up:: Foundations MOC

NIST

NIST is the U.S. National Institute of Standards and Technology, a non-regulatory federal agency inside the Department of Commerce that develops measurement science and technical standards, and in cryptography it is the body whose published algorithms and guidance the world builds on. When a system uses AES-256 to encrypt a disk, checks a certificate signed with RSA, hashes a file with SHA-256, or deploys the new ML-KEM to survive a quantum computer, it is running a NIST standard. NIST publishes those standards as Federal Information Processing Standards (FIPS), Special Publications (the SP 800 series), and Internal Reports (the IR series), and it ran the multi-year open competition that selected the post-quantum algorithms now replacing the cryptography Shor’s algorithm breaks.

The short version:

  1. NIST is the National Institute of Standards and Technology, a U.S. federal agency inside the Department of Commerce, founded in 1901 and known as the National Bureau of Standards until 1988.
  2. In cryptography, NIST writes the algorithm standards and the how-to-use-them guidance that federal agencies must follow and that the private sector, insurers, and foreign regulators voluntarily align to.
  3. It publishes through three document series: FIPS (mandatory standards), SP 800 (security guidance), and IR (research reports).
  4. NIST ran the open post-quantum cryptography competition from 2016 onward and finalized the first three standards, FIPS 203, FIPS 204, and FIPS 205, on August 13, 2024.
  5. NIST sets the algorithms and the migration deadlines (through NIST IR 8547), so its timeline is effectively the industry’s timeline even for organizations that never touch a government contract.

Think of NIST as the office that defines what a “kilogram” is, except for security. Long before it touched cryptography, its predecessor was standardizing weights, measures, and voltages so a pound in one state matched a pound in another and industry could actually build on shared ground. Cryptographic standards are the same idea applied to trust: a single, public, vetted definition of “this is how you encrypt” or “this is how you sign,” so that a browser built by one company can safely talk to a server built by another. The post-quantum transition is NIST redefining those units after the old definitions stopped being safe.

What is NIST?

NIST is a non-regulatory agency of the U.S. Department of Commerce whose official mission is “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” Congress established it in 1901 as the National Bureau of Standards, originally to fix an unreliable national measurement infrastructure that was holding American industry back against the United Kingdom, Germany, and other rivals. It was renamed the National Institute of Standards and Technology in 1988 as its mission broadened.

A few features of what NIST is shape how its cryptographic work lands:

  1. It is non-regulatory. NIST does not police anyone or run audits. It develops standards and guidance, and other authorities (Congress, the Office of Management and Budget, the NSA, sector regulators) give those documents their legal force. That division is why a NIST document can be technically authoritative and separately made mandatory by someone else.
  2. It is a technical body. The cryptographic work lives in NIST’s Computer Security Division and its Information Technology Laboratory, staffed by mathematicians and engineers who run public competitions and publish their analysis for the whole field to attack.
  3. Its reach is global by adoption, not by mandate. NIST can only require federal agencies to use its standards, yet browsers, banks, cloud providers, and foreign governments adopt them anyway, because a rigorously vetted public standard is worth more than a private guess.

Source: NIST, “About NIST,” nist.gov/about-nist.

What does NIST do in cryptography?

In cryptography, NIST is the standards body: it defines which algorithms are approved, specifies exactly how to implement and use them, sets the parameter sizes and security levels, and schedules when old algorithms are retired. It has held this role for decades, and almost every cryptographic primitive in the Field Guide traces back to a NIST document.

The work falls into a handful of recurring jobs:

  1. Standardizing algorithms. NIST selects and specifies the primitives everyone uses: AES for symmetric encryption, the SHA-2 and SHA-3 hash families, ECDSA and RSA for signatures, and now ML-KEM and ML-DSA for the post-quantum era. Each is pinned down in a standard precise enough that two independent implementations interoperate.
  2. Writing usage guidance. An algorithm alone is not a secure system. The SP 800 series tells practitioners how to manage keys, choose modes, generate randomness, and configure protocols, so the math is used correctly rather than just correctly specified.
  3. Setting security levels and deprecation schedules. NIST defines the security strength categories that let you compare algorithms, and it publishes the timelines that deprecate and then disallow weakening algorithms, including the post-quantum deadlines in NIST IR 8547.
  4. Validating implementations. Through programs like the Cryptographic Module Validation Program behind FIPS 140-3, NIST tests whether a product actually implements the standard correctly, which is what “FIPS-validated” on a vendor datasheet refers to.
  5. Running open competitions. For its biggest transitions, NIST solicits candidate algorithms from the world’s cryptographers and narrows the field in public, which is how AES and the post-quantum standards were chosen.

Source: NIST, “Cryptographic Standards and Guidelines,” Computer Security Resource Center, csrc.nist.gov.

