are current as of January 27, 2026. You can count on the citations I’ve included to back that up!