The National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have published comprehensive migration guidance for transitioning to post-quantum cryptography (PQC), establishing concrete timelines and priorities for federal agencies. The guidance addresses the “harvest now, decrypt later” threat posed by future quantum computers.
Why the urgency
Quantum computers capable of breaking current public-key cryptography don’t exist yet—but adversaries are already collecting encrypted data today with the expectation of decrypting it once quantum capability arrives.
| Threat | Timeline |
|---|---|
| Current data collection | Ongoing |
| Quantum decryption capability | Estimated 10-15 years |
| Data sensitivity lifespan | Often 20+ years |
| Migration timeline needed | 10+ years for complex systems |
This creates a negative time window: organizations must begin migrating now for data that needs protection beyond the quantum horizon.
Finalized PQC standards
NIST finalized its first three PQC standards in August 2024 after an eight-year evaluation process:
| Standard | Name | Type | Primary Use |
|---|---|---|---|
| FIPS 203 | ML-KEM | Key-Encapsulation Mechanism | Key exchange, encryption |
| FIPS 204 | ML-DSA | Digital Signature Algorithm | Code signing, certificates, authentication |
| FIPS 205 | SLH-DSA | Hash-Based Digital Signature | Backup signature standard |
ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)
- Derived from CRYSTALS-Kyber algorithm
- Primary standard for general encryption
- Replaces RSA-KEM and ECDH in TLS, VPN, and transport protocols
- Notable for small encryption keys and fast operation
ML-DSA (Module-Lattice-Based Digital Signature Algorithm)
- Derived from CRYSTALS-Dilithium algorithm
- Primary standard for digital signatures
- Replaces RSA and ECDSA in code signing, certificates, authentication
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm)
- Based on SPHINCS+ algorithm
- Conservative backup based on well-understood hash function security
- Larger signatures but simpler security assumptions
Additional standards in development
| Algorithm | Designation | Expected | Purpose |
|---|---|---|---|
| FALCON | FN-DSA | Late 2026 | Smaller signatures for constrained environments |
| HQC | TBD | 2027 | Backup key-encapsulation mechanism |
NIST selected HQC (Hamming Quasi-Cyclic) in March 2025 as a backup for ML-KEM, with draft standard expected in early 2026.
CISA directive (January 30, 2026)
CISA released comprehensive guidance pursuant to Executive Order 14306, mandating federal procurement of quantum-resistant technology products.
Key requirements
| Deadline | Requirement |
|---|---|
| December 1, 2025 | CISA/NSA publish quantum-safe product categories |
| December 31, 2027 | Federal agencies complete cryptographic inventory |
| January 2, 2030 | TLS 1.3 (or successor) adoption required |
| December 31, 2035 | Full PQC migration complete |
Migration timeline
NIST SP 1800-38 establishes a phased migration timeline:
Phase 1: Discovery and inventory (Now through 2027)
| Task | Priority |
|---|---|
| Identify all public-key cryptography usage | High |
| Catalog libraries, key sizes, algorithm dependencies | High |
| Prioritize by data sensitivity | High |
| Assess “harvest now, decrypt later” risk | Critical |
| Submit inventory to CISA | Deadline: Dec 31, 2027 |
Phase 2: Planning and testing (2027-2030)
| Task | Consideration |
|---|---|
| Develop system migration roadmaps | Per-application planning |
| Test PQC integration | Non-production environments |
| Address performance impacts | ML-KEM keys larger than ECDH |
| Engage vendors | PQC-ready product timelines |
Phase 3: Implementation (2028-2035)
| Task | Approach |
|---|---|
| Deploy to highest-priority systems first | Risk-based prioritization |
| Implement hybrid key exchange | Transitional measure |
| Complete full migration | Deadline: Dec 31, 2035 |
NSA requirements for National Security Systems
The NSA issued complementary guidance through its CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) for national security systems (NSS):
| Data Classification | Migration Deadline |
|---|---|
| Top Secret | 2030 |
| Secret | 2033 |
| All NSS | CNSA 2.0 mandatory |
CNSA 2.0 timeline
| Deadline | Requirement |
|---|---|
| January 1, 2027 | All new NSS acquisitions CNSA 2.0 compliant |
| December 31, 2025 | Existing NSS meet CNSA 1.0 or request waiver |
| 2033 | Final mandatory compliance |
The NSA guidance explicitly warns against relying on hybrid approaches as a long-term solution—organizations should plan for full PQC deployment.
