Secure Controls Framework
Download The SCF
Quantum Security

How do I start a Post-Quantum Cryptography migration?

Direct Answer

A PQC migration begins with a cryptographic inventory - cataloging every system and application using cryptography, especially asymmetric algorithms such as RSA and ECC. Then assess data sensitivity and how long confidentiality must be maintained. Prioritize systems handling long-lived sensitive data first. The SCF cryptographic controls domain provides a framework for documenting and managing this process.

After completing the cryptographic inventory, develop a migration roadmap that sequences systems for PQC adoption based on risk. Systems handling data with long confidentiality requirements should migrate first.

 

Consider interoperability requirements - during the transition period, hybrid cryptography (combining classical and PQC algorithms) may be necessary to maintain compatibility with partners that have not yet migrated.

 

Monitor NIST guidance and vendor support for FIPS 203, 204, and 205 as hardware security module and TLS library implementations mature. CISA and NSA have both published PQC migration guidance that complements NIST standards - check their websites for current roadmap recommendations.

Keep Exploring

Relevant Resources

References

Authoritative Sources