Skip to content

47-Day Certificates Are Coming. Are You Ready?

Act Now →

NIST IR 8547 and SP 800-131A: The Algorithm Transition Timeline

NIST New PQC Algorithms

NIST IR 8547 is a NIST draft report that sets out the expected timeline for retiring quantum-vulnerable public-key algorithms, deprecating them after 2030 and disallowing them after 2035, while SP 800-131A is the companion NIST publication that defines the formal approval status of specific algorithms and key lengths.

NIST IR 8547 and SP 800-131A together answer a practical question: when must federal systems stop using RSA, ECDSA, and other classical public-key algorithms? IR 8547 sets the direction, with quantum-vulnerable public-key algorithms deprecated after 2030 and disallowed after 2035. SP 800-131A defines the approval status of algorithms and key lengths in detail. Both are how the abstract quantum threat becomes concrete compliance dates.

Key Takeaways

  • NIST IR 8547, ‘Transition to Post-Quantum Cryptography Standards,’ is an initial public draft released November 12, 2024. It sets NIST’s expected transition timeline but is guidance, not a binding federal standard, and had not been finalized as of mid-2026.
  • IR 8547’s proposed timeline: quantum-vulnerable public-key algorithms (RSA, ECDSA, ECDH, finite-field DH) are deprecated after 2030 and disallowed after 2035.
  • Hybrid modes that combine an approved post-quantum algorithm with a classical one are not caught by the 2035 disallowance, which supports a phased migration.
  • SP 800-131A defines the formal approval status of algorithms and key lengths. The current finalized version is Revision 2 (2019); Revision 3 is an initial public draft (October 2024) that moves the minimum security strength from 112 to 128 bits and folds the asymmetric transition into the post-quantum transition.
  • AES-256 and the SHA-2 and SHA-3 hash families are not on IR 8547’s public-key deprecation schedule. The exposure is concentrated in public-key cryptography, which Shor’s algorithm breaks.

What NIST IR 8547 Is

NIST IR 8547, titled ‘Transition to Post-Quantum Cryptography Standards,’ is a NIST Internal (Interagency) Report that describes NIST’s expected approach to moving federal systems off quantum-vulnerable cryptography and onto the post-quantum standards finalized in 2024. NIST released it as an initial public draft on November 12, 2024, and the public comment period has since closed.

It is important to be precise about its status. As an Internal Report and, as of mid-2026, still a draft, IR 8547 is directional guidance rather than a binding mandate. The dates it proposes may shift in the final version. Even so, it is the clearest signal NIST has given about when classical public-key cryptography must be retired, and it aligns with the broader US federal target of a quantum-resistant posture by 2035. Organizations planning migrations treat its timeline as the working baseline.

The IR 8547 Transition Timeline

IR 8547 proposes a two-stage retirement for quantum-vulnerable public-key algorithms. Understanding the difference between the two stages is the whole point of the document.

StageDateWhat it means
DeprecatedAfter 2030The algorithm is still permitted but its use is discouraged. In practice, no longer acceptable for new deployments on federal systems.
DisallowedAfter 2035The algorithm may no longer be used for the stated purpose. A disallowed signature scheme is treated as forgeable; a disallowed key-establishment scheme is treated as vulnerable to key recovery.

The algorithms on this schedule are the public-key workhorses of today’s internet: RSA and elliptic-curve signatures (ECDSA, EdDSA, RSA-PSS, RSA PKCS#1 v1.5), and key-establishment schemes including RSA key transport, elliptic-curve Diffie-Hellman (ECDH), and finite-field Diffie-Hellman. All are broken by Shor’s algorithm on a sufficiently powerful quantum computer, which is why migrating from RSA to ECC solves nothing here: both fall to the same attack.

Deprecated Is Not the Same as Disallowed
The practical reading: after 2030, RSA and ECDH are no longer acceptable for new deployments on US federal systems, but existing deployed systems have until 2035 to complete migration. The window between the two dates is the migration runway. Treating 2035 as the only deadline misses the point, because procurement, auditing, and cyber-insurance practices tend to tighten around the 2030 deprecation date, not the 2035 disallowance date.

How Hybrid Modes Fit In

IR 8547 explicitly supports hybrid cryptography during the transition. A hybrid scheme combines a classical algorithm with a post-quantum algorithm so the result stays secure unless both are broken. NIST has clarified that the 2035 disallowance of quantum-vulnerable algorithms is not intended to prohibit hybrid modes that incorporate an approved post-quantum algorithm alongside a classical one in a composite scheme.

This matters because it gives organizations a compliant path to deploy post-quantum protection now, while retaining classical algorithms for interoperability, without falling foul of the disallowance date.

CBOM Secure

Gain complete visibility with continuous cryptographic discovery, automated inventory, and data-driven PQC remediation.

What SP 800-131A Adds

If IR 8547 is the strategic timeline, SP 800-131A is the operational rulebook. It defines the formal approval status (approved, acceptable, deprecated, restricted, disallowed, or legacy use) of specific algorithms and key lengths, and it is the document a FIPS-validated implementation is measured against.

The current finalized version is SP 800-131A Revision 2, published in March 2019. NIST released an initial public draft of Revision 3 in October 2024. Rev. 3 proposes moving the minimum classical security strength from 112 bits to 128 bits at the end of 2030, retires ECB confidentiality mode and DSA signature generation, and schedules the retirement of SHA-1 and 224-bit hash functions.

