Post-Quantum Cryptography: Why CISOs Need to Start Now, Not When Quantum Arrives

NIST finalized PQC standards in 2024. Adversaries are harvesting your encrypted data today. Here's what CISOs need to do right now before the window closes.

The encryption protecting your most sensitive data right now was designed for a world without quantum computers. That world is ending. NIST finalized the first post-quantum cryptography standards in August 2024. The NSA has set a January 2027 compliance deadline for new national security systems. And adversaries are already collecting your encrypted data today with the specific intent to decrypt it once quantum computing reaches sufficient maturity.

If you have been treating post-quantum cryptography as a future problem, something to add to next year's roadmap after the more immediate fires are out, this post is the one that should change that posture. Not because quantum computers capable of breaking current encryption are operational today. They are not. But because the preparation timeline for cryptographic migration is measured in years, the regulatory deadlines are arriving faster than most organizations have planned for, and the threat that your data faces right now from harvest attacks does not require quantum computers to have already arrived. It only requires that they eventually will.

This post covers what post-quantum cryptography actually is, what the specific threats are that make timing matter, what NIST has finalized and what it requires of your organization, and what CISOs should be doing right now to build a credible migration plan.

What Post-Quantum Cryptography Is and Why It Matters

Most of the encryption in use today relies on mathematical problems that are computationally infeasible for classical computers to solve in any practical timeframe. RSA encryption, for example, depends on the difficulty of factoring very large numbers. Elliptic curve cryptography depends on the difficulty of solving the discrete logarithm problem. These algorithms underpin the security of nearly everything: TLS connections, digital signatures, VPNs, authentication systems, code signing, and encrypted communications.

Quantum computers, once they reach sufficient scale, can solve some of these mathematical problems dramatically faster than classical computers using algorithms like Shor's algorithm. A sufficiently powerful quantum computer could break RSA-2048 encryption in hours rather than billions of years. That is not hyperbole. It is established mathematics that has been understood since Peter Shor published his factoring algorithm in 1994. The question has always been when quantum hardware would reach the scale required, not whether the mathematical capability existed.

Post-quantum cryptography refers to cryptographic algorithms designed to be secure against both classical and quantum computing attacks. These are not quantum algorithms requiring quantum hardware to run. They are classical algorithms with different mathematical foundations: lattice problems, hash-based signatures, and other structures for which no efficient quantum attack is currently known. Your existing servers and devices can run post-quantum algorithms. The migration challenge is not hardware. It is identifying and replacing the cryptographic implementations that exist across your entire technology stack.

The Harvest Now, Decrypt Later Threat Is Not Theoretical

Here is the threat that makes the timing of post-quantum migration a present-day concern rather than a future one: adversaries are already collecting encrypted data today with the intent to decrypt it once quantum computing matures. This attack pattern is called “harvest now, decrypt later,” and it requires no quantum computers to execute the collection phase.

Think about the data your organization is protecting with current encryption. Personnel records. Intellectual property. M&A communications. Long-term contracts. Health information. Financial data. Strategic plans. If any of that information has value in five to ten years, it is a potential target for harvest attacks happening right now. Nation-state adversaries, who have both the patience and the storage infrastructure for this approach, are specifically targeting high-value encrypted data on the assumption that future quantum capability will make it decryptable.

This threat is particularly acute for sectors with long data sensitivity horizons: healthcare, defense, financial services, energy, and government. If your organization retains sensitive data for decades, the harvest now, decrypt later timeline is directly relevant to your current exposure. The data being collected today will be the decryption target of tomorrow.

💡 Pro Tip: When talking about post-quantum risk with your executive team, the harvest now, decrypt later framing is the one that cuts through the “but quantum computers don’t exist yet” objection. The data being collected today is the asset at risk. The quantum computer is not the present threat. The present threat is the collection phase of an attack that will only be completed in the future. That reframe shifts the conversation from an abstract future risk to a concrete present vulnerability.

What NIST Has Finalized and What It Requires

In August 2024, NIST published the first three finalized post-quantum cryptography standards. Understanding what these are and what they cover is foundational to any migration planning conversation.

FIPS 203 standardizes ML-KEM, derived from the CRYSTALS-Kyber algorithm, for key encapsulation mechanisms. This is the standard that replaces RSA and elliptic curve Diffie-Hellman for key exchange. It is the most broadly applicable of the three standards, covering the mechanism by which two parties establish a shared encryption key over an untrusted channel.

FIPS 204 standardizes ML-DSA, derived from CRYSTALS-Dilithium, for digital signatures. Digital signatures authenticate the source and integrity of data. They are used in code signing, certificate authorities, document authentication, and secure communications protocols. FIPS 204 is the standard that replaces RSA and ECDSA for signature applications.

FIPS 205 standardizes SLH-DSA, derived from SPHINCS+, as a hash-based digital signature alternative. This provides a backup signature standard with different mathematical foundations, offering cryptographic diversity for high-assurance applications where defense-in-depth across algorithm families is warranted.

Beyond the algorithm standards, NIST published CSWP 39 in December 2025, which defines cryptographic agility as an essential organizational capability and introduces a maturity model for achieving it. Cryptographic agility means your systems are designed to swap cryptographic algorithms without requiring fundamental architectural changes. If you are not building this capability now, every migration you do will be more expensive and more disruptive than it needs to be.

NIST has also published guidance mapping post-quantum migration to the NIST Cybersecurity Framework 2.0 and SP 800-53 controls, which means your existing GRC framework can accommodate PQC migration as a structured program, not an ad hoc initiative.

The Deadlines CISOs Need to Know

This is not purely a long-horizon planning problem. There are near-term deadlines that are already relevant to a significant portion of the organizations reading this post.

On September 21, 2026, NIST's Cryptographic Module Validation Program will move all remaining FIPS 140-2 validated certificates to the Historical list. For organizations selling products or services to the federal government that rely on FIPS 140-2 validated cryptographic modules, this deadline has direct procurement implications. If your technology stack relies on modules with FIPS 140-2 validation and you have not assessed your path to FIPS 140-3 compliance, this deadline is already in play.

The NSA's Commercial National Security Algorithm Suite 2.0 mandates quantum-safe algorithms for national security systems, with a January 2027 compliance deadline for new system acquisitions. If your organization operates in the defense industrial base, works with classified or controlled unclassified information, or provides technology to national security customers, this deadline applies directly to your procurement and development decisions today.

For organizations outside those specific categories, the regulatory timeline is longer but the preparation timeline is not. Cryptographic migration across a complex enterprise technology stack typically takes three to five years from the point of comprehensive discovery. If you have not started the discovery phase, every month you delay is a month added to your exposure window.

🔑 Key Tip: CISA, NSA, and NIST have jointly published a six-step post-quantum migration playbook. It is publicly available and it is the right framework to use for structuring your program. The steps are: inventory cryptographic assets, identify the highest-priority systems, assess migration complexity, develop a migration roadmap, execute in priority order, and validate. The playbook is not academically theoretical. It is operationally practical and directly usable for building an internal program.

What CISOs Should Be Doing Right Now

The foundation of any post-quantum migration program is a cryptographic inventory. You cannot migrate what you have not identified. Most organizations significantly underestimate the scope of this problem because cryptography is embedded not just in the systems they think of as “encrypted” but in virtually every modern technology component: TLS libraries in web applications, SSH configurations on servers, digital signatures in code deployment pipelines, certificate authorities, hardware security modules, VPN clients, mobile applications, and more.

Start the inventory with your most sensitive data. Map where that data is stored, transmitted, and processed. Identify every cryptographic algorithm in use on each of those data flows. Prioritize the systems that protect your highest-value data and have the longest sensitivity horizons. Those are your first migration targets.
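The inventory-and-prioritize step described above can be sketched as a small classifier. This is an added example, not code from the post or from the CISA/NSA/NIST playbook; the `Finding` record, the token lists, the substring heuristic and the sample inventory are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Public-key families the page names as quantum-vulnerable (RSA, elliptic curve,
# Diffie-Hellman), as tokens matched after normalisation.
CLASSICAL = ("RSA", "ECDSA", "ECDH", "ED25519", "X25519", "DSA", "DH")
# NIST standards named on the page: ML-KEM (FIPS 203), ML-DSA (204), SLH-DSA (205).
POST_QUANTUM = ("MLKEM", "MLDSA", "SLHDSA")

@dataclass
class Finding:
    system: str
    data: str
    algorithm: str          # string as reported by a scanner or config review
    sensitivity_years: int  # how long the protected data stays sensitive

def classify(algorithm: str) -> str:
    """Return 'pqc', 'hybrid', 'vulnerable' or 'other' for an algorithm string."""
    norm = re.sub(r"[^A-Z0-9]", "", algorithm.upper())
    has_pq = any(tok in norm for tok in POST_QUANTUM)
    # Strip PQ names first so "ML-DSA" is not mistaken for classical DSA.
    for tok in POST_QUANTUM:
        norm = norm.replace(tok, "")
    has_classical = any(tok in norm for tok in CLASSICAL)
    if has_pq:
        return "hybrid" if has_classical else "pqc"
    # 'other' = no public-key algorithm seen in this string (e.g. a bare symmetric
    # cipher); how its keys are exchanged or wrapped still needs its own finding.
    return "vulnerable" if has_classical else "other"

def migration_queue(findings):
    """Quantum-vulnerable findings only, longest sensitivity horizon first."""
    vulnerable = [f for f in findings if classify(f.algorithm) == "vulnerable"]
    return sorted(vulnerable, key=lambda f: f.sensitivity_years, reverse=True)

# Constructed sample inventory; systems and values are illustrative only.
INVENTORY = [
    Finding("hr-portal", "personnel records", "ECDHE-RSA-AES256-GCM-SHA384", 30),
    Finding("build-signing", "release artifacts", "ECDSA-P256", 3),
    Finding("partner-vpn", "M&A communications", "X25519MLKEM768", 10),
    Finding("backup-vault", "health information", "AES-256-GCM", 25),
    Finding("research-sftp", "intellectual property", "ssh-rsa", 15),
    Finding("doc-signing", "long-term contracts", "ML-DSA-65", 20),
]

if __name__ == "__main__":
    for f in INVENTORY:
        print(f"{classify(f.algorithm):10} {f.system:14} {f.algorithm}")
    print("migrate first:", [f.system for f in migration_queue(INVENTORY)])
```

Substring matching is a triage heuristic: a real inventory should record the algorithm per use (key exchange, signature, key wrapping) rather than one string per system.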

Assess your vendor landscape in parallel. A substantial portion of your cryptographic exposure will be in software and systems you did not build: enterprise applications, cloud services, security tools, networking equipment, and operational technology. Begin asking your critical vendors about their post-quantum roadmaps now. Vendors who do not have a clear answer to that question are introducing risk to your migration timeline, and you need to know that now rather than when their product becomes a blocker.

Build cryptographic agility into every new system you deploy from this point forward. Systems being designed and built today should use algorithm abstraction layers that allow cryptographic implementations to be replaced without architectural changes. This is far less expensive to build in than to retrofit. Any security architect or engineering team that is not designing for cryptographic agility in 2026 is creating technical debt with a specific, foreseeable cost.
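One shape an algorithm abstraction layer can take, as an added example that is not from the post or from NIST CSWP 39: callers only use `protect` and `verify`, every stored envelope records its algorithm, and a policy object decides what is used and accepted. Standard-library HMAC variants stand in for signature schemes (the Python standard library has no ML-DSA), and all names and the demo key are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Algorithm registry: the only place that knows concrete primitives. Standard-library
# HMAC variants stand in for signature schemes here (assumption for the example).
REGISTRY = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

@dataclass(frozen=True)
class Policy:
    current: str         # algorithm used for new data
    accepted: frozenset  # algorithms still allowed when verifying

def protect(policy: Policy, key: bytes, message: bytes) -> str:
    """Tag a message with the policy's current algorithm and record which one."""
    tag = REGISTRY[policy.current](key, message)
    return json.dumps({"alg": policy.current, "msg": message.hex(), "tag": tag.hex()})

def verify(policy: Policy, key: bytes, envelope: str) -> bytes:
    """Return the message if the tag checks out under an accepted algorithm."""
    env = json.loads(envelope)
    alg = env["alg"]
    # The envelope's "alg" is untrusted input: the policy, not the sender, decides
    # what is acceptable, which blocks downgrade to a retired algorithm.
    if alg not in policy.accepted or alg not in REGISTRY:
        raise ValueError(f"algorithm {alg!r} not accepted")
    message = bytes.fromhex(env["msg"])
    if not hmac.compare_digest(REGISTRY[alg](key, message), bytes.fromhex(env["tag"])):
        raise ValueError("integrity check failed")
    return message

def accepted_under(policy: Policy, key: bytes, envelope: str) -> bool:
    """True if the envelope verifies under the given policy."""
    try:
        verify(policy, key, envelope)
        return True
    except ValueError:
        return False

KEY = b"constructed-demo-key"  # constructed value, not a real secret
# Migration is a policy change only; protect() and verify() callers are untouched.
LEGACY = Policy("hmac-sha256", frozenset({"hmac-sha256"}))
TRANSITION = Policy("hmac-sha3-256", frozenset({"hmac-sha256", "hmac-sha3-256"}))
TARGET = Policy("hmac-sha3-256", frozenset({"hmac-sha3-256"}))

if __name__ == "__main__":
    old = protect(LEGACY, KEY, b"release-1.0")
    new = protect(TRANSITION, KEY, b"release-2.0")
    print(accepted_under(TRANSITION, KEY, old), accepted_under(TRANSITION, KEY, new))
    print(accepted_under(TARGET, KEY, old))  # retired algorithm is rejected
```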

Develop a prioritized migration roadmap with specific timelines. The roadmap should sequence your highest-risk systems first, account for vendor dependencies that are outside your direct control, and include hybrid deployments where you run post-quantum and classical algorithms simultaneously during transition periods. Hybrid approaches are currently recommended by NIST guidance for exactly this reason: they provide quantum resistance while maintaining backward compatibility during the migration window.

Getting Organizational Support: Framing PQC for Leadership

Post-quantum cryptography is genuinely harder to communicate to boards and executives than most security topics, because the primary threat is not present-tense. The attack happens today but the consequence materializes in the future, and the timeline feels abstract. Here is how I approach that conversation.

Start with the harvest attack, not the quantum computer. Ask your board this question: how much of our most sensitive data, if it were decrypted and published five years from now, would create material business, legal, or regulatory harm? If the answer is “a significant amount,” then the threat is not hypothetical. It is current. Adversaries are collecting that data now. The quantum capability to decrypt it is not yet available, but the collection phase of the attack is already happening, and there is no way to reach back in time to re-encrypt data that has already been exfiltrated.

Frame the investment as risk reduction with a defined timeline. The cost of post-quantum migration is highest when it is treated as an emergency and lowest when it is treated as a structured multi-year program. Organizations that start now, build cryptographic agility into new systems, and execute migration in a prioritized sequence will spend dramatically less than organizations that wait until regulatory deadlines force a compressed, disruptive transition. That cost comparison is a legitimate basis for investment approval.

Reference the regulatory trajectory explicitly. Federal mandates are already in place for national security systems. Regulatory expansion to other sectors is the expected trajectory. Organizations that have a head start on PQC migration will find regulatory compliance straightforward. Organizations that have not started will face the double burden of accelerated migration and compliance remediation simultaneously. Boards generally prefer to avoid that situation when the path to avoidance is clear and affordable.

Key Points

  • The encryption protecting your sensitive data today is vulnerable to quantum computing. NIST finalized the replacement standards in August 2024: FIPS 203, FIPS 204, and FIPS 205. The migration from current encryption to post-quantum algorithms is a multi-year program that most organizations have not yet started.
  • Harvest now, decrypt later attacks are happening today. Nation-state adversaries are collecting encrypted data now with the intent to decrypt it when quantum computing matures. If your organization holds sensitive data with value over a five to ten year horizon, this threat applies to you right now, regardless of when quantum computers become operational.
  • Near-term regulatory deadlines are already relevant. The NIST CMVP FIPS 140-2 sunset hits in September 2026. NSA CNSA 2.0 mandates apply to new national security system acquisitions in January 2027. The federal regulatory trajectory points toward broader mandates in subsequent years.
  • The foundation is a cryptographic inventory. You cannot migrate what you have not identified. Start with your highest-value data and the systems that protect it. Inventory every cryptographic algorithm in use across those data flows before building a migration roadmap.
  • Cryptographic agility is not optional for new systems. Every system being designed and deployed today should be built with the ability to replace cryptographic algorithms without architectural changes. This is the minimum standard for responsible system design in 2026.
  • The CISA-NSA-NIST six-step migration playbook is your framework. It is publicly available, practically oriented, and directly applicable to building an enterprise PQC migration program.

Pro Tips

  • Focus your initial inventory on long-lived data first. Data that will retain sensitivity for ten or more years is your highest-priority harvest attack target. Personnel records, health information, intellectual property, long-term contracts, and strategic communications all qualify. Identify where that data lives and what encryption protects it before you prioritize anything else.
  • Put PQC requirements in your vendor procurement language now. Add post-quantum migration roadmap disclosure to your vendor assessment process immediately. Ask existing critical vendors for their post-quantum plans in writing. Vendors without a clear answer represent a risk to your migration timeline, and knowing that now gives you time to plan alternatives before it becomes a dependency blocker.
  • Pilot hybrid cryptography on a non-critical system. Hybrid deployments that run post-quantum and classical algorithms simultaneously are the recommended transition approach. Running a pilot on a lower-risk system lets your team build operational familiarity with hybrid configurations before deploying them to your most sensitive systems. It also surfaces performance impacts and integration challenges in a lower-stakes environment.
  • Use the maturity model from CSWP 39 to benchmark your current state. The NIST cryptographic agility maturity model gives you a structured way to assess where your organization sits and what the next level of maturity requires. It is a useful input for board-level reporting because it translates a complex technical program into a progression that non-technical stakeholders can understand and track.

Pitfalls to Avoid

  • Do not wait for quantum computers to arrive before starting the migration. By the time cryptographically relevant quantum computers are operational, the window for orderly migration will be closed. The organizations that navigate this transition successfully will be the ones that treated it as a structured multi-year program starting now, not a crisis response when the deadline becomes visible.
  • Do not underestimate the scope of your cryptographic surface area. Cryptography is embedded in far more systems than most organizations realize when they start the inventory. Web application TLS, SSH, code signing, certificate infrastructure, VPNs, mobile applications, hardware security modules, operational technology, and embedded firmware all potentially contain quantum-vulnerable algorithms. Approach the inventory with the assumption that the scope is larger than your initial estimate.
  • Do not deploy new quantum-vulnerable systems. Every new system deployed with classical cryptography and no cryptographic agility built in is creating a future migration liability. Starting today, system design standards should require post-quantum algorithm support and cryptographic agility. This is the easiest and cheapest time to make that requirement.
  • Do not treat this as purely a security team problem. Cryptographic migration touches legal (data retention obligations), compliance (regulatory requirements), IT (infrastructure and application changes), and procurement (vendor requirements). PQC migration is a cross-functional program, not a security department project. Build the governance structure accordingly from the start.

Final Thought

Every major cryptographic transition in history has been more disruptive and more expensive than the organizations going through it anticipated. The transition from DES to AES took years. The move from SHA-1 to SHA-2 took longer than anyone planned. Post-quantum migration is an order of magnitude larger than either of those transitions, because the scope of quantum-vulnerable cryptography in modern enterprise environments is enormous and the replacement standards are new enough that operational experience is still developing. The organizations that will navigate this successfully are not the ones waiting for the perfect moment to start. They are the ones building their cryptographic inventory, engaging their vendors, designing for agility, and treating this as the multi-year program it actually is. Start that work now. The alternative is a forced march to compliance under deadline pressure, and that is always a more expensive way to travel.


If your organization has started a post-quantum cryptography program and you have lessons learned from the discovery or vendor engagement process, share them in the comments. This is an area where the practitioner community is genuinely building knowledge in real time, and specific experiences are more useful than general advice. Subscribe to InfoSec Made Easy for follow-up posts as the PQC regulatory landscape continues to evolve, and share this with any colleague who is still treating quantum computing as a problem for another decade.