up:: The Mandates MOC
NIST SP 800-131A (Transitioning Cryptographic Algorithms and Key Lengths)
NIST SP 800-131A is the NIST Special Publication titled “Transitioning the Use of Cryptographic Algorithms and Key Lengths,” the instrument that sets the schedule for retiring weakening classical algorithms and key lengths and moving federal cryptography to stronger ones. The current final is Revision 2, published March 21, 2019, which establishes 112 bits as the minimum acceptable security strength and defines the approved, deprecated, disallowed, and legacy-use categories that govern the transition. A draft Revision 3, released as an initial public draft in October 2024, proposes the next phase, phasing out 112-bit security (algorithms like RSA-2048) by the end of 2030 and setting a retirement schedule for SHA-1, which aligns SP 800-131A’s classical-deprecation logic with the quantum-transition deadlines in NIST IR 8547. It’s the document that turns “this algorithm is getting old” into dated, categorized federal requirements.
The short version:
- It’s NIST’s transition instrument for classical cryptography, defining when algorithms and key lengths move through the categories approved, deprecated, restricted, disallowed, and legacy-use.
- The current final is Revision 2 (March 21, 2019), which sets 112 bits as the minimum acceptable security strength and, for example, disallows two-key Triple DES and restricts SHA-1.
- A draft Revision 3 (initial public draft, October 21, 2024) proposes the next phase, and it is a draft, not yet final, so its dates are proposed rather than binding.
- Revision 3 proposes phasing out 112-bit security (such as RSA-2048) by December 31, 2030, moving the minimum to 128 bits, and sets a schedule for retiring SHA-1.
- It’s the classical-deprecation counterpart to the quantum work. SP 800-131A retires the weakening classical algorithms on a strength-and-key-length basis, while NIST IR 8547 handles the specifically quantum-vulnerable public-key algorithms, and the 2030 dates line the two up.
Think of it like the building code that quietly condemns old wiring. It doesn’t wait for a fire; it sets dated rules that say a given gauge of wire is fine now, discouraged soon, and prohibited after a certain year, with a grace period where you can still inspect old wiring but not install it new. SP 800-131A is that code for cryptography: it grades each algorithm and key length, publishes the year each one stops being acceptable, and gives a legacy window for reading old data without permitting new use. The draft revision is the code committee’s next update, proposing the year the 112-bit wiring gets condemned, not yet adopted.
What is NIST SP 800-131A?
NIST SP 800-131A is a NIST Special Publication that specifies the transitions in the approval status of cryptographic algorithms and key lengths over time, so federal systems move off weakening cryptography on a defined schedule rather than all at once or never. It’s a companion to SP 800-57 (which sets the key-management recommendations) and it’s the document that assigns each algorithm and key length a status and a date.
The mechanism is a set of status categories that an algorithm or key length moves through:
- Approved (acceptable). Safe to use with no restriction.
- Deprecated. Still usable, but its use is discouraged and carries added risk acknowledgment.
- Restricted. Usable only under specific stated conditions.
- Disallowed. Not permitted for applying cryptographic protection (no new use).
- Legacy use. Permitted only to process already-protected data (for example, to verify an old signature or decrypt old data), never to newly protect.
Source: NIST, “Transitioning the Use of Cryptographic Algorithms and Key Lengths,” SP 800-131A Revision 2, March 21, 2019, NIST SP 800-131A Rev 2.
These categories are the load-bearing idea, and they’re the same distinction the Field Guide draws in deprecation, not deployment: an algorithm being disallowed for new use doesn’t remove it from the estate, and the legacy-use window is exactly where old, unmigrated cryptography lingers. SP 800-131A is the authoritative source for which category an algorithm is in and when it moves.
What does the current final (Revision 2) require?
Revision 2, the current final published in 2019, sets 112 bits as the minimum acceptable security strength for federal cryptography and places specific weakening algorithms into the deprecated, disallowed, and legacy categories. The 112-bit floor is the anchor: an algorithm or key length providing less than 112 bits of security strength is not acceptable for applying new protection.
