NIST IR 8547: Transition to Post-Quantum Cryptography Standards

ActiveUS FederalStandard

Issuer: National Institute of Standards and Technology(NIST)
Effective date: May 1, 2025
Published date: May 1, 2025
Full text: View full text →

Summary

NIST Internal Report 8547 provides guidance on transitioning from classical public-key cryptographic algorithms (RSA, ECDSA, ECDH, DH) to the post-quantum standards defined in FIPS 203, 204, 205, and 206. It identifies classical algorithms slated for deprecation and establishes a timeline for disallowing their use in federal systems. The final version was published in 2025 following the initial public draft of November 2024.

PKI impact

High riskTLS/SSLCode SigningRoot CAEmail/S-MIMEfirmware Signing

IR 8547 formally deprecates RSA, ECDSA, ECDH, and DH in all federal information systems by 2030, with full disallowance by 2035. This drives re-keying of every federal PKI trust anchor and re-issuance of all certificates relying on classical algorithms — a massive cascading PKI operation with a hard regulatory deadline.

Migration hints

Treat 2030 as the hard re-issuance target for all federal TLS/SSL, code-signing, and email certificates — plan transition windows of 2028–2029 to account for CA lead times and chain re-issuance.
Begin replacing classical Root CA key pairs with ML-DSA equivalents now; re-keying a Root CA requires re-issuance of the entire subordinate hierarchy and distribution of new trust anchors.
Evaluate hybrid certificate issuance (classical + PQC) for TLS/SSL and S/MIME during the transition window to maintain backward compatibility with non-PQC clients and relying parties.
Update procurement language for all new PKI infrastructure (HSMs, CAs, certificate management systems) to require FIPS 203/204/205/206 support.

Trust chain considerations

Federal Root CAs signing with RSA or ECDSA must be re-keyed to ML-DSA before 2030 when classical algorithms are deprecated for new use.
Any intermediate CA using a classical algorithm will become non-compliant at the 2035 disallowance date even if end-entity certificates have already been replaced.

Milestones (2)

Deadline	Label	Type	Hard	Notes
Jan 1, 2030	Classical algorithms deprecated for federal use	Begin Migration		RSA, ECDSA, ECDH, and DH deprecated (no new uses permitted) in federal systems by 2030 per final IR 8547.
Jan 1, 2035	Classical algorithms disallowed in federal systems	Full Compliance		All use of classical public-key algorithms disallowed in federal information systems by 2035 per final IR 8547.

Algorithm references (4)

ML-KEMFIPS 203Required
Replaces: RSA, ECDH
Designated primary PQC KEM for federal use per FIPS 203.
ML-DSAFIPS 204Required
Replaces: RSA, ECDSA
Designated primary PQC signature algorithm for federal use per FIPS 204.
SLH-DSAFIPS 205Required
Replaces: RSA, ECDSA
Alternative PQC signature algorithm for federal use per FIPS 205, preferred where hash-based security properties are desired.
FALCON (FN-DSA)FIPS 206Required
Replaces: ECDSA
FN-DSA standardized in FIPS 206 (October 2024) and added to the approved algorithm set for federal use.

Changelog (2)

Date	Type	Description
May 1, 2025	Status	Final version of NIST IR 8547 published, confirming 2030 deprecation and 2035 disallowance deadlines for classical public-key algorithms in federal systems. FIPS 206 (FN-DSA) added to the approved algorithm set.
Nov 19, 2024	New	Initial Public Draft (IPD) of NIST IR 8547 released for public comment, establishing deprecation and disallowance timelines for classical cryptographic algorithms.

Issuer

National Institute of Standards and TechnologyNIST

Type: STANDARDS BODY

Region: US

Visit website →