CISA publishes post-quantum procurement guidance but experts warn it lacks operational detail

The Cybersecurity and Infrastructure Security Agency published guidance on Jan. 23 that lists federal IT products where post-quantum cryptography is recommended or available and urges agencies to begin procurement and testing of quantum-resistant options.

KEY FACTS

  • Agency: Cybersecurity and Infrastructure Security Agency published the guidance
  • Date: Jan. 23 release
  • Coverage: Cloud services, collaboration tools, web software and endpoint encryption are listed
  • Limitation: Many vendors offer post-quantum support for key agreement but not for digital signatures
  • Deadline: Executive order requires most high value systems to use post-quantum encryption by 2035

The guidance lists common federal purchases that use cryptography and identifies product categories where manufacturers say post-quantum standards are available or testing is encouraged. It highlights cloud, platform and endpoint products as examples where agencies can begin