Concrete examples from Revision 2:
- The 112-bit minimum. 112 bits is the minimum acceptable security strength, which is why RSA-2048 (estimated at 112-bit strength) remains acceptable under Revision 2 while shorter keys are not.
- Triple DES. Two-key Triple DES is disallowed for encryption, and three-key Triple DES is restricted, with the DRBG built on it deprecated through the end of 2023.
- SHA-1. SHA-1 is disallowed for generating digital signatures (it can be used only for legacy verification and a narrow set of non-signature applications), reflecting the collision weaknesses that made it unsafe for new signatures.
Source: NIST SP 800-131A Revision 2, §Security Strengths and §Digital Signatures, March 21, 2019, NIST SP 800-131A Rev 2.
The reason Revision 2 is worth reading closely is that it’s the settled, binding baseline. When a federal system’s compliance turns on whether an algorithm is still acceptable, Revision 2 is the current answer, and its 112-bit floor is what today’s classical cryptography is measured against.
What does the draft Revision 3 propose?
The draft Revision 3 proposes raising the minimum security strength from 112 bits to 128 bits by phasing out 112-bit security at the end of 2030, and setting a retirement schedule for SHA-1, and it is important to be precise that this is a draft, not a final requirement. It was released as an initial public draft on October 21, 2024, with the comment period closed, and until it’s finalized its dates are proposed rather than binding.
What Revision 3 proposes:
- The 112-to-128-bit transition. The central update is moving the minimum acceptable security strength from 112 bits to 128 bits. Algorithms providing 112-bit strength, notably RSA-2048 and similar, would be deprecated for new use starting at the end of 2030 (December 31, 2030) and permitted only for legacy processing (decryption and verification) after that.
- A SHA-1 retirement schedule. Revision 3 lays out a schedule to fully retire SHA-1 across its remaining permitted uses.
- Alignment with the quantum deadlines. The end-of-2030 date is not a coincidence, it matches the milestone in NIST IR 8547 and the broader federal 2030-2035 window, so the classical-deprecation clock and the quantum-transition clock are being brought into step.
Source: NIST, “Transitioning the Use of Cryptographic Algorithms and Key Lengths,” SP 800-131A Revision 3 (Initial Public Draft), October 21, 2024, NIST SP 800-131A Rev 3 ipd.
The distinction between Revision 2 and the draft Revision 3 is the single most important thing to get right about this document. Revision 2 is what binds today; Revision 3 is the proposed next step whose 2030 dates are draft. Treating the draft’s dates as final is the exact overstatement the standards discipline warns against.
How does SP 800-131A relate to the quantum-vulnerable algorithm deadlines?
SP 800-131A handles the deprecation of weakening classical algorithms on a security-strength basis, while NIST IR 8547 handles the specifically quantum-vulnerable public-key algorithms, and the draft Revision 3’s end-of-2030 date is what aligns the two into a single coherent schedule. They’re complementary instruments pointing at overlapping algorithms for partly different reasons.
The two logics differ in why an algorithm is retired. SP 800-131A retires RSA-2048 because at 112-bit strength it’s simply the weakest still-acceptable tier and the floor is rising, which is a classical-cryptography-aging reason. NIST IR 8547 flags RSA and elliptic-curve algorithms because they’re quantum-vulnerable, broken outright by Shor’s algorithm, which is a quantum reason. The algorithms overlap heavily, so the two documents converge on retiring the same public-key cryptography around the same window, and the shared 2030 milestone is deliberate.
| Instrument | What it governs | The 2030 role |
|---|---|---|
| SP 800-131A Rev 2 (final) | Classical algorithm and key-length transitions | Sets 112-bit as today’s minimum acceptable strength |
| SP 800-131A Rev 3 (draft) | The proposed next transition | Proposes phasing out 112-bit strength by end of 2030 |
| NIST IR 8547 | Quantum-vulnerable algorithm transition | Deprecates quantum-vulnerable public-key by 2030, disallows by 2035 |
| NSA CNSA 2.0 | National-security systems | Its own CNSA 2.0 timeline for NSS, generally ahead of the civilian schedule |
The practical read is that SP 800-131A and IR 8547 together are why the same RSA and elliptic-curve keys are on borrowed time for two reinforcing reasons, and the end-of-2030 date shows up in both. A migration planned against IR 8547’s quantum deadlines is, conveniently, also on schedule for SP 800-131A’s classical-strength deprecation.
