The National Institute of Science and Technology (NIST) is officially sunsetting the use of the old DES Data Encryption Algorithm (DEA). Although the single-key version of it was withdrawn almost 20 years ago, the stronger three-key versions (2TDEA and 3TDEA) have been permitted to give organizations a chance to transition. That transition period is now officially over and the withdrawal of the special publication will be effective on January 1, 2024.
DES is an outdated encryption algorithm developed by IBM that was the standard (unclassified) encryption algorithm adopted by U.S. government agencies in the mid-late 1970's (FIPS Pub. 46) but has largely been replaced with the "Advanced Encryption Standard" generally known as AES. The move comes after multiple revisions of NIST's guidance in SP8--67, which successively added additional limitations on this old algorithms use. The withdrawal of the standards means that DEA will only be permitted for limited purposes, like decryption and continued functionality with data that already used DEA, but not used to protect any new data after December 31, 2023.
While few businesses, if any, should still be using DES in any form, businesses should verify that legacy systems (and systems used by their vendors) have transitioned off of it. This is especially important for businesses that may be in the supply chain for products and services used by the United States federal government, as these services will need to be updated prior to the effective date of the withdrawal.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
