🌐
Stack Exchange
security.stackexchange.com › questions › 146710 › is-the-3des-algorithm-secure
encryption - Is the 3DES algorithm secure? - Information Security ...

NIST still recognizes 3DES (ANSI X9.52-1998) as a secure symmetric-key encryption algorithm when configured to operate as described in NIST SP 800-20. There are still Cryptographic Algorithm Validation Program (CAVP) certificates issued for 3DES in 2016. However, many open source projects (e.g. OpenSSL) and international certification standards (e.g. Common Criteria) have already deprecated 3DES.

3DES is being phased out because of various vulnerabilities (e.g. collision attacks like Sweet32). While there are still ways to compensate (e.g. frequent rekeying, disabling CBC mode) to prolong its life, there is no good reason not to switch to AES.

So are you vulnerable RIGHT NOW? Not if you correctly implemented and configured 3DES. Should you be planning your move to AES? Absolutely! It is only a matter of time until 3DES is too broken to be considered secure.

Answer from Kirill Sinitski on security.stackexchange.com
🌐
NordVPN
atlasvpn.com › home › blog
What is the Data Encryption Standard (DES)?
October 6, 2015 - At NordVPN, we believe that everyone deserves privacy and security online. Read our NordVPN blog for all the latest cybersecurity news and tech insights.
🌐
SDxCentral
sdxcentral.com › security › cybersecurity explainers › what is encryption? definition › what is a virtual private network (vpn)? › what is the data encryption standard (des)?
What is the Data Encryption Standard (DES)? - SDxCentral
November 8, 2022 - The Data Encryption Standard (DES) is a standard that uses a symmetric key method to encrypt and decrypt data. Both parties must have the same private key.
🌐
Britannica
britannica.com › topic › Data-Encryption-Standard
Data Encryption Standard (DES) | Britannica
July 22, 2009 - The security of the DES is no greater than its work factor—the brute-force effort required to search 2^56 keys. That is a search for a needle in a haystack of 72 quadrillion straws. In 1977 that was considered an impossible computational task. In 1999 a special-purpose DES search engine combined ...
🌐
Crypto-it
crypto-it.net › eng › symmetric › des.html
DES Symmetric Cipher | Cryptography | Crypto-IT
DES (Data Encryption Standard) is a symmetric block cipher, one of the first modern ciphers, which were widely implemented programmatically.
🌐
GeeksforGeeks
geeksforgeeks.org › data-encryption-standard-des-set-1
Data encryption standard (DES) | Set 1 - GeeksforGeeks
September 20, 2023 - In conclusion, the Data Encryption Standard (DES) is a block cipher with a 56-bit key length that has played a significant role in data security. However, due to vulnerabilities, its popularity has declined. DES operates through a series of rounds involving key transformation, expansion permutation, and substitution, ultimately producing ciphertext from plaintext. While DES has historical significance, it’s crucial to consider ...
🌐
Stack Overflow
stackoverflow.com › questions › 62437171 › can-i-use-3des-in-my-application-in-2020
security - Can I use 3DES in my application in 2020? - Stack Overflow

Short answer is no, you cannot use 3DES because 3DES is prohibited for usage by regulations.

Long answer:

There are three major DES algorithms. I am gonna cover 3DES, 2-3DES and DES, all prohibited.

Gotta be extra careful when dealing with XXXDES because they're easily confused and misconfigured.

AES 128 bits is the generally accepted replacement.

DES

DES is the basic algorithm, published in 1975, using 56-bit keys.

It laid the foundation of symmetric cryptography / block ciphers a very long time ago.

DES has been insecure and prohibited from usage since the beginning of the 2000s. Computational power has grown over time, to the point where it's easy to crack 56-bit keys.

2-keys 3DES (or 2TDES or 2DES)

2DES is a similar algorithm using two 56-bit keys, providing 112-bit strength encryption.

It's actually 3DES (requiring 3 keys) with the 3rd key not being set. I am gonna call it 2DES to distinguish.

2DES is very tricky because it's virtually indistinguishable from 3DES. They're both defined in the standard and implemented together. It's possible that software claiming to do 3DES is actually doing 2DES or either depending on configuration settings, and that's a problem.

2-keys 3DES is prohibited from usage in applications, as of March 2019.

Quoting the official NIST.SP.800-131Ar2 document, page 13:

Encryption using two-key TDEA is disallowed.

3DES (or TDES or TDEA)

3DES is an evolution of DES using three 56-bit keys, providing 112-bit strength encryption.

Due to construction, this is only as strong as 2^112 + 2^56, rather than 2^168. See meet in the middle attack.

3DES is prohibited from usage in applications, as of 2023.

3DES is prohibited from usage in new applications, as of November 2017.

3DES is prohibited from usage in legacy applications (created before 2017 and in operation before 2023) unless the usage fits within the limitations specified by NIST, in which case 3DES is only deprecated (can be used until 2023). There are quite a few of these, disseminated across NIST documents, including but not limited to not doing 2-key 3DES, blacklisting a set of keys listed in the spec, not encrypting more than 8 MB of data, etc.

The odds to satisfy all the restrictions for legacy status AND be able to evidence it are fairly low. Do yourself a favor and consider that 3DES is simply prohibited generally since 2017. If you're dealing with systems using 3DES in 2020, they're in dire need of an upgrade!

  • Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, from NIST, 2017.
  • Transitioning the Use of Cryptographic Algorithms and Key Lengths, from NIST, 2019.

Additional Restrictions

3DES is considered 112 bits strength (it's weak). Anything that restricts the usage of less than 128 bits encryption de-facto affects 3DES.

Software regulations don't specify accepted technical measures (they don't say to use 3DES or any algorithm by name); they usually say to follow the recommended or generally accepted security practices, sometimes explicitly pointing to NIST or a similar agency that issues standards.

There is an interesting conundrum in how regulations combine. For example, there are extra regulations around systems dealing with payments or sensitive information or PII. Depending on interpretation and exact usage, 3DES could be prohibited as soon as it's deprecated by any formal standard (long before the NIST formally terminates it in 2023).

ENISA, the European Union Agency for Cybersecurity (equivalent of NIST in Europe), published official guidelines in 2013 recommending a 128-bit minimum for encryption and formally classifying both 3DES and 2DES as legacy.

Legacy: (two-key 3DES and three-key 3DES)

  • No known weaknesses at present.
  • Better alternatives exist.
  • Lack of security proof or limited key size.

Generally speaking we feel the minimum key size for a block cipher should be 128 bits; the minimum for the block size depends on the precise application but in many applications (for example construction of MAC functions) a 128-bit block size should now be considered the minimum in many applications. We also consider that the maximum amount of data which should be encrypted under the same key should be bounded by 2^(n/2), where n is the block size in bits. However, as indicated before some short lived cryptograms may warrant smaller block and key sizes in their constructions; but for general applications we recommend a minimum of 128 bits.

  • Recommended cryptographic measures - Securing personal data, from ENISA, 2013.
  • Recommended cryptographic measures - Securing personal data, from ENISA, 2014.

No need to panic

While all variants of 3DES need to go away, there is no need to panic about it (unlike RC4 or MD5 for example that really have issues).

The algorithm is not catastrophically broken or vulnerable as long as you follow the guidelines like not encrypting more than 8 MB of data with it (well, gotta admit it is broken somewhat). The fundamental issue is 3DES keys could be cracked in a reasonable human time if one were to put a whole AWS datacenter to the task.

AES-128 is the direct successor to DES. It's a direct replacement and it's a lot faster.

If 3DES can encrypt 100 MB/s on a core, AES-128 can encrypt 300 MB/s on the same core, or 1000 MB/s if the CPU has AES-NI instructions (most x64 CPUs after 2016).

Answer from user5994461 on stackoverflow.com
🌐
Ciberforma Lda
networkencyclopedia.com › home › blog › data encryption standard (des)
Data Encryption Standard (DES) - NETWORK ENCYCLOPEDIA
May 18, 2023 - A more secure variant of DES, Triple DES, encrypts each message using three different 56-bit keys in succession. Triple DES thus extends the DES key to 168 bits in length. ... The U.S. government controls the export of encryption standards and technology. A new encryption standard called Advanced Encryption Standard (AES) is now in use and replaced DES because DES is no longer considered ...
🌐
Microsoft
learn.microsoft.com › en-us › services-hub › unified › health › remediation-steps-ad › remove-the-highly-insecure-des-encryption-from-user-accounts
Remove the highly insecure DES encryption from the User accounts ...
DES encryption uses a 56-bit key to encrypt the content and is now considered to be highly insecure.
🌐
EMB Blogs
blog.emb.global › home › technology › data › understanding the basics of data encryption standard (des)
Understanding the Basics of Data Encryption Standard (DES)
July 8, 2024 - Triple DES (3DES) is an enhancement of DES that applies the DES algorithm three times to each data block. It uses two or three unique keys to increase security, providing a longer key length and stronger encryption. DES encryption, with its 56-bit key length, is considered weak by today’s ...
🌐
Brainly
brainly.com › computers and technology › high school
Although the Data Encryption Standard (DES) algorithm is sound, ...
Find an answer to your question Although the Data Encryption Standard (DES) algorithm is sound, it is no longer considered secure because: A. of its XOR result.…
🌐
Stack Exchange
crypto.stackexchange.com › questions › 77030 › 2des-is-double-secure-of-des
meet in the middle attack - 2Des is double secure of DES? - ...

The Meet-in-the-Middle attack was (first?) exposed publicly in the context of DES by Whitfield Diffie and Martin E. Hellman, in Exhaustive Cryptanalysis of the NBS Data Encryption Standard (published in IEEE Computer magazine, 1977). In this attack, if we count only the time spent doing DES computations (thus discount the time and cost of memory and memory accesses), then we can find the 112-bit key of 2DES from a few known plaintext/ciphertext pairs using only a little more than twice the time it takes to find the key in DES. The factor is actually closer to 17/8 for worst-case time; and closer to 3 for average time.

That's a strong indication that 2DES is over twice as safe against key search as DES is, given a few plaintext/ciphertext pairs. That's (slightly over, but most importantly only) 1 useful extra key bit out of 56 (or over 55 under CPA due to the complementation property), when examination of the key space would (wrongly) conclude 56 extra key bits.

But the question can be understood as asking to confirm that 2DES can be broken with about twice the time it takes for DES. That's a broader statement, and very wrong in practice. Fact is, cost of memory and cost and time of memory accesses make a straight MitM attack impractical.

There are practical alternatives to straight MitM, but the increase in time is much larger than a factor 2. As far as I know, the best reference on that is section 5.3 in Paul C. van Oorschot and Michael J. Wiener's Parallel Collision Search with Cryptanalytic Applications (1996), published in Journal of Cryptology, 1999. They state that 2DES offers "only 17 more bits of security" than DES does (that would still be over a hundred thousand times more).

Additionally: key search is far from being the only cryptanalytic attack. Sometimes the 64-bit block size is the weak spot, and 2DES is just as weak as DES from that standpoint (see the Sweet32 attack pointed out by Lery in a comment). Also, a DES key can sometimes be found other than by key search, e.g. by compromise of a device holding the key (in which case the duration of the attack is often essentially independent of the number of chained DES), or Differential Power Analysis (in which case 2DES or 3DES often are only marginally more secure than DES).

Answer from fgrieu on crypto.stackexchange.com
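As an added example, not part of fgrieu's answer or of the question it responds to, the Go program below runs the meet-in-the-middle key recovery described above against double DES, C = DES-ENC_K2(DES-ENC_K1(P)), using the standard library's crypto/des. Everything about the setup is constructed for the demo: the key space is deliberately shrunk to 14 varying bits per half (a fixed, public six-byte prefix plus two bytes with their parity bits held at zero, so every index is a distinct effective DES key), the three known plaintexts and the two secret key indices are made up, and the names DoubleDES, MeetInTheMiddle and KnownPairs belong to this example alone.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Reduced key space, constructed for the demo: six key bytes are fixed and only the
// last two vary, with their parity bits held at zero so every index is a distinct
// effective DES key. Each half of 2DES therefore has 2^14 keys: naive exhaustive
// search costs 2^28 DES operations, meet-in-the-middle about 2*2^14 operations
// plus a 2^14-entry table. With real 56-bit halves the same shape gives roughly
// 2^57 time and 2^56 memory instead of 2^112, which is the answer's point.
const keyBits = 14
const keySpace = 1 << keyBits

var keyPrefix = [6]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab} // fixed, public, not a secret

func keyFromIndex(i uint32) []byte {
	k := make([]byte, 8) // DES keys are 8 bytes, 56 of the 64 bits effective
	copy(k, keyPrefix[:])
	k[6] = byte(i>>7) << 1   // upper 7 index bits, parity bit clear
	k[7] = byte(i&0x7f) << 1 // lower 7 index bits, parity bit clear
	return k
}

// desBlock runs one single-DES block operation using the standard library.
func desBlock(key, in []byte, encrypt bool) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	if encrypt {
		c.Encrypt(out, in)
	} else {
		c.Decrypt(out, in)
	}
	return out
}

// DoubleDES is the 2DES of the answer: C = DES-ENC_K2(DES-ENC_K1(P)).
func DoubleDES(k1, k2 uint32, p []byte) []byte {
	return desBlock(keyFromIndex(k2), desBlock(keyFromIndex(k1), p, true), true)
}

// MeetInTheMiddle recovers (k1, k2) from a few known plaintext/ciphertext pairs.
// Pass 1 tabulates DES-ENC_K1(P0) for every K1; pass 2 computes DES-DEC_K2(C0) for
// every K2 and looks it up. A hit is only a candidate: one 64-bit block cannot rule
// out chance matches, so the remaining pairs confirm it.
func MeetInTheMiddle(pairs [][2][]byte) (k1, k2 uint32, ok bool) {
	p0, c0 := pairs[0][0], pairs[0][1]
	table := make(map[[8]byte][]uint32, keySpace)
	for i := uint32(0); i < keySpace; i++ {
		var mid [8]byte
		copy(mid[:], desBlock(keyFromIndex(i), p0, true))
		table[mid] = append(table[mid], i)
	}
	for j := uint32(0); j < keySpace; j++ {
		var mid [8]byte
		copy(mid[:], desBlock(keyFromIndex(j), c0, false))
		for _, i := range table[mid] {
			if confirm(i, j, pairs[1:]) {
				return i, j, true
			}
		}
	}
	return 0, 0, false
}

func confirm(k1, k2 uint32, pairs [][2][]byte) bool {
	for _, pr := range pairs {
		if !bytes.Equal(DoubleDES(k1, k2, pr[0]), pr[1]) {
			return false
		}
	}
	return true
}

// KnownPairs plays the victim: it encrypts three constructed 8-byte plaintexts
// under the secret indices, which is all the attacker gets to see.
func KnownPairs(k1, k2 uint32) [][2][]byte {
	var pairs [][2][]byte
	for _, p := range []string{"ATTACK A", "T DAWN!!", "PAD-PAD-"} {
		pairs = append(pairs, [2][]byte{[]byte(p), DoubleDES(k1, k2, []byte(p))})
	}
	return pairs
}

func main() {
	pairs := KnownPairs(0x1a2b, 0x3c4d) // secret indices, both below 2^14
	k1, k2, ok := MeetInTheMiddle(pairs)
	fmt.Printf("recovered k1=%#x k2=%#x ok=%v; work 2^%d instead of 2^%d\n", k1, k2, ok, keyBits+1, 2*keyBits)
}
```

The table is where the answer's caveat lives: here it has 2^14 entries and fits in a map, but against real 56-bit halves it would need 2^56 entries of 64 bits each, which is why counting only DES operations overstates how practical straight MitM is and why the parallel collision search reference above matters.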
🌐
Stack Exchange
crypto.stackexchange.com › questions › 95967 › how-to-make-des-more-secure-without-switching-from-des-state-to-another-cryptogr
3des - How to make DES more secure without switching from des state ...

Arguably the most serious security issue with DES is its small key of 8 bytes with only $2^{56}$ effective keys¹, which makes it vulnerable to brute force key search. This is a deliberate design choice.

A standard way to improve on this issue while still using DES is TDEA, also known as 3DES. The key is extended to 2 or 3 keys of 8 bytes $(K_1,K_2)$ or $(K_1,K_2,K_3)$. These modes are designated TDEA with keying option 2 (16-byte key) and keying option 1 (24-byte key). Encryption of an 8-byte plaintext block $P$ or ciphertext block $C$ becomes $$\begin{align} \operatorname{TDEA-ENC}_{(K_1,K_2)}(P)&\underset{\text{def}}=\operatorname{DES-ENC}_{K_1}(\operatorname{DES-DEC}_{K_2}(\operatorname{DES-ENC}_{K_1}(P)))\\ \operatorname{TDEA-DEC}_{(K_1,K_2)}(C)&\underset{\text{def}}=\operatorname{DES-DEC}_{K_1}(\operatorname{DES-ENC}_{K_2}(\operatorname{DES-DEC}_{K_1}(C)))\\ \operatorname{TDEA-ENC}_{(K_1,K_2,K_3)}(P)&\underset{\text{def}}=\operatorname{DES-ENC}_{K_3}(\operatorname{DES-DEC}_{K_2}(\operatorname{DES-ENC}_{K_1}(P)))\\ \operatorname{TDEA-DEC}_{(K_1,K_2,K_3)}(C)&\underset{\text{def}}=\operatorname{DES-DEC}_{K_1}(\operatorname{DES-ENC}_{K_2}(\operatorname{DES-DEC}_{K_3}(C)))\\ \end{align}$$

That largely solves the issue of brute force key search, which becomes economically infeasible for 24-byte keys, and arguably still for 16-byte keys. The next worrying issues become

  1. The small 8-byte block size of 64 bits, which is an issue when the amount of data encrypted with the same key is in gigabytes.
  2. Low speed, worsened by a factor close to three by using TDEA/3DES.
  3. Side channel and fault attacks.
  4. The complementation property: $\operatorname{DES-ENC}_{\overline K}(\overline P)=\overline{\operatorname{DES-ENC}_K(P)}$, which also applies to TDEA/3DES.

While there are solutions to 1 and even 4 using DES as a building block, those that are secure are complex, seriously worsen 2, and are not standardized. I'd recommend going with AES or ChaCha.


In order to improve on 2, Ronald Rivest proposed DESX, an alternative to TDEA/3DES. It's studied by Joe Kilian and Phillip Rogaway: How to Protect DES Against Exhaustive Key Search, in proceedings of Crypto 1996 then Journal of Cryptology (2001). It's defined by $$\begin{align} \operatorname{DESX-ENC}_{(K,K_1)}(P)&\underset{\text{def}}=K_1\oplus \operatorname{DES-ENC}_K(K_1\oplus P)\\ \operatorname{DESX-DEC}_{(K,K_1)}(C)&\underset{\text{def}}=K_1\oplus \operatorname{DES-DEC}_K(K_1\oplus C)\\ \operatorname{DESX-ENC}_{(K,K_1,K_2)}(P)&\underset{\text{def}}=K_2\oplus \operatorname{DES-ENC}_K(K_1\oplus P)\\ \operatorname{DESX-DEC}_{(K,K_1,K_2)}(C)&\underset{\text{def}}=K_1\oplus \operatorname{DES-DEC}_K(K_2\oplus C)\\ \end{align}$$ It largely has the advantages of TDEA/3DES in terms of resistance to strictly brute-force key search, with very little extra cost compared to DES. However some caveats apply, as this construction (now known as the FX construction when generically applied to a block cipher) allows specific time-memory tradeoffs, see Itai Dinur, Cryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE, in proceedings of Eurocrypt 2015; and its references.


¹ Down to $2^{55}$ when the complementation property applies, which includes chosen plaintext attack.

Answer from fgrieu on crypto.stackexchange.com
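The following Go program is an added example, not code from fgrieu's answer or from any project the page mentions. It builds TDEA from three single-DES block operations exactly as the TDEA-ENC and TDEA-DEC formulas above define them, for both the 16-byte (keying option 2) and 24-byte (keying option 1) forms, and checks the result against Go's own crypto/des TripleDES. It also addresses the Stack Overflow answer's warning earlier on the page that software "doing 3DES" may really be doing two-key 3DES: KeyingOption inspects a key and reports whether it yields three-key TDEA, two-key TDEA, or, when K1 = K2 or K2 = K3, plain single DES. Finally it checks item 4 of the list, the complementation property, carried over to TDEA. All key and plaintext values are constructed for the demo, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// desBlock runs one single-DES block operation using the standard library.
func desBlock(key, in []byte, encrypt bool) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	if encrypt {
		c.Encrypt(out, in)
	} else {
		c.Decrypt(out, in)
	}
	return out
}

// splitKey maps a 16-byte key to (K1, K2, K1), keying option 2, and a 24-byte
// key to (K1, K2, K3), keying option 1. Any other length is a caller bug.
func splitKey(key []byte) (k1, k2, k3 []byte) {
	switch len(key) {
	case 16:
		return key[0:8], key[8:16], key[0:8]
	case 24:
		return key[0:8], key[8:16], key[16:24]
	}
	panic(fmt.Sprintf("TDEA key must be 16 or 24 bytes, got %d", len(key)))
}

// TDEAEncrypt is DES-ENC_K3(DES-DEC_K2(DES-ENC_K1(P))), as defined in the answer above.
func TDEAEncrypt(key, p []byte) []byte {
	k1, k2, k3 := splitKey(key)
	return desBlock(k3, desBlock(k2, desBlock(k1, p, true), false), true)
}

// TDEADecrypt is DES-DEC_K1(DES-ENC_K2(DES-DEC_K3(C))).
func TDEADecrypt(key, c []byte) []byte {
	k1, k2, k3 := splitKey(key)
	return desBlock(k1, desBlock(k2, desBlock(k3, c, false), true), false)
}

// MatchesStdlib checks the hand-built TDEA against crypto/des's own TripleDES,
// which takes 24 bytes only, so a 16-byte key is passed as K1|K2|K1.
func MatchesStdlib(key, p []byte) bool {
	k1, k2, k3 := splitKey(key)
	std, err := des.NewTripleDESCipher(append(append(append([]byte{}, k1...), k2...), k3...))
	if err != nil {
		panic(err)
	}
	want := make([]byte, des.BlockSize)
	std.Encrypt(want, p)
	return bytes.Equal(TDEAEncrypt(key, p), want)
}

// KeyingOption reports what a key actually provides. The DES parity bit (low bit of
// each byte) is masked off because the key schedule ignores it. K1 == K3 is two-key
// TDEA however the API labels it; K1 == K2 or K2 == K3 cancels two of the three
// operations and leaves single DES under the remaining key.
func KeyingOption(key []byte) string {
	k1, k2, k3 := splitKey(key)
	same := func(a, b []byte) bool {
		for i := range a {
			if a[i]&0xfe != b[i]&0xfe {
				return false
			}
		}
		return true
	}
	switch {
	case same(k1, k2) || same(k2, k3):
		return "single DES (degenerate)"
	case same(k1, k3):
		return "two-key TDEA (keying option 2)"
	}
	return "three-key TDEA (keying option 1)"
}

// ComplementationHolds: complementing every key byte and the plaintext complements
// the ciphertext, the DES property from the answer lifted through all three stages.
func ComplementationHolds(key, p []byte) bool {
	not := func(b []byte) []byte {
		out := make([]byte, len(b))
		for i := range b {
			out[i] = ^b[i]
		}
		return out
	}
	return bytes.Equal(not(TDEAEncrypt(key, p)), TDEAEncrypt(not(key), not(p)))
}

func main() {
	// Constructed demo keys; printable ASCII is never acceptable as real key material.
	keys := [][]byte{
		[]byte("0123456789abcdefFEDCBA98"), // K1, K2, K3 distinct
		[]byte("0123456789abcdef01234567"), // K3 == K1: two-key TDEA in a 24-byte coat
		[]byte("0123456789abcdef"),         // 16-byte form of the same two-key cipher
		[]byte("0123456701234567deadbeef"), // K1 == K2: collapses to single DES
	}
	p := []byte("8bytebl0")
	for _, k := range keys {
		fmt.Printf("%-24s %-32s stdlib=%v roundtrip=%v complement=%v\n", k, KeyingOption(k), MatchesStdlib(k, p), bytes.Equal(TDEADecrypt(k, TDEAEncrypt(k, p)), p), ComplementationHolds(k, p))
	}
}
```

The parity mask in KeyingOption matters in practice: two key halves that differ only in their low bits drive identical key schedules, so a check that compares raw bytes would report three-key TDEA for what is, cryptographically, the two-key or single-DES case.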
🌐
Tutorialspoint
tutorialspoint.com › what-is-the-des-algorithm-in-information-security
What is the DES algorithm in Information Security?
What is the DES algorithm in Information Security - DES stands for Data Encryption Standard. The Data Encryption Standard (DES) algorithm was developed by IBM in the early 1970s. It takes plaintext in 64-bit blocks and transforms it into ciphertext using a 64-bit key (56 effective bits) to encrypt ...
🌐
GeeksforGeeks
geeksforgeeks.org › strength-of-data-encryption-standard-des
Strength of Data encryption standard (DES) - GeeksforGeeks
August 18, 2020 - It secures sensitive data by rendering it unreadable to unauthorized events, making sure of confidentiality, integrity, and authenticity. What is Encryption? ... Data Integrity and Privacy form the building blocks of cybersecurity. These three core techniques- encryption, hashing, and salting, are considered ...
🌐
Quora
quora.com › What-is-DES-in-cyber-security
What is DES in cyber security? - Quora
Answer (1 of 5): The Data Encryption Standard (DES) is an outdated symmetric-key method of data encryption. To gain a knowledge on DES, you must be aware about Data Encryption and Data Decryption. Data Encryption: Data Encryption is basically translating data into a secret code or secret langu...
🌐
Lee Neubecker
leeneubecker.com › home › blog › 3des insecurities pose risk to many financial institutions and us military
3DES Insecurities Pose Risk to Many Financial Institutions and ...
July 7, 2017 - Financial institutions have historically relied upon DES and later 3DES to secure financial transactions. Some of the top banks have recognized the problem that exists today with 3DES Encryption suite which is no longer necessary for anyone running Windows 8 or later, or even a recent version ...
🌐
Splunk
splunk.com › en_us › blog › learn › triple-des-data-encryption-standard.html
The Triple DES Intro: Triple Data Encryption Standard | Splunk
Finally, the Triple DES scheme that uses three different keys offers a 100-bit security level which is considered acceptable until the year 2030.
🌐
www.javatpoint.com
javatpoint.com › what-is-des
What is DES - javatpoint
What is DES with Cybersecurity Tutorial, Introduction, Cybersecurity History, Goals, Cyber Attackers, Cyber Attacks, Security Technology, Threats to E-Commerce, etc.
🌐
ScienceDirect
sciencedirect.com › topics › engineering › data-encryption-standard
Data Encryption Standard - an overview | ScienceDirect Topics
Third, the DES performs a complex ... and thus is called a 56-bit key. Amazingly, this 56-bit key process results in 70 quadrillion possible key combinations for each message. For this reason, any message encrypted by the DES was considered, for many years, to be secure from a successful ...