The second public draft of NIST Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility: Strategies and Practices, is available for comment. The public comment period for this second draft is open through August 15, 2025.
Advances in computing capabilities, cryptographic research, and cryptanalytic techniques necessitate the replacement of cryptographic algorithms that no longer provide adequate security. A typical algorithm transition is costly, takes time, raises interoperability issues, and disrupts operations. Cryptographic (crypto) agility refers to the capabilities needed to replace and adapt cryptographic algorithms in protocols, applications, software, hardware, firmware, and infrastructures while preserving security and ongoing operations.
The initial public draft (ipd) of NIST Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility: Strategies and Practices, was released on March 5, 2025. It offered a common understanding of challenges and identified existing approaches related to crypto agility. The first draft was based on discussions that NIST conducted with various organizations and stakeholders and provided read-ahead material for a virtual Crypto Agility workshop hosted by NIST on April 17-18, 2025.
This second public draft (2pd) reflects the workshop findings and the feedback received during the first draft’s public comment period. It includes sections on crypto agility for security protocols and applications, crypto agility strategic plans, and considerations for future work.
To advance crypto agility, NIST encourages ongoing dialogue among stakeholders to establish strategies, frameworks, requirements, and metrics tailored to specific sectors and environments. This will help inform a maturity model with key performance indicators (KPIs) and facilitate the development of common crypto Application Programming Interfaces (APIs) and tools.
See the publication details for a copy of the draft and instructions for submitting comments.