Which NIST documents set cryptographic standards?

NIST publishes cryptography through three document series, and knowing which is which tells you instantly whether you are reading a binding standard, practical guidance, or a research report. This is the single most useful map for navigating NIST’s cryptographic output:

SeriesFull nameWhat it isBinding?Cryptography examples
FIPSFederal Information Processing StandardsThe core standards themselves, approved by the Secretary of CommerceMandatory for U.S. federal agenciesFIPS 197 (AES), FIPS 180-4 (SHA-2), FIPS 186-5 (signatures), FIPS 203 (ML-KEM), FIPS 204 (ML-DSA)
SP 800Special Publication 800 seriesComputer and information security guidelines and recommendationsGuidance (often made mandatory by reference)SP 800-57 (key management), SP 800-56 (key establishment), SP 1800-38 (PQC migration practice guide)
IRInternal or Interagency ReportsResearch findings and status reports, including the background behind FIPS and SPsInformationalNISTIR 8105 (report on PQC), NIST IR 8413 (PQC round-3 selections), NIST IR 8547 (transition timeline)

The practical read: a FIPS number is a standard you comply with, an SP 800 number is guidance on how to do it well, and an IR number is NIST showing its work. A single topic often spans all three. Post-quantum cryptography has its plan and status in IR documents, its algorithms in FIPS 203 through 206, and its migration guidance in SP 1800-38.

Sources: NIST, “Federal Information Processing Standards (FIPS),” csrc.nist.gov/publications/fips.

NIST, “NIST Special Publication 800 series,” csrc.nist.gov/publications/sp800.

What is the NIST post-quantum cryptography standardization process?

The NIST PQC standardization process is the open, multi-year public competition NIST ran to select the algorithms that replace the public-key cryptography a quantum computer breaks, inviting submissions from cryptographers worldwide and narrowing them through several rounds of public analysis. It began in 2016 and produced its first finalized standards in 2024.

The milestones that matter:

  1. 2016, the plan. NIST published NISTIR 8105, “Report on Post-Quantum Cryptography,” laying out the quantum threat to RSA and elliptic-curve cryptography and announcing its intent to standardize quantum-resistant replacements through an open process.
  2. November 2017, the submissions. 82 candidate algorithms were submitted from teams around the world. NIST accepted 69 of them as complete-and-proper first-round candidates on December 20, 2017.
  3. 2017 to 2022, the public analysis. NIST narrowed the field across three rounds, with the whole world’s cryptographers publicly attacking every candidate. This adversarial phase is the point of an open competition, and it is where the isogeny scheme SIKE was later broken, vindicating the design.
  4. July 5, 2022, the selections. NIST announced its first four algorithms for standardization: CRYSTALS-Kyber for key establishment, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for signatures (documented in NIST IR 8413).
  5. August 13, 2024, the standards. NIST finalized the first three as FIPS 203 (ML-KEM, from Kyber), FIPS 204 (ML-DSA, from Dilithium), and FIPS 205 (SLH-DSA, from SPHINCS+).
  6. March 11, 2025, the backup. NIST selected HQC, a code-based KEM on different math from ML-KEM, so a future break in lattice cryptography would leave a fallback. The FALCON signature is still in development as FIPS 206.

The reason the process was open and public matters as much as the result. Running the competition in the open, with every candidate published and every attack welcomed, is what lets the world trust the winners, and it is a model NIST had used before.

Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

NIST, “Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process,” NIST IR 8240, January 2019, csrc.nist.gov/pubs/ir/8240/final.

NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” August 13, 2024, nist.gov.

Has NIST run an open cryptography competition before?

Yes, and the direct precedent is AES. Through the 1990s the aging Data Encryption Standard was running out of margin, so NIST ran an open public competition to replace it: it announced the effort in January 1997, issued a formal call for candidate algorithms in September 1997, and required every submission to be unclassified, publicly disclosed, and royalty-free worldwide. Fifteen algorithms were submitted, the field was narrowed to five finalists in public, and on October 2, 2000 NIST selected the Belgian design Rijndael, published as FIPS 197 on November 26, 2001. That algorithm is the AES protecting almost everything today.

The AES competition established the playbook the post-quantum process reused almost exactly: solicit from the whole world, demand the algorithms be public and free, and let cryptographers everywhere try to break every candidate before anything is standardized. An open competition of that kind is why AES has held up for two decades, and it is the reason to trust the post-quantum winners chosen the same way. This is also the pattern a private vendor pitching a “proprietary quantum-safe algorithm” cannot match, because secrecy is the opposite of the public scrutiny that earns trust.

Source: NIST, “AES Development,” Computer Security Resource Center, csrc.nist.gov.

Why does NIST’s timeline set the industry’s timeline?

