Advances in computing capabilities, cryptographic research, and cryptanalytic techniques periodically create the need to replace algorithms that no longer provide adequate security for their use cases. For example, the threats posed by future cryptographically-relevant quantum computers (CRQCs) to public-key cryptography are addressed by NIST post-quantum cryptography (PQC) standards. Migrating to PQC in protocols, applications, software, hardware, and infrastructures presents an opportunity to explore capabilities that could allow this cryptographic algorithm migration and future migrations to be easier to achieve by adopting a cryptographic (crypto) agility approach.
Crypto agility describes the capabilities needed to replace and adapt cryptographic algorithms for protocols, applications, software, hardware, and infrastructures without interrupting the flow of a running system to achieve resiliency. NIST Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility: Strategies and Practices, provides an in-depth survey of current approaches and considerations to achieving crypto agility. It discusses challenges, trade-offs, and some approaches to providing operational mechanisms for achieving crypto agility while maintaining interoperability. It also highlights some critical working areas that require additional discussion.
The public comment period is open through April 30, 2025. See the publication details for a copy of the draft and instructions for submitting comments.
NIST also invites discussions among stakeholders to develop sector- and environment-specific strategies for pursuing crypto agility at a future NIST virtual workshop.