Common misconceptions
- “SP 800-131A already disallows RSA-2048 in 2030.” The end-of-2030 phase-out of 112-bit security (which includes RSA-2048) is in the draft Revision 3, not the current final. Revision 2 still lists 112 bits as the minimum acceptable strength, so treat the 2030 date as proposed until Revision 3 finalizes.
- “Deprecated means you can’t use it anymore.” In SP 800-131A’s categories, deprecated means discouraged but still usable, while disallowed means no new use and legacy-use means processing old data only. The distinctions are precise and load-bearing, which is the deprecation point.
- “SP 800-131A is about the quantum threat.” It’s primarily about classical algorithm and key-length aging on a security-strength basis. The quantum-vulnerable public-key transition is NIST IR 8547’s job, and the two align at 2030, but SP 800-131A’s logic is classical strength, not Shor.
- “Revision 3 is the current requirement.” Revision 3 is an initial public draft. Until it’s finalized, Revision 2 (2019) is the binding version, so compliance today is measured against Revision 2’s 112-bit floor.
- “SHA-1 is fully retired under the current final.” Revision 2 disallows SHA-1 for new signature generation while permitting narrow legacy and non-signature uses. The full retirement schedule across its remaining uses is proposed in the draft Revision 3.
Questions people ask
What is NIST SP 800-131A? It’s NIST’s “Transitioning the Use of Cryptographic Algorithms and Key Lengths,” the instrument that assigns each classical algorithm and key length a status (approved, deprecated, disallowed, legacy-use) and a date. It’s how federal cryptography moves off weakening algorithms on a defined schedule.
Which revision is current? Revision 2, published March 21, 2019, is the current final and binding version. Revision 3 exists only as an initial public draft (October 21, 2024), so its proposed dates aren’t yet requirements.
Does SP 800-131A ban RSA-2048 in 2030? The draft Revision 3 proposes phasing out 112-bit security, which includes RSA-2048, by the end of 2030 (December 31, 2030), moving to legacy use after. That’s a proposal in a draft, not a current binding requirement, so it should be cited as proposed until Revision 3 is final.
What’s the minimum security strength today? Under the current final, Revision 2, 112 bits is the minimum acceptable security strength, which is why RSA-2048 (roughly 112-bit strength) is still acceptable now. The draft Revision 3 proposes raising that floor to 128 bits by the end of 2030.
How does this relate to IR 8547? NIST IR 8547 deprecates quantum-vulnerable public-key algorithms by 2030 and disallows them by 2035 for the quantum reason, while SP 800-131A retires weakening classical algorithms on a strength basis. They overlap on the same RSA and elliptic-curve keys, and the end-of-2030 date aligns the classical and quantum clocks.
What does “legacy use” mean here? Legacy use permits an algorithm only for processing data that was already protected, such as verifying an old signature or decrypting old data, never for applying new protection. It’s the category that lets old cryptography be read without letting it be freshly deployed, which is exactly where unmigrated systems sit.
Is SP 800-131A a law? It’s NIST guidance, binding on federal systems through FISMA and the FIPS framework rather than a statute on its own. Its force in practice comes from federal compliance obligations and from procurement propagating the requirements outward, the same way the rest of the mandate landscape reaches even non-federal organizations.
Everything here is the map, given freely. When your team needs its estate measured against the current 112-bit floor, its RSA and elliptic-curve surfaces sequenced against both the classical-deprecation and the quantum deadlines, and the draft-versus-final dates read correctly, that’s the work I do, and there’s an alignment briefing for it.
Last verified 2026-07-14 · Maintained by Addie LaMarr, LaMarr Labs.