Section 1 · Business Objective
Domain Business Objective — OR-02 Key Management
Ensure that cryptographic authority over all on-chain protocol operations — including token minting, burning, contract upgrades, and parameter changes — is continuously available to authorized signers, correctly distributed to prevent single-point compromise or collusion, and exercisable within defined impact tolerance timeframes under any foreseeable disruption or threat scenario.
Regulatory foundation: OCC NPR §15.14 requires robust key management policies including generation, storage, rotation, and revocation procedures with documented recovery protocols. GENIUS Act §9 mandates that issuers maintain technical controls sufficient to ensure operational continuity of on-chain governance. NIST SP 800-57 and FFIEC Information Security Handbook provide the cryptographic key management standards baseline. Any key management failure that disrupts minting, burning, or upgrade operations constitutes a reportable incident under GENIUS Act §113.
Section 2 · Business Process Lifecycle
Multi-Signature Governance Lifecycle — 7 Steps
The complete key management operational workflow from initial signer vetting through hardware provisioning, active governance operations, scheduled rotation, and emergency succession.
| # | Process Step | Description | Functions Involved | Timing / Frequency |
|---|---|---|---|---|
| 01 | Signer Identification, Vetting & Onboarding | Candidate signers are formally identified by the Board or Key Management Committee. Background verification and conflict-of-interest assessment are completed. Signer role, permissions, and geographic assignment are documented. Onboarding requires Board-level approval for any signer with mint/burn authority. Signer count and geographic distribution are validated against the diversity mandate before hardware provisioning proceeds. | Board / Committee; Security Officer; Compliance | Per new signer, prior to provisioning |
| 02 | HSM / MPC Wallet Provisioning & Threshold Configuration | Each signer receives a dedicated Hardware Security Module (HSM) or is enrolled in the Multi-Party Computation (MPC) wallet scheme. Private key material is generated inside the HSM boundary — never in software. For HSM: ceremony conducted under dual-control with witnesses. For MPC: key shares distributed to geographically separated parties. On-chain threshold configuration (e.g., 3-of-5 signers required, or 5-of-8 for treasury operations) is set in the smart contract by the change board and verified by the independent Security Officer before activation. | Security Officer; Key Custodians; Change Board | Per signer onboarding; ceremony event |
| 03 | Transaction Proposal & Authorization Workflow | Any on-chain operation (mint, burn, upgrade, parameter change) begins with a formal transaction proposal submitted through the governance portal. The proposer role is segregated from the approver and executor roles — the same individual cannot propose and approve. Required signers are notified automatically. Each signer reviews the transaction details independently via their HSM/MPC interface before signing. Signatures are aggregated and the threshold count is verified before execution is submitted to the blockchain. | Proposer (Treasury/Eng); Signers (multiple); Security Officer | Per transaction; real-time to 4 hrs depending on type |
| 04 | Key Rotation — Scheduled & Triggered | All signing keys are subject to mandatory rotation on a maximum 90-day schedule. Rotation is also triggered by: signer departure, suspected compromise, HSM/MPC firmware update requiring re-keying, or Security Officer judgment. Rotation follows a full ceremony: new key generated in HSM, threshold updated on-chain via change board, old key deactivated and archived (never destroyed — retained for forensic purposes). Rotation events are logged with dual-witness attestation. | Security Officer; Key Custodians; Change Board | Every 90 days max + trigger-based |
| 05 | Signer Departure & Access Deprovisioning | Upon signer departure (voluntary or involuntary), the Security Officer issues an immediate access revocation order. The HSM is physically recovered or the MPC key share is invalidated within 4 hours. The on-chain threshold configuration is reviewed: if the remaining signer count falls below quorum, emergency backup signer activation is initiated concurrently (see Step 06). The departure event triggers accelerated key rotation for all keys the departing signer held. The Board is notified of any change to the approved signer roster. | Security Officer; HR / Legal; Board | Immediate on departure notice |
| 06 | Emergency Revocation & Quorum Reconstitution | If a signer is compromised (confirmed or suspected), the Security Officer invokes the Emergency Revocation Protocol. The compromised key share is immediately invalidated via HSM/MPC administrative command. Remaining signers are polled for availability within 30 minutes. If remaining signers can still meet the threshold: operations resume on reduced quorum pending replacement. If the threshold is no longer met: the transaction queue is placed in holding (minting suspended) while an emergency backup signer is activated. Full quorum reconstitution must complete within the 2-hour RTO ceiling. The event triggers a GENIUS Act §113 notification assessment. | Security Officer; Board (approval); Emergency Backup Signers | RTO: 2 hrs; Revocation: 1 hr ceiling |
| 07 | Signer Succession Planning & Recovery Testing | The signer succession plan is documented and approved annually by the Board. It identifies: minimum two pre-vetted backup signers per role, geographic alternates, and Board-level override authority for emergency appointments. A full quorum reconstitution drill is conducted annually on testnet, measuring actual elapsed time against the 2-hour RTO ceiling. Drill results are documented, presented to the Board, and made available for examiner review. | Board; Security Officer; Internal Audit | Annual plan review; Annual drill |
Section 3 · Functions & Roles
Operational Roles & Accountabilities
Board / Key Management Committee
Approves signer roster, succession plan, and threshold configurations. Provides override authority in emergency appointments. Receives notification of all signer changes.
Security Officer
Owns key management procedures. Executes revocations. Verifies threshold configurations. Leads key ceremonies and rotation events. Independent of Treasury Operations.
Key Custodians / Signers
Hold HSM devices or MPC key shares. Independently review and sign authorized transactions. Geographically distributed per diversity mandate. Minimum 5 active signers maintained.
Change Advisory Board
Approves any on-chain threshold configuration change. Reviews and approves rotation ceremonies. Provides second-approval layer for emergency threshold modifications.
Independent Verifier
Verifies on-chain threshold configuration matches approved policy after each ceremony. Provides signed attestation for audit. Independent of Security Officer and signers.
Emergency Backup Signers
Pre-vetted, pre-provisioned individuals who can be activated within the 2-hour RTO ceiling. Minimum two per operational role. HSM/MPC devices kept in pre-activated state under secure storage.
Section 4 · Risk Register
Identified Risks — Key Management Domain
| Risk ID | Risk Statement | Trigger / Source | Inherent Likelihood | Inherent Impact | Inherent Risk Rating |
|---|---|---|---|---|---|
| KM-R01 | Signer unavailability causing quorum failure (illness, travel, termination) | Unplanned absence, sudden departure, incapacitation | MEDIUM | CRITICAL | CRITICAL |
| KM-R02 | Private key or HSM compromise via theft, malware, or physical breach | Device theft, malware on signing device, insider threat | LOW | CRITICAL | HIGH |
| KM-R03 | Signer collusion enabling unauthorized on-chain operations | Internal fraud, external coercion of multiple signers | LOW | CRITICAL | HIGH |
| KM-R04 | Social engineering or phishing attack targeting signer | Spear-phishing, voice phishing, impersonation of governance portal | MEDIUM | CRITICAL | CRITICAL |
| KM-R05 | HSM/MPC vendor failure or firmware vulnerability | Vendor insolvency, critical firmware bug, supply chain compromise | LOW | HIGH | HIGH |
| KM-R06 | On-chain threshold misconfiguration — contract threshold diverges from policy | Configuration error during ceremony, unauthorized parameter change | LOW | CRITICAL | HIGH |
| KM-R07 | Key rotation failure leaving stale or over-privileged access | Process failure, HSM malfunction during rotation ceremony, oversight | MEDIUM | HIGH | HIGH |
| KM-R08 | Jurisdictional signer concentration creating legal seizure risk | All signers in same jurisdiction subject to coordinated legal action | LOW | HIGH | MEDIUM |
| KM-R09 | Proposer-approver role conflation enabling unilateral governance | Process bypass, system misconfiguration, inadequate role segregation | LOW | CRITICAL | HIGH |
Section 5 · Control Framework
Structural Controls — Key Management
| Control ID | Control Name | Risk(s) | Type | Description | Anchor |
|---|---|---|---|---|---|
| KM-C01 | Geographic & Organizational Signer Diversity Mandate | KM-R01, KM-R03, KM-R08 | PREVENTIVE | Minimum 5 active signers across minimum 3 geographic jurisdictions and minimum 3 organizational units. No single jurisdiction may hold majority of signers. Signer roster reviewed quarterly against diversity policy. Any proposed addition that reduces diversity triggers Board escalation. | OCC NPR §15.14 |
| KM-C02 | HSM / MPC Hardware-Enforced Key Isolation | KM-R02, KM-R04, KM-R05 | PREVENTIVE | All private key material is generated and held exclusively within FIPS 140-2 Level 3 certified HSM or equivalent MPC scheme. Key material never exists in software memory outside the HSM boundary. HSM devices are physically secured per NIST SP 800-57. MPC key shares are encrypted at rest and in transit. Vendor diversity: primary and backup signers may not use HSMs from the same vendor. | NIST SP 800-57 |
| KM-C03 | Role Segregation — Proposer / Approver / Executor | KM-R03, KM-R09 | PREVENTIVE | The governance portal enforces technically that: (1) the transaction proposer cannot be a required approver; (2) no single individual can hold both proposer and executor roles. Role assignments are recorded in access control system and reviewed monthly by Security Officer. Any attempt to bypass role segregation is logged and triggers an alert. | OCC NPR §15.14 |
| KM-C04 | On-Chain Threshold Verification (Contract-Enforced) | KM-R06 | DETECTIVE | The on-chain multisig threshold is enforced by the smart contract — not by off-chain policy. An independent verifier queries the contract state after each ceremony to confirm the threshold matches the approved configuration. Any discrepancy is treated as a Critical finding. Threshold state is included in the monthly Key Management Report to the Board. | GENIUS Act §9 |
| KM-C05 | Mandatory Key Rotation (90-Day Maximum Schedule) | KM-R07 | PREVENTIVE | All signing keys must be rotated on a maximum 90-day schedule. System generates rotation reminder at Day 75 and compliance violation alert at Day 91. Rotation is also triggered by: signer departure, suspected compromise, or HSM firmware update. Rotation ceremonies require dual-witness attestation and independent post-rotation verification of on-chain threshold state. | NIST SP 800-57 |
| KM-C06 | Emergency Revocation Playbook with Tested RTO | KM-R01, KM-R02, KM-R04 | CORRECTIVE | Documented Emergency Revocation Playbook specifies step-by-step procedures for: compromised signer (key invalidation within 1-hour ceiling), unavailable signer (backup activation within 2-hour RTO), and full quorum failure (transaction queue hold + Board emergency session). Playbook is tested annually on testnet with elapsed time documented against RTO ceiling. | OCC NPR §15.14 |
| KM-C07 | Pre-Provisioned Emergency Backup Signers | KM-R01, KM-R02 | CORRECTIVE | Minimum two backup signers per role are pre-vetted, Board-approved, and pre-provisioned with HSM/MPC devices in an activated but dormant state under secure storage. Backup signers can be deployed to active status within the 2-hour RTO without requiring new key generation or ceremony. Backup device integrity verified quarterly. | OCC NPR §15.14 |
| KM-C08 | Annual Signer Succession Drill with RTO Measurement | KM-R01, KM-R06 | DETECTIVE | Annual testnet simulation of full quorum reconstitution scenario. Drill scenario includes sudden unavailability of two signers simultaneously. Actual elapsed time measured against 2-hour RTO ceiling. Drill results, elapsed times, gaps identified, and remediation actions are documented in a Drill Report presented to the Board and retained for examiner review. | GENIUS Act §7 BCP |
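An added example (not code from the page or from any issuer's tooling) that checks a signer roster against the KM-C01 diversity mandate and the KM-C05 rotation windows used in Step 04; the signer names, jurisdictions, organizational units and rotation dates are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Signer:
    name: str
    jurisdiction: str
    org_unit: str
    last_rotation: date

MIN_SIGNERS, MIN_JURISDICTIONS, MIN_ORG_UNITS = 5, 3, 3   # KM-C01 minimums
REMINDER_DAY, VIOLATION_DAY = 75, 91                       # KM-C05 (90-day maximum)

def diversity_findings(roster):
    """KM-C01 checks; returns a list of violations (empty list means compliant)."""
    findings = []
    if len(roster) < MIN_SIGNERS:
        findings.append(f"{len(roster)} active signers, minimum {MIN_SIGNERS}")
    by_jur = Counter(s.jurisdiction for s in roster)
    if len(by_jur) < MIN_JURISDICTIONS:
        findings.append(f"{len(by_jur)} jurisdictions, minimum {MIN_JURISDICTIONS}")
    if len({s.org_unit for s in roster}) < MIN_ORG_UNITS:
        findings.append(f"fewer than {MIN_ORG_UNITS} organizational units")
    if by_jur:
        top, n = by_jur.most_common(1)[0]
        if 2 * n > len(roster):   # strict majority held by one jurisdiction
            findings.append(f"{top} holds a majority of signers ({n}/{len(roster)})")
    return findings

def rotation_status(signer, today):
    """'ok', 'reminder' from Day 75, 'violation' from Day 91 after the last rotation."""
    age = (today - signer.last_rotation).days
    return "violation" if age >= VIOLATION_DAY else "reminder" if age >= REMINDER_DAY else "ok"

def rotation_report(roster, today):
    return {s.name: rotation_status(s, today) for s in roster}

# Constructed roster and review date (not from the page)
AS_OF = date(2024, 9, 1)
ROSTER = [
    Signer("Signer-1", "US", "Treasury",    date(2024, 8, 1)),
    Signer("Signer-2", "CH", "Engineering", date(2024, 7, 15)),
    Signer("Signer-3", "SG", "Risk",        date(2024, 6, 10)),   # Day 83: reminder
    Signer("Signer-4", "US", "Engineering", date(2024, 5, 20)),   # Day 104: violation
    Signer("Signer-5", "CH", "Treasury",    date(2024, 8, 20)),
]
# Same roster with Signer-3 and Signer-5 relocated to the US: 4 of 5 in one jurisdiction
CONCENTRATED = [ROSTER[0], ROSTER[1], Signer("Signer-3", "US", "Risk", ROSTER[2].last_rotation),
                ROSTER[3], Signer("Signer-5", "US", "Treasury", ROSTER[4].last_rotation)]
```

Run quarterly against the live roster, the two functions give the Security Officer the diversity finding list and the per-signer rotation state the monthly Key Management Report needs.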
Section 6 · Scenario Stress Test
Severe but Plausible Scenario — Recovery Protocol
Scenario KM-S01: Compromised Multisig Signer During Active Transaction Queue
Signer-3 (of 5) reports that their HSM device is missing following international travel. The active transaction queue contains 3 pending mint authorizations. Compromise cannot be ruled out. Current quorum: 4 of 5 signers remain available, so the required threshold of 3 is still met, but the compromised signer's signature on pending transactions is suspect.
1. T+0: Detection & Incident Escalation (0–10 min)
   Security Officer receives compromise notification from Signer-3. Incident declared. Pending transaction queue immediately placed on administrative hold — no pending transaction is submitted to blockchain until investigation is complete. Security Officer notifies Board Chair and begins Emergency Revocation Playbook.
2. T+30 min: Key Invalidation Execution (within 1-hour ceiling)
   Security Officer executes MPC key share invalidation or remote HSM wipe for Signer-3's device via administrative channel. Invalidation confirmed via on-chain state check — Signer-3's address can no longer contribute a valid signature. Remaining 4 signers polled: all available. Threshold (3-of-5, now 3-of-4 effectively) remains operable.
3. T+45 min: Transaction Queue Review & Resubmission
   All pending transactions that carried Signer-3's signature are cancelled and requeued. Requeued transactions require fresh signatures from remaining 4 active signers. Independent Verifier confirms on-chain threshold state reflects 4 active signers and threshold remains 3-of-4. Transaction processing resumes on resubmitted transactions.
4. T+2 hr: Emergency Backup Signer Activation (within RTO ceiling)
   Emergency Backup Signer B-1 is activated from pre-provisioned dormant state. Board Chair provides verbal authorization (documented within 24 hours). B-1's HSM device is retrieved from secure storage and enrolled in the active signer set. On-chain threshold configuration updated to reflect 5 active signers. Independent Verifier attests to updated on-chain state.
5. T+4 hr: GENIUS Act §113 Notification Assessment
   Security Officer and Legal assess whether the incident meets the §113 reportable incident threshold. Key compromise with active transaction queue impact is assessed as reportable. Simultaneous notification to OCC, FDIC, and FinCEN prepared per three-regulator protocol. Notification includes: nature of compromise, scope of impact, remediation steps taken, and current operational status.
6. T+72 hr: Post-Incident Rotation & Root Cause
   Accelerated key rotation initiated for all remaining signers (travel companion risk). Root cause analysis completed: was device stolen or simply lost? If stolen: forensic analysis of any unauthorized transaction attempts on-chain. Full Incident Report prepared. Signer succession plan reviewed and updated. Board briefed on lessons learned.
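As an added illustration (not code from the page or from any issuer's governance portal), the following Python model applies the Step 03 rules (proposer/approver/executor segregation, threshold counted over active signers) and the Step 06 revocation rule to Scenario KM-S01 above. Signer ids, transaction ids and the "treasury-ops" / "ops-executor" role names are constructed, a signer id stands in for a real signature, and the on-chain submission is simulated by a flag.

```python
class GovernancePortal:
    def __init__(self, signers, threshold):
        self.active, self.threshold = set(signers), threshold
        self.hold = False   # administrative hold: stops chain submission, not intake
        self.queue = {}     # tx_id -> {"proposer", "approvals" (signer ids), "executed"}

    def propose(self, tx_id, proposer):
        self.queue[tx_id] = {"proposer": proposer, "approvals": set(), "executed": False}

    def approve(self, tx_id, signer):
        p = self.queue[tx_id]
        if signer == p["proposer"]:
            raise PermissionError("KM-C03: proposer cannot approve own proposal")
        if signer not in self.active:
            raise PermissionError(f"{signer} is not an active signer")
        p["approvals"].add(signer)

    def quorum_met(self, tx_id):
        # only signatures from currently active signers count toward the threshold
        return len(self.queue[tx_id]["approvals"] & self.active) >= self.threshold

    def execute(self, tx_id, executor):
        p = self.queue[tx_id]
        if executor == p["proposer"]:
            raise PermissionError("KM-C03: proposer cannot execute own proposal")
        if self.hold or p["executed"] or not self.quorum_met(tx_id):
            return False
        p["executed"] = True   # stand-in for submitting the transaction to chain
        return True

    def revoke(self, signer):
        # Step 06: remove the signer; pending proposals it signed lose all approvals
        self.active.discard(signer)
        requeued = [t for t, p in self.queue.items()
                    if not p["executed"] and signer in p["approvals"]]
        for t in requeued:
            self.queue[t]["approvals"].clear()   # fresh signatures required
        return requeued

def scenario_km_s01():
    # KM-S01 with constructed ids: Signer-3 of 5 compromised, 3 mints pending, 3-of-5
    portal = GovernancePortal([f"Signer-{i}" for i in range(1, 6)], threshold=3)
    for t in ("mint-1", "mint-2", "mint-3"):
        portal.propose(t, proposer="treasury-ops")
    portal.approve("mint-1", "Signer-3"); portal.approve("mint-1", "Signer-1")
    portal.approve("mint-2", "Signer-3"); portal.approve("mint-3", "Signer-2")
    portal.hold = True                      # T+0: queue on administrative hold
    requeued = portal.revoke("Signer-3")    # T+30 min: key share invalidated
    portal.hold = False                     # T+45 min: review complete
    for s in ("Signer-1", "Signer-2", "Signer-4"):
        portal.approve("mint-1", s)         # fresh signatures from remaining signers
    done = portal.execute("mint-1", executor="ops-executor")
    portal.active.add("Backup-B1")          # T+2 hr: pre-provisioned backup enrolled
    return {"requeued": sorted(requeued), "executed": done, "active": len(portal.active),
            "quorum_possible": len(portal.active) >= portal.threshold}
```

Because the quorum check intersects approvals with the current active set, a revoked signer's earlier signature can never be counted even if a requeue is missed, which is the property the Independent Verifier confirms on-chain at T+45.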
Section 7 · Structural Redundancy Architecture
Redundancy Mechanisms — Key Management
HSM + MPC Dual-Technology Resilience
Primary signing infrastructure uses FIPS 140-2 Level 3 HSMs. Backup signers use MPC key shares on separate infrastructure. This dual-technology approach ensures that a single vendor vulnerability, firmware exploit, or supply chain compromise cannot simultaneously affect all signers. Technology diversity is as important as geographic diversity.
Contract-Enforced Threshold (Not Policy-Only)
The multisig threshold is enforced at the smart contract level. This means the threshold cannot be bypassed by a single administrator overriding a policy document — it requires an on-chain transaction with the required number of valid signatures to change. The contract is the enforcement mechanism, not the procedure manual.
Pre-Provisioned Backup Signers (Zero-Ceremony Activation)
The 2-hour RTO ceiling for quorum reconstitution is only achievable if backup signers do not require a fresh key generation ceremony. Pre-provisioned, dormant HSM devices with pre-enrolled keys eliminate this bottleneck. The backup activation process is a retrieval and enrollment operation — not a key generation event.
Transaction Queue Hold Capability
The governance portal has an administrative hold function that suspends all outbound blockchain submissions without halting the intake of new transaction proposals. This allows the issuer to continue receiving and queuing operations during a signer incident while protecting against unauthorized transactions until the incident is resolved.