NIST IR 8547 Explained: The 2030 and 2035 Algorithm Deprecation Deadlines Every Compliance Officer Must Understand

When NIST published NIST IR 8547 as an Initial Public Draft on November 12, 2024, it did something SP 800-131A had not: it established a firm disallowance date. By 2035, every quantum-vulnerable public-key algorithm (RSA at any key length, ECC at any curve) will be prohibited from use in NIST standards and FIPS guidelines. The compliance exposure is not abstract. Organizations whose systems still rely on RSA-3072 or P-384 in 2035 will be out of conformance with federal standards, and for those operating in the federal supply chain, that translates directly into contract and audit risk.[NIST IR 8547 IPD]

What NIST IR 8547 Is and Why It Carries Regulatory Weight

NIST IR 8547 is the technical implementation vehicle for the algorithm transition mandated by National Security Memorandum NSM-10, which established 2035 as the firm federal target for completing the PQC migration.[NIST March 2025 PQC Presentation] Where NSM-10 sets policy direction, IR 8547 specifies which algorithms are deprecated, on what schedule, and to what security level threshold. The document applies directly to NIST standards and FIPS guidelines, meaning any system required to conform to FIPS (federal information systems, FedRAMP-authorized cloud services, and systems covered by federal procurement requirements) is in scope. For compliance officers at non-federal organizations, the practical reach extends further: sector regulators routinely adopt NIST frameworks by reference, and federal contractors face flow-down obligations. The March 2025 NIST presentation at Real World Cryptography confirmed that IR 8547's timelines are explicitly aligned with NSM-10, removing any ambiguity about the document's status as forward-looking federal compliance architecture rather than advisory guidance.[NIST March 2025 PQC Presentation]

The 2030 Deadline: Deprecation Means No New Deployments

The 2030 milestone applies specifically to algorithms operating at approximately 112-bit security: RSA-2048 and ECC P-256 are the primary examples. NIST IR 8547 designates these algorithms as deprecated by 2030, which carries a precise regulatory meaning distinct from retirement.[NIST IR 8547 IPD] Deprecated status means that no new systems may deploy these algorithms after the deadline. Existing legacy systems enter a controlled migration window (they are not immediately disallowed), but they must be on a documented transition path. The audit and procurement implications are concrete: any new system procured, built, or significantly upgraded after 2030 that uses RSA-2048 or P-256 for key establishment or digital signatures will not conform to NIST standards. This accelerates the prior SP 800-131A schedule, which had targeted 112-bit disallowance closer to 2031 without the same structural firmness.[NIST IR 8547 IPD] Associated guidance also implies a December 31, 2030 deadline for pre-shared key replacement in civilian networks, a requirement that affects VPN infrastructure, network device authentication, and some PKI trust anchor configurations. Understanding the full scope of federal PQC migration obligations is essential context for interpreting this deadline correctly.

The 2035 Hard Stop: Full Disallowance of All Quantum-Vulnerable Public-Key Algorithms

The 2035 deadline is categorically stricter. NIST IR 8547 specifies that all quantum-vulnerable public-key algorithms will be disallowed in NIST standards and FIPS guidelines by 2035, regardless of key length.[NIST IR 8547 IPD] This includes RSA-3072, RSA-4096, ECC P-384, and P-521, algorithms that many organizations treat as a long-term fallback precisely because of their larger key sizes. Post-2035, that fallback disappears from the compliance landscape. The compliance exposure for organizations that have not completed migration by 2035 is significant: continued use of these algorithms in FIPS-scope systems will constitute a standards non-conformance, creating audit findings, potential loss of FedRAMP authorization, and supply chain disqualification risks. NIST explicitly identifies long-term confidentiality systems (VPNs, TLS stacks, PKI infrastructure) as early migration priorities ahead of the general 2035 deadline, a prioritization that security architects should map directly to remediation sequencing.[NIST March 2025 PQC Presentation]

Which Algorithms Are Affected, Which Are Safe, and Where the Grey Areas Are

NIST IR 8547 draws a clear line on symmetric cryptography: algorithms with 128-bit security or greater (AES-128, AES-256, SHA-256, SHA-384) remain approved indefinitely and are not subject to the deprecation or disallowance timelines in this framework.[NIST IR 8547 IPD] The approved PQC replacements for public-key functions are ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) as a stateless hash-based alternative. These are the algorithms organizations should be designing toward now. A fuller treatment of how ML-KEM is structured as a FIPS standard is available for teams beginning algorithm selection. The grey area concerns hybrid schemes: combinations such as ML-KEM-512 paired with P-521. A practitioner-identified open question in the NIST PQC Forum concerns whether such a hybrid would be classified at 128-bit security (Category 1) post-2035, potentially rendering the classical component non-compliant despite its 256-bit classical strength.[NIST PQC Forum - IR 8547 Discussion] NIST has not yet issued definitive guidance resolving this categorization question.

Four Compliance Questions NIST Has Not Yet Resolved

Compliance officers should not treat the absence of final guidance as permission to defer decisions. Four open questions are material to planning:

1. Hybrid Algorithm Classification Post-2035

As noted above, the security categorization of hybrid schemes after disallowance takes effect remains an unresolved regulatory question. Organizations deploying hybrid PQC schemes as a transition strategy need to plan for the possibility that the classical component creates a compliance gap after 2035.[NIST PQC Forum - IR 8547 Discussion]

2. Non-Federal Sector-Specific Timelines

NIST IR 8547 directly governs NIST standards and FIPS. Sector regulators (OCC, FFIEC, HHS, SEC) have not yet issued aligned guidance that imports these timelines into their own frameworks. Compliance officers in regulated industries should monitor sector-specific rulemaking rather than assume automatic alignment.

3. Legacy System Exception Processes

The document's treatment of legacy systems in the 2030-2035 migration window implies that exceptions or waivers may be available for systems that cannot feasibly migrate by 2030. The process for requesting and documenting such exceptions has not been formally defined in the IPD.

4. Pre-Shared Key Replacement by December 31, 2030

The implied December 31, 2030 deadline for pre-shared key replacement in civilian networks affects a class of infrastructure (network devices, VPN concentrators, out-of-band management channels) that is often overlooked in public-key migration planning. Organizations whose cryptographic inventories do not include pre-shared key usage will discover gaps late.[NIST IR 8547 IPD]

Implications for Compliance Officers: Why 2026 Planning Is Not Early

Enterprise cryptographic migrations across complex infrastructure (PKI hierarchies, TLS termination points, HSM fleets, VPN fabrics, and third-party supply chains) routinely require five to ten years from inventory to full cutover. An organization that begins cryptographic planning in 2027 is already operating with compressed margin against the 2030 deprecation deadline, and has less than eight years against the 2035 disallowance. The additional dimension is that adversaries engaged in harvest-now-decrypt-later collection are already acquiring ciphertext from systems that use RSA and ECC today. Long-lived sensitive data (regulated health records, financial transaction histories, multi-year contracts) encrypted under quantum-vulnerable algorithms is already at exposure risk for future decryption. This is not a speculative future state; it is a current data posture decision with a long tail. Building cryptographic agility into systems now reduces the cost and disruption of algorithm transitions as the IR 8547 timelines approach.

Security architects broadly recommend that compliance officers treat the publication of IR 8547's Initial Public Draft as the operational start of the compliance clock, not the publication of the final version. The comment period has closed and revisions are underway; the policy direction is settled even if the exact final text is not. Organizations waiting for a final rule before beginning inventory work are accepting unnecessary schedule risk.

The concrete first step is a complete cryptographic asset inventory, conducted before the final version of IR 8547 is published. This inventory should capture every system that uses public-key cryptography for key establishment, authentication, or digital signatures; the algorithm and key length in use; whether the system is in scope for FIPS conformance; and estimated migration complexity. That inventory is the prerequisite for every subsequent prioritization and remediation decision. A Cryptographic Bill of Materials (CBOM) provides the structured format for capturing and maintaining this inventory in a way that supports ongoing compliance tracking as NIST guidance evolves.
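
As an added illustration (not part of the original article, and not NIST tooling), the following Python example triages a small constructed inventory against the deadlines as this article summarizes them. The `Asset` fields, the status labels, the sample records, and the ordering (earliest deadline, then long-term confidentiality, then FIPS scope) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
# Rules as summarized in this article; check them against the IR 8547 tables.
DEPRECATED_2030 = {("RSA", 2048), ("ECC", 256)}   # the article's ~112-bit examples
PQC_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA")    # FIPS 203, 204, 205
RANK = {"deprecated-2030": 0, "psk-replace-2030": 0, "disallowed-2035": 1,
        "hybrid-unresolved": 2, "needs-review": 2}  # assumed urgency order

@dataclass
class Asset:                       # hypothetical inventory record
    name: str
    algorithm: str                 # e.g. "RSA-2048", "ECDSA P-384", "PSK"
    fips_scope: bool
    long_term_confidentiality: bool = False

def classify(algorithm: str) -> str:
    alg = algorithm.upper().replace(" ", "")
    if "+" in alg:                 # hybrid: post-2035 status is an open question
        return "hybrid-unresolved"
    if alg.startswith(PQC_PREFIXES):
        return "approved-pqc"
    if alg == "PSK":               # implied December 31, 2030 replacement
        return "psk-replace-2030"
    sym = re.fullmatch(r"(AES|SHA)-?(\d+)", alg)
    if sym and int(sym.group(2)) >= (128 if sym.group(1) == "AES" else 256):
        return "approved-symmetric"
    rsa = re.fullmatch(r"RSA-?(\d+)", alg)
    ecc = re.search(r"P-?(\d{3})$", alg)   # ECDSAP-384, ECDHP-256, P-521
    key = ("RSA", int(rsa.group(1))) if rsa else ("ECC", int(ecc.group(1))) if ecc else None
    if key in DEPRECATED_2030:
        return "deprecated-2030"   # no new deployments after 2030, gone by 2035
    if key and key[1] > (2048 if key[0] == "RSA" else 256):
        return "disallowed-2035"
    return "needs-review"          # outside what the article covers

def triage(assets):
    """(name, status) for every asset needing action, most urgent first."""
    todo = [(a, s) for a in assets if (s := classify(a.algorithm)) in RANK]
    todo.sort(key=lambda r: (RANK[r[1]], not r[0].long_term_confidentiality,
                             not r[0].fips_scope, r[0].name))
    return [(a.name, s) for a, s in todo]

INVENTORY = [                      # constructed sample records
    Asset("vpn-gateway", "ECDH P-256", True, long_term_confidentiality=True),
    Asset("code-signing-ca", "RSA-4096", True),
    Asset("mgmt-switch", "PSK", False),
    Asset("edge-tls", "ML-KEM-512+P-521", True),
    Asset("backup-store", "AES-256", True, long_term_confidentiality=True),
]
```

Calling `triage(INVENTORY)` lists the VPN gateway and the pre-shared-key device ahead of the RSA-4096 CA, and keeps the hybrid deployment visible as an open item rather than marking it compliant.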

Key Takeaways

  • NIST IR 8547, published November 12, 2024, establishes a 2030 deprecation deadline for ~112-bit algorithms (RSA-2048, P-256) and a 2035 disallowance deadline for all quantum-vulnerable public-key algorithms, including RSA-3072 and P-384.
  • Deprecated means no new deployments permitted after 2030; disallowed means full prohibition in NIST standards and FIPS guidelines from 2035.
  • NIST confirmed at the March 2025 Real World Cryptography session that IR 8547 timelines are aligned with NSM-10's federal mandate.
  • Symmetric algorithms with ≥128-bit security (AES-128 and above) are not subject to these deprecation timelines.
  • The post-2035 compliance status of hybrid PQC-classical schemes remains an unresolved regulatory question in the NIST PQC Forum.
  • Organizations in the federal supply chain face contractual and audit exposure from these timelines well before 2035; waiting for a final rule before beginning inventory work is a high-risk posture.
  • A cryptographic asset inventory is the prerequisite action before any migration planning or vendor engagement can be meaningfully sequenced.


Related Reading

Primary sources:

This article draws on primary documentation from NIST IR 8547 Initial Public Draft (November 2024), the NIST March 2025 Real World Cryptography PQC presentation, and the NIST PQC Forum IR 8547 discussion thread. All claims verified against official sources as of April 2026.

Disclaimer: This content is for informational purposes only and does not constitute legal, regulatory, or compliance advice. Consult a qualified professional before making compliance decisions. pqcinformation.com is independent and not affiliated with any vendor or standards body.