I am reviewing this for the Operations Directorate. The intention is to provide input to the Area Director in his balloting. I consider the document to be mostly ready, but has issues that need to be resolved before being passed.

My first concern is a statement in the abstract that "This document obsoletes RFC 7321 on the cryptographic recommendations only," but the header says that it obsoletes 7321. Later, in the second paragraph of 1.2, it states that "This document only provides recommendations for the mandatory-to-implement algorithms and algorithms too weak that are recommended not to be implemented. ", but a diff against 7321 would suggest it is largely rewritten. Does it obsolete the entire RFC, or only those portions that relate to cryptography (leaving the rest intact)?  Is an implementor expected to read both documents, or just the resulting one? I'm not sure what sections of 7321 are intended to remain normative and which have been obsoleted, since this document states both directions. I would recommend a text change clarifying the point.

Second, 7321 states that it contains text that is older than a certain date and the relevant permissions may not have been obtained. The draft lacks that statement. The IESG should determine the status: does the document contain old text, and if so, has the relevant permission been obtained?

From an operational perspective, what this document mostly does is change recommendations regarding cypher suites and make comments regarding IoT. I'm not sure that it changes the way an implementation would be used or managed operationally, apart from the crypto algorithms in question. Hence, I would guess that the update has no direct operational impact beyond the usual issues of deploying new or updated products in one's network.