Compliance / NIST
NIST Cryptography Compliance
The NIST channel is the highest-priority baseline source in Korthex: 24 rules curated from SP 800-131A Rev. 2 (algorithm transitions), FIPS 180-4 (secure hash standard) and FIPS 197 (AES), tagged against FIPS 140-3, with the FIPS 203 / 204 / 205 post-quantum successors mapped per NIST IR 8547.
What the NIST transition schedule requires
- 3DES: disallowed for encryption after 2023 (SP 800-131A Rev. 2)
- SHA-1: disallowed for digital signature generation; hash migration to SHA-2 / SHA-3
- RSA below 2048 bit and legacy finite-field parameter sets: disallowed
- AES (FIPS 197) and the SHA-2 family (FIPS 180-4) as the approved symmetric baseline
- Post-quantum: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205) approved since August 2024; RSA and ECC deprecated after 2030 and disallowed after 2035 per NIST IR 8547
The Korthex NIST channel
The channel's 24 rules are hand-curated from the primary documents through reviewed changes, re-checked on the 24-hour cycle, and shipped as signed updates. NIST sits first in the authority priority order, so when authorities disagree, the NIST stance decides the reported verdict, and every finding graded by a NIST rule carries the FIPS 140-3 framework tag into the report and the CBOM.
From findings to audit evidence
For FIPS-facing audits, the CBOM lists every non-approved algorithm with file, line, severity and the NIST rule that flagged it. The FIPS 140-3 deep dive covers the 140-2 sunset in September 2026 and what Korthex does and does not do around module certification.
Frequently asked questions
Which NIST documents feed the channel?
SP 800-131A Rev. 2 for algorithm transitions, FIPS 180-4 for hashes, FIPS 197 for AES, plus the FIPS 203 / 204 / 205 post-quantum standards and NIST IR 8547 timelines for successor mapping.
Does this cover post-quantum requirements?
Yes. Quantum-vulnerable findings carry their FIPS 203 / 204 / 205 successor and the IR 8547 timeline (deprecated after 2030, disallowed after 2035), and the migration plan orders the replacements.
Why is NIST the highest-priority authority?
Most customers anchor on NIST because FIPS 140-3 has the broadest procurement reach. The priority order is documented and the other authorities' stances stay visible on every finding regardless.