As breakthroughs in quantum computing pose an urgent threat to established cryptographic systems, the National Institute of Standards and Technology (NIST) has standardized its Post-Quantum Cryptography (PQC) algorithm selection, and the response is creating a pivotal milestone for defending encryption against future quantum attacks.
Through the discussion, we’ll cover:
- The importance of early adoption, regulatory compliance, and strategic resource planning
- The evolving security landscape
- The steps organizations should take to future-proof their systems
- The practical steps businesses and governments must take to prepare for the PQC transition
Join us as we break down the full scope of the panel, including key takeaways, the impact on business operations, how businesses can get a head start, and what costs might look like as the transition takes shape.
Understanding NIST’s PQC Standards
The National Institute of Standards and Technology sets fundamental standards for the cryptographic protection of U.S. government systems that do not involve national security functions. The internationally recognized standards shape cybersecurity approaches that the public and private sectors use in their strategies.
Andy Regenscheid, head of cryptographic technology at NIST, emphasizes that the security standards his agency defines are used beyond U.S. government systems, both domestically and worldwide. In the last eight years, NIST assessed 80 cryptographic algorithms before selecting four that resist quantum and classical attack methods.
Key PQC Standards:
- FIPS 203 – ML-KEM (Key-Encapsulation Mechanism)
- FIPS 204 – ML-DSA (Digital Signature Algorithm)
- FIPS 205 – SLH-DSA (Stateless Hash-Based Signature Scheme)

These new standards enable organizations to secure their cryptographic infrastructure against evolving quantum threats.
Impact on Business Operations
Introducing PQC requires extensive modifications to cryptographic systems and protocols. Carlos Aguilar Melchor, Chief Scientist of Cybersecurity at SandboxAQ, mentions that the new algorithms' performance characteristics include extended key lengths and longer ciphertexts.
The transition complicates cryptographic management and demands protocol modifications.
“How long will it take you as an organization to upgrade your cryptography? Is it 8 years? 10 years? 12 years? Some companies took a decade just to move from SHA-1 to SHA-2.” – Colin Soutar, Managing Director and Global Quantum Cyber Leader at Deloitte
This adoption of PQC standards introduces several operational challenges for businesses:
- Increased Key Sizes and Encryption Complexity: New cryptographic algorithms require adaptation in existing security protocols.
- Infrastructure Updates: Companies must overhaul their cryptographic dependencies, including third-party integrations and supply chains.
- Board-Level Cybersecurity Awareness: Quantum threats are now a business risk, requiring attention beyond IT and security teams.
Financial services are particularly vulnerable, as transaction integrity is important. If businesses fail to transition quickly, critical systems may need to shut down temporarily, leading to operational and financial losses.
Regulatory Compliance Considerations
Despite its status as a nonregulatory agency, NIST has substantial influence over worldwide cybersecurity policies.
Under National Security Memorandum 10 (NSM-10), the U.S. government requires all stakeholders to transition to NIST quantum-resistant cryptography before 2035. Early planning remains essential because the relatively long deadline masks the complexity of the transition process.
Key compliance considerations include the following:
- Automated Inventory of Cryptographic Assets: Businesses will need ongoing monitoring of their cryptographic systems.
- Industry-Specific Regulations: Financial regulators and other industry bodies may introduce additional guidelines.
- Self-Regulation vs. Mandated Compliance: Deloitte’s experts emphasized that companies should proactively prepare rather than wait for regulations.
Carlos Aguilar Melchor emphasized that businesses must proactively integrate PQC into their compliance strategies rather than wait for regulatory mandates.
“Government pressure is increasing — not just for a one-time transition but for continuous inventory tracking and compliance.” – Carlos Aguilar Melchor
How Can Businesses Start Preparing?
Transitioning to PQC requires a strategic approach. As experts from SandboxAQ, Deloitte, and NIST explain in the half-hour panel discussion, “Spotlight on Post Quantum Cryptography Migration as NIST Releases PQC Standards,” the transition's implications are poised to be significant and swift.
Carlos Aguilar Melchor emphasized that automated inventory tools play a significant role in identifying cryptographic dependencies. Key steps include:
- Conducting a cryptographic inventory to identify all cryptographic assets and their vulnerabilities.
- Assigning a PQC champion and designating a team or individual to oversee the transition.
- Creating a roadmap for phased implementation to prioritize critical infrastructure before addressing less sensitive systems.
- Collaborating with vendors to ensure third-party providers support quantum-resistant encryption.
Colin Soutar noted that companies should identify high-priority data and systems before fully upgrading. This includes information that, if compromised, could significantly impact your organization's operations, reputation, or compliance status.
For instance, health records, national security information, banking data, trade secrets, industrial control systems, telecom networks, stock trades, pre-public earnings reports, and energy grids are high-priority sensitive data and systems that require immediate attention: if not within a few weeks, then certainly within a few months.
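The inventory and prioritization steps above, as an added Python example (not from the panel or from any vendor's inventory tool): it flags records that still rely on classical public-key algorithms, maps each to the FIPS 203/204/205 family that fits its use, and orders them by data sensitivity. The record fields, system names and three-level sensitivity scale are assumptions, and the sample inventory is constructed.

```python
# Added example: PQC migration triage. Fields, names and sample data are constructed.
CLASSICAL_PUBLIC_KEY = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "ED25519", "X25519"}
PQC_STANDARDS = {"ML-KEM": "FIPS 203", "ML-DSA": "FIPS 204", "SLH-DSA": "FIPS 205"}
TARGET_BY_USE = {
    "key-establishment": "ML-KEM (FIPS 203)",
    "signature": "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)",
}
SENSITIVITY_RANK = {"high": 0, "medium": 1, "low": 2}  # assumed three-level scale


def family(algorithm):
    """Strip parameter suffixes: 'ECDSA-P384' -> 'ECDSA', 'ML-KEM-768' -> 'ML-KEM'."""
    name = algorithm.upper()
    for known in CLASSICAL_PUBLIC_KEY | set(PQC_STANDARDS):
        if name == known or name.startswith(known + "-"):
            return known
    return name


def classify(record):
    """Return (status, detail) for one inventory record."""
    fam = family(record["algorithm"])
    if fam in PQC_STANDARDS:
        return "pqc", PQC_STANDARDS[fam]
    if fam in CLASSICAL_PUBLIC_KEY:
        # Unknown use: no automatic target, a person has to look at it.
        return "migrate", TARGET_BY_USE.get(record["use"], "review manually")
    return "out-of-scope", None  # e.g. symmetric ciphers: not a KEM or signature


def migration_queue(inventory):
    """Records still on classical public-key crypto, most sensitive data first."""
    todo = [{**rec, "target": classify(rec)[1]} for rec in inventory
            if classify(rec)[0] == "migrate"]
    return sorted(todo, key=lambda r: (SENSITIVITY_RANK[r["sensitivity"]], r["system"]))


# Constructed sample inventory (hypothetical systems).
INVENTORY = [
    {"system": "intranet-wiki", "algorithm": "RSA-2048", "use": "signature", "sensitivity": "low"},
    {"system": "payments-api", "algorithm": "ECDH-P256", "use": "key-establishment", "sensitivity": "high"},
    {"system": "backup-vault", "algorithm": "AES-256-GCM", "use": "encryption", "sensitivity": "high"},
    {"system": "vpn-gateway", "algorithm": "ML-KEM-768", "use": "key-establishment", "sensitivity": "high"},
    {"system": "code-signing", "algorithm": "ECDSA-P384", "use": "signature", "sensitivity": "medium"},
]

if __name__ == "__main__":
    for item in migration_queue(INVENTORY):
        print(f'{item["sensitivity"]:7}{item["system"]:15}{item["algorithm"]:11}-> {item["target"]}')
```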
Why Start Now?
“We advocate that organizations start by identifying a champion and understanding their exposure. This is not a 12-month project — it’s a multi-year effort that requires careful planning.” – Colin Soutar
The transition will take years, and delaying action could leave organizations vulnerable to quantum attacks. Early preparation allows businesses to integrate PQC into their normal technology refresh cycles, minimizing disruption.
Resource Planning and Cost Estimation for PQC Migration
Transitioning to PQC requires a multi-year strategic plan. Colin Soutar advised businesses to establish a dedicated quantum security champion to oversee the transition.
Steps for a smooth transition:
- Establish a PQC Champion: A CISO team leader should spearhead PQC integration.
- Prioritize Critical Assets: Identify and secure high-value data and transactions first.
- Implement Hybrid Cryptography: Combine classical and quantum-resistant algorithms to ensure security redundancy.
- Budget for Long-Term Implementation: PQC adoption is a multi-year effort requiring sustained investment.

“Today’s cryptography is outdated. PQC transition presents a chance to improve efficiency, reduce costs, and enhance security.” – Carlos Aguilar Melchor
Carlos Aguilar Melchor added that while PQC migration is a significant challenge, it’s also an opportunity to modernize cryptographic infrastructures. He emphasized that companies approach this transition in two ways:
- Reactive Companies: These companies wait until mandated to comply, leading to rushed implementation.
- Proactive Companies: These companies integrate PQC into a broader cryptographic upgrade strategy, reducing costs and improving security.
Case Studies: Early Adoption of PQC
Companies like Google and Apple have already started transitioning to PQC, leveraging the opportunity to refine their cryptographic workflows. These organizations have enhanced their security posture and streamlined cryptographic management processes.
Recommendations for Government Entities
Given the scale and complexity of their systems, government agencies face unique challenges when transitioning to PQC. The lack of clear guidance on how to carry out the shift hinders the transition and leads to hesitation and fragmented approaches.
According to a GDIT survey, some other key barriers include PQC integration into the cybersecurity supply chain (24%), managing enterprise-wide cryptography (17%), and the lack of automation (14%).
These challenges indicate that agencies risk falling behind without a structured, government-wide roadmap, leaving critical infrastructure vulnerable.
“Agencies need to start acting now. This is a technology modernization problem, and we have time to prepare — but we need to act quickly.” – Andy Regenscheid
Andy Regenscheid recommended that agencies start by identifying systems that need to be migrated and integrate PQC requirements into their acquisition and modernization plans.
Key Steps
- Conduct a Comprehensive Inventory: Identify cryptographic assets and prioritize systems for migration.
- Update Procurement Processes: Require vendors to support PQC-compliant products and services.
- View PQC as an Opportunity: Use the transition to improve cryptographic resilience and modernize infrastructure.
- Implement PQC-based Systems Before 2035: Implement PQC-based systems to meet national security goals and maintain compliance.
- Clear Governance Framework: Public entities must partner with industry stakeholders and regulatory organizations to establish clear governance frameworks.
According to Colin Soutar, the transition works better when viewed as an advantage in strengthening governance systems, developing better policies, and improving key management.
Conclusion
Post-quantum cryptography is both a challenging task and an advantageous development that affects business operations and government agencies.
Key takeaways from the discussion:
- The PQC standards issued by NIST give organizations precise guidelines for adopting quantum-resistant encryption methods.
- Organizations need to assess their cryptographic components in advance to build improvement strategies.
- Compliance requirements are intensifying across different sectors, so many organizations must soon comply with regulations.
- Cost and resource planning should be a long-term strategic effort, because treating the migration as a one-time cost does not work.
- Government entities must move forward with implementation first to set an example for enterprises to follow.
Ultimately, organizations that prepare before deadlines will achieve smoother protocol integration while reducing compliance risks and strengthening their security systems in the quantum computing age.