To avoid forcing organizations through two separate transitions, NIST plans to fold the asymmetric-algorithm transition into the post-quantum transition rather than enforcing a separate 128-bit step for public-key algorithms. As of mid-2026, Revision 3 remains a draft, so Revision 2 is the version currently in force.

What Is Not on the Schedule

A common misreading is that everything cryptographic must change. It does not. The deprecation and disallowance timeline targets public-key cryptography specifically.

AES-256 is not on the schedule: Grover’s algorithm offers only a quadratic speedup against symmetric ciphers, leaving AES-256 with roughly 128 bits of effective quantum security, which is acceptable for the foreseeable future.

SHA-2 and SHA-3 are not on the public-key schedule: These hash families remain secure against quantum attacks at appropriate output sizes. (SHA-1 and 224-bit hashes are being retired for unrelated classical-strength reasons.)

The exposure is public-key: RSA, ECC, and Diffie-Hellman key establishment and signatures are where the quantum risk and the transition deadlines actually live.

Why This Is Hard to Comply With: You Have to Find It First

The deadlines are only half the problem. The harder half is knowing where quantum-vulnerable algorithms are actually used across an enterprise. RSA and ECDSA are embedded in TLS configurations, VPNs, code-signing pipelines, certificate authorities, databases, application libraries, and hardware. Most organizations do not have a current, accurate inventory of where each algorithm and key length is in use.

This is where compliance with IR 8547 and SP 800-131A begins in practice. You cannot deprecate what you cannot see, and you cannot report progress against a 2030 or 2035 date without a cryptographic inventory to measure against. A Cryptography Bill of Materials (CBOM) that catalogs algorithms, key sizes, certificates, and protocols is the foundation that makes the rest of the transition auditable.

How Encryption Consulting Helps

Encryption Consulting’s CBOM Secure service maps directly to the compliance problem IR 8547 and SP 800-131A create. It scans your environment and builds a Cryptography Bill of Materials of every algorithm, key length, certificate, and protocol in use, then flags the quantum-vulnerable public-key algorithms that fall under the 2030 deprecation and 2035 disallowance timeline.

That inventory turns an abstract deadline into a concrete, prioritized worklist: which systems use RSA-2048 or ECDSA, where they are, and which must migrate first. It is the measurement layer that makes transition planning, progress reporting, and audit responses possible. Backed by ISO/IEC 27001:2022 and SOC 2 certified practices.

CBOM Secure

Gain complete visibility with continuous cryptographic discovery, automated inventory, and data-driven PQC remediation.

Frequently Asked Questions

What is NIST IR 8547?

NIST IR 8547, ‘Transition to Post-Quantum Cryptography Standards,’ is a NIST Internal Report that lays out NIST’s expected timeline for retiring quantum-vulnerable public-key algorithms such as RSA and ECDSA and moving to post-quantum standards. It was released as an initial public draft on November 12, 2024. It is directional guidance rather than a binding mandate, and as of mid-2026 it had not been finalized, though organizations widely treat its 2030 and 2035 dates as the planning baseline.

What is the difference between deprecated and disallowed in NIST guidance?

In NIST terms, a deprecated algorithm is still permitted but its use is discouraged, so in practice it is no longer acceptable for new deployments. A disallowed algorithm may no longer be used for its stated purpose at all: a disallowed signature scheme is treated as forgeable, and a disallowed key-establishment scheme is treated as vulnerable to key recovery. Under NIST IR 8547, quantum-vulnerable public-key algorithms are deprecated after 2030 and disallowed after 2035.

What are the NIST 2030 and 2035 deadlines?

Under the NIST IR 8547 draft timeline, quantum-vulnerable public-key algorithms (RSA, ECDSA, ECDH, finite-field Diffie-Hellman) are to be deprecated after 2030, meaning they are no longer acceptable for new federal deployments, and disallowed after 2035, meaning they can no longer be used for their stated purpose. The window between the two dates is the intended migration runway. These dates are proposed in a draft and could change in the final version.

Is SP 800-131A Revision 3 in effect?

Not yet. The current finalized version is SP 800-131A Revision 2, published in March 2019. Revision 3 was released as an initial public draft in October 2024 and remains a draft as of mid-2026. Revision 3 proposes moving the minimum classical security strength from 112 to 128 bits at the end of 2030 and folds the asymmetric-algorithm transition into the post-quantum transition. Until Revision 3 is finalized, Revision 2 is the version in force.

Do I need to replace AES and SHA-256 to comply?

No. The IR 8547 deprecation and disallowance timeline targets public-key cryptography (RSA, ECC, Diffie-Hellman), not symmetric encryption or the main hash families. AES-256 remains secure against quantum attacks because Grover’s algorithm only halves its effective security. SHA-2 and SHA-3 remain acceptable at appropriate sizes. SHA-1 and 224-bit hashes are being retired, but for classical-strength reasons unrelated to the quantum public-key transition.

How do I start complying with NIST IR 8547 and SP 800-131A?

Start with a cryptographic inventory. You cannot deprecate or disallow algorithms you cannot see, and you cannot measure progress against the 2030 and 2035 dates without knowing where RSA, ECDSA, and other quantum-vulnerable algorithms are used. Build a Cryptography Bill of Materials (CBOM) that catalogs algorithms, key lengths, certificates, and protocols, then prioritize migration by data longevity and system criticality. The inventory is what makes the transition auditable.

Turn the 2030 and 2035 Deadlines Into a Worklist

Compliance with NIST IR 8547 and SP 800-131A starts with knowing where your quantum-vulnerable cryptography lives. See how CBOM Secure builds your cryptographic inventory and turns the transition timeline into a prioritized, auditable migration plan.