| Audience: | CIO, CISO, CTO |
| Primary Sectors: | Government/Public Sector; Utilities / Energy; Financial Services |
| Decision Horizon: | 6–18 months |
Executive Summary
Most organizations still treat post-quantum cryptography (PQC) as a future cryptography problem. That framing is now behind the market. NIST finalized the first three PQC standards in August 2024 and is explicitly telling organizations to begin transitioning now, and U.S. federal policy has moved the issue into procurement and migration planning rather than abstract research.1,2,3
Verdict: Monitor → Pilot. For the next 6–18 months, do not launch a broad “replace all crypto” program. Instead, treat PQC as a procurement, inventory, and architecture-readiness program. Pilot cryptographic discovery now, add PQC-readiness to renewals and RFPs, and require vendors to state where they support ML-KEM, ML-DSA, and SLH-DSA and where they do not.1,2,4
Our Analysis
The important shift is not that a cryptanalytically relevant quantum computer is suddenly imminent. It is that the standards are now published, the buying signals are real, and the migration lead times are long enough that waiting for a dramatic “quantum moment” is a governance error, not a cautious one.1,2,5
The Narrative vs The Reality
The market narrative still says the quantum threat is years away, so enterprises can wait. A more expensive variation says: buy a “quantum-safe” overlay now and you are covered. Neither is good executive guidance.
The reality is less theatrical and more operational. NIST approved FIPS 203 (ML-KEM, key establishment), FIPS 204 (ML-DSA, digital signatures), and FIPS 205 (SLH-DSA, stateless hash-based signatures) on August 13, 2024, which removes the “the standards are not final yet” excuse for the first wave of migration planning.1 NIST is also no longer signaling passive observation: it says organizations should begin transitioning immediately, starting with an inventory of where public-key cryptography is used across systems, services, and vendors.2
Policy has also moved. The White House order issued on June 6, 2025 directed CISA to publish a list of product categories where PQC-capable products are widely available and required federal action toward TLS 1.3 or a successor by January 2, 2030.3 CISA’s January 2026 guidance then turned that into a market signal: cloud services, collaboration software, web software, and endpoint security already have PQC-capable options in circulation, while networking, SaaS, telecoms, storage, identity, and other enterprise categories are still transitioning.4,6
That distinction matters because many of these products are only partially quantum-resistant. CISA’s own framing, as summarized by enterprise security coverage, is that key establishment is appearing first, while PQC digital signatures and authentication are not yet broadly implemented.4 In TLS terms, ML-KEM (usually combined with a classical elliptic-curve exchange in a hybrid) protects session keys against later decryption of recorded traffic, but the certificate that authenticates the server is still signed with RSA or ECDSA. “Supports PQC” therefore often means “one major security function is moving,” not “the whole trust chain is done.”
The awkward part is where large enterprises actually feel the pain: OT, IoT, embedded systems, identity infrastructure, code-signing, software-update chains, and long-tail vendor dependencies. CISA’s early product lists do not fully solve those categories; they mainly signal where procurement pressure is starting. That is especially important for sectors with long asset lives and ugly refresh cycles.4,6
Meanwhile, some of the louder “quantum security” storytelling is still misdirecting buyers. NSA’s public posture remains that post-quantum cryptography on existing platforms is the more cost-effective and maintainable path than quantum key distribution for national security systems. That is a useful filter for CIOs: this is primarily a crypto-agility and migration problem, not a reason to fund exotic infrastructure because it sounds futuristic.7
Why This Matters Now
PQC has crossed the standards threshold and, in government settings, the procurement threshold; it has not crossed the “rip and replace everything now” threshold.1,3
- For Government/Public Sector, this is already an audit, acquisition, and defensibility issue because federal guidance is shaping what “reasonable preparation” looks like in buying decisions.3,6
- For Utilities / Energy, the problem is harder because OT and other long-lived infrastructure sit outside the easiest early wins, so waiting shortens an already difficult transition runway.4,6
- For Financial Services, the issue is not only future decryption risk on long-lived sensitive data, but also the fact that migration depends on a dense mesh of cloud, SaaS, endpoint, identity, and certificate dependencies that must be governed through contracts and architecture standards rather than left to vendor marketing.4,5
The Signal in the Noise
Vendors in mainstream categories are quietly shipping early PQC support, while networking, SaaS, storage, telecoms, and OT-heavy environments are still behind—so the practical move is to use procurement now, not panic spending later.
What to Watch For Next
First, whether CISA expands category guidance into OT/IoT-heavy environments; second, whether major suppliers start documenting PQC support for signatures, authentication, and software-update paths rather than only for key exchange.3,4
Recommended Actions
Do This
- Create a crypto-transition working group now. By the next planning cycle, every strategic supplier in cloud, identity, networking, endpoint, and SaaS must state which of FIPS 203, 204, and 205 they support, in which products, and for which functions.
- Run cryptographic discovery before funding broad remediation. If a critical system cannot identify where it uses public-key cryptography, certificates, code-signing, or key exchange, it does not get treated as “migration ready.”
- Use contract renewals as the forcing function. If a product in a critical category cannot show a credible PQC transition path by renewal or next major refresh, it goes on the risk register instead of quietly rolling over.
Avoid This
- Do not treat ML-KEM support alone as full quantum resistance. ML-KEM covers key establishment; until ML-DSA or SLH-DSA is deployed for certificates, code-signing, and update chains, authentication still rests on classical signatures, which is a material gap.4
- Do not buy “quantum-safe” positioning without protocol details. Require FIPS names, protocol coverage, update-chain coverage, and dates, not broad marketing language.1,4
- Do not let vendors turn this into a science-project budget. NSA’s own posture is a useful corrective: prioritize maintainable PQC migration and crypto agility over costly quantum-communications narratives.7
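The discovery step under Do This and the ML-KEM-only caveat under Avoid This come down to one classification rule: a system is migration-ready only when every recorded public-key function, not just key exchange, uses a FIPS 203/204/205 algorithm. The script below is an added example, not tooling from CISA, NIST, or any vendor. The system names, the record layout, and the algorithm labels are constructed for illustration; only the family names ML-KEM, ML-DSA, and SLH-DSA come from the standards.

```python
"""Classify a cryptographic inventory by PQC readiness.

Added illustration: the system names, record layout and algorithm labels
are constructed for this example; only the family names (ML-KEM, ML-DSA,
SLH-DSA) come from FIPS 203, 204 and 205. Hybrid labels such as
"X25519+ML-KEM-768" count as PQ key establishment because the ML-KEM
component is present.
"""
from dataclasses import dataclass

# Family names that make a function quantum-resistant (FIPS 203/204/205).
PQ_KEM_FAMILIES = ("ML-KEM",)
PQ_SIG_FAMILIES = ("ML-DSA", "SLH-DSA")


@dataclass(frozen=True)
class CryptoUse:
    system: str      # constructed system name
    function: str    # "key_exchange", "tls_cert_signature", "code_signing", "update_chain"
    algorithm: str   # label as reported by discovery, e.g. "RSA-2048"


def is_pq(algorithm: str, families) -> bool:
    """True if any PQ family name appears in the algorithm label."""
    label = algorithm.upper()
    return any(f in label for f in families)


def classify(systems, records):
    """Return {system: (status, gaps)}.

    status: "not_inventoried"  no discovery data; cannot be called migration-ready
            "classical"        no PQC anywhere
            "kex_only"         PQ key establishment, but every signature is classical
            "partial"          some PQ signatures, but gaps remain
            "pqc_full"         every recorded function uses a FIPS 203/204/205 algorithm
    gaps:   "function=algorithm" for each recorded use that is still classical
    """
    by_system = {name: [] for name in systems}
    for rec in records:
        by_system.setdefault(rec.system, []).append(rec)

    report = {}
    for system, uses in by_system.items():
        if not uses:
            report[system] = ("not_inventoried", [])
            continue
        pq_functions, gaps = set(), []
        for use in uses:
            # Key exchange is judged against ML-KEM; everything else is a signature.
            families = PQ_KEM_FAMILIES if use.function == "key_exchange" else PQ_SIG_FAMILIES
            if is_pq(use.algorithm, families):
                pq_functions.add(use.function)
            else:
                gaps.append(f"{use.function}={use.algorithm}")
        if not pq_functions:
            status = "classical"
        elif not gaps:
            status = "pqc_full"
        elif pq_functions == {"key_exchange"}:
            status = "kex_only"
        else:
            status = "partial"
        report[system] = (status, gaps)
    return report


def migration_ready(entry) -> bool:
    """Only a fully PQ system counts; kex_only is exactly the gap the text warns about."""
    return entry[0] == "pqc_full"


# Constructed inventory: four hypothetical systems, one with no discovery data at all.
SYSTEMS = ["web-portal", "vpn-gateway", "build-signing", "scada-historian"]
INVENTORY = [
    CryptoUse("web-portal", "key_exchange", "X25519+ML-KEM-768"),
    CryptoUse("web-portal", "tls_cert_signature", "ECDSA-P256"),
    CryptoUse("vpn-gateway", "key_exchange", "ECDHE-P256"),
    CryptoUse("vpn-gateway", "tls_cert_signature", "RSA-2048"),
    CryptoUse("build-signing", "code_signing", "ML-DSA-65"),
    CryptoUse("build-signing", "update_chain", "SLH-DSA-SHA2-128s"),
]

if __name__ == "__main__":
    for system, (status, gaps) in classify(SYSTEMS, INVENTORY).items():
        verdict = "ready" if migration_ready((status, gaps)) else "on risk register"
        print(f"{system:16} {status:16} {verdict:17} {', '.join(gaps) or '-'}")
```

In practice the records would come from TLS scans, certificate inventories, and signing configurations rather than a hand-built list; the point of the statuses is that a "kex_only" system lands on the risk register alongside a "classical" one, and a system with no records is not allowed to be called ready, which is the rule stated under Do This.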
Bottom Line
The first PQC decision is not whether to re-encrypt everything. It is whether you will stop buying future cryptographic debt. Start with inventory and procurement language now; leave the panic to vendors with no migration story.
Evidence and Sources
1. NIST. 2024. “Announcing Approval of Three Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography.”
2. NIST. 2026. “What Is Post-Quantum Cryptography?”; NIST NCCoE. “Migration to Post-Quantum Cryptography.”
3. The White House. 2025. “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.”
4. Sharma, Shweta. 2026. “CISA Releases Technology Readiness List for Post-Quantum Cryptography.” CSO Online.
5. U.S. Government Accountability Office. 2025. “The Next Big Cyber Threat Could Come from Quantum Computers… Is the Government Ready?”; Office of Management and Budget. 2022. “M-23-02: Migrating to Post-Quantum Cryptography.”
6. Swayne, Matt. 2026. “CISA Issues Federal Buying Guidance for Post-Quantum Cryptography.” The Quantum Insider.
7. National Security Agency. 2026. “Post-Quantum Cybersecurity Resources.”