NIST can only compel federal agencies to use its standards, yet its cryptographic deadlines function as the practical schedule for the whole economy, because the rest of the market aligns to NIST by choice and by contract. Three forces turn a federal standard into a de facto global one:

  1. Procurement pull. Any vendor selling to the U.S. government has to meet NIST standards, so they build to NIST once and ship the same product to everyone. Federal requirements propagate through supply chains into commercial software.
  2. Insurer and regulator alignment. Cyber-insurance underwriters, sector regulators, and auditors lean on NIST as the neutral technical reference, so “follows NIST guidance” becomes the defensibility bar in insurance and compliance far outside government.
  3. International adoption. Foreign standards bodies and agencies frequently adopt or mirror NIST’s algorithm choices rather than duplicate the analysis, which is how AES and now ML-KEM became worldwide defaults.

For the post-quantum transition specifically, this is why the dates in NIST IR 8547 (deprecating 112-bit-strength classical algorithms by 2030 and disallowing them by 2035) are the numbers a private-sector board should plan against, even though NIST has no authority over that board. Where those dates come from and how they bind different sectors is the subject of the mandates.

Source: NIST IR 8547 (Initial Public Draft), “Transition to Post-Quantum Cryptography Standards,” November 2024, csrc.nist.gov/pubs/ir/8547/ipd.

Common misconceptions

  1. “NIST is a regulator that enforces the rules.” It is a non-regulatory agency that writes standards. The legal force comes from elsewhere: Congress, the Office of Management and Budget, the NSA for national-security systems, and sector regulators. NIST defines the standard; others make it mandatory.
  2. “NIST invents the algorithms itself.” For its major cryptographic standards, NIST runs open competitions and standardizes the best submissions from the worldwide research community. Rijndael (AES) came from Belgian academics, and the post-quantum winners came from international teams.
  3. “A NIST standard only matters to the U.S. government.” Federal procurement, insurers, and foreign regulators align to NIST voluntarily, so its standards and deadlines set the practical timeline for private companies everywhere.
  4. “FIPS, SP 800, and IR are interchangeable NIST publications.” They are three different things. FIPS documents are the binding standards, SP 800 documents are usage guidance, and IR documents are research and status reports.
  5. “NIST already broke RSA, so quantum is here.” NIST standardized replacements ahead of the threat. A quantum computer capable of breaking RSA does not yet exist publicly; NIST published the post-quantum standards early so the years-long migration can finish before one does, per Mosca’s theorem.
  6. “If it isn’t from NIST, it can’t be trusted.” NIST is the most influential cryptographic standards body, and other credible authorities exist, including the German BSI, French ANSSI, and the IETF for internet protocols. They often agree with NIST and sometimes add their own requirements.

Questions people ask

Is NIST part of the NSA? No. NIST is a civilian agency in the Department of Commerce, and the NSA is a defense/intelligence agency. They are separate, though they cooperate on cryptography. The NSA sets its own requirements for national-security systems through CNSA 2.0, which selects among NIST’s algorithms and mandates the strongest parameter sets.

What does “FIPS-compliant” or “FIPS-validated” mean? FIPS-validated means a product’s cryptographic module was tested and certified under NIST’s Cryptographic Module Validation Program against FIPS 140-3, confirming it implements the approved algorithms correctly. It is a formal lab certification, not a vendor’s self-claim, which is why regulated buyers ask for it.

Are NIST standards mandatory? For U.S. federal agencies, FIPS standards are mandatory (approved by the Secretary of Commerce and required under federal information-security law). For everyone else they are voluntary, but so widely adopted through procurement, insurance, and regulation that they operate as the default in practice.

Who actually writes NIST’s cryptography standards? NIST’s Computer Security Division, inside its Information Technology Laboratory, leads the work, drawing on the global cryptographic research community through open competitions, public comment periods, and workshops. Standards are published in draft, attacked and revised, and only then finalized.

What is the difference between a FIPS and an SP 800 document? A FIPS is a binding standard (the algorithm itself, like FIPS 203 for ML-KEM). An SP 800 is guidance on how to use cryptography well (key management, protocol configuration, migration practice). You comply with a FIPS; you follow an SP for the how.

Did NIST pick just one post-quantum algorithm? No. It standardized ML-KEM for key establishment and three signature options (ML-DSA, SLH-DSA, and the in-development FN-DSA), plus HQC as a code-based backup KEM, deliberately spreading across different math families so a single break is survivable.

Where do I find the official NIST post-quantum standards? They are published on NIST’s Computer Security Resource Center as FIPS 203, 204, and 205, finalized August 13, 2024, with the standardization project page carrying the full history and the ongoing work on FIPS 206 and HQC.


Everything here is the map, given freely. When your team needs its own cryptography sorted against these standards and sequenced onto a post-quantum path, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.