Hybrid approaches
NIST permits hybrid cryptography during transition:
| Approach | Status |
|---|---|
| Hybrid key exchange (ML-KEM + X25519) | Supported |
| Hybrid signatures | Not yet supported |
| FIPS 140-3 validation | Permitted if one component NIST-approved |
Hybrid approaches provide:
- Compatibility with systems not yet PQC-ready
- Downgrade resistance against implementation errors
- Gradual integration path
However, hybrid adds complexity and should be transitional, not permanent.
Enterprise implications
While timelines are mandatory only for federal agencies, NIST strongly recommends private-sector organizations follow the same phased approach.
TLS and web infrastructure
| Development | Status |
|---|---|
| Chrome ML-KEM testing | Hybrid key exchange experiments since 2024 |
| Cloudflare PQC support | Active testing |
| CA/Browser Forum | Developing PQC certificate timelines |
Certificate authorities
Organizations should monitor CA/Browser Forum developments for:
- PQC certificate issuance timelines
- PKI infrastructure impacts
- Root certificate transitions
Embedded and IoT devices
The greatest migration challenge involves:
- Long deployment lifetimes (10-20+ years)
- Limited firmware update capabilities
- Constrained processing power
Recommendation: Procurement policies should require PQC readiness for all new acquisitions.
Long-term data storage
Organizations storing encrypted data for extended periods face immediate “harvest now, decrypt later” risk:
- Prioritize encryption-in-transit migration
- Assess data sensitivity lifespan
- Consider re-encryption of archived data
Getting started
NIST resources
| Resource | URL |
|---|---|
| PQC Migration Portal | pqc.nist.gov |
| Reference implementations | Available on portal |
| Performance benchmarks | Available on portal |
| Interoperability test vectors | Available on portal |
| CBOM template | Cryptographic Bill of Materials |
Available implementations
| Library | PQC Support |
|---|---|
| OpenSSL 3.3+ | NIST standards |
| BoringSSL | NIST standards |
| Open Quantum Safe (OQS) | Comprehensive PQC support |
| liboqs | Reference implementation |
Recommendations
For federal agencies
| Priority | Action |
|---|---|
| Immediate | Begin cryptographic inventory |
| 2026 | Engage vendors on PQC roadmaps |
| 2027 | Submit inventory to CISA |
| Ongoing | Monitor NIST guidance updates |
For enterprises
| Priority | Action |
|---|---|
| Now | Inventory cryptographic usage |
| Now | Assess “harvest now, decrypt later” risk |
| 2026-2027 | Begin testing with available implementations |
| Ongoing | Follow federal timelines as best practice |
For vendors
| Priority | Action |
|---|---|
| Now | Integrate PQC into product roadmaps |
| 2026 | Provide customers with migration timelines |
| 2027+ | Deliver PQC-ready products |
Context
The PQC migration represents one of the largest coordinated technology transitions in history—comparable to Y2K in scope but with a longer timeline and more complex technical challenges.
The “harvest now, decrypt later” threat makes this transition time-sensitive despite uncertain quantum timelines. Adversaries collecting encrypted data today will be able to decrypt it whenever quantum capability arrives—whether that’s 10 years or 20 years from now.
Organizations that begin inventory and planning now will have adequate runway for migration. Those that delay may find themselves scrambling as deadlines approach and vendor resources become constrained.
NIST’s message is clear: “[These standards] can and should be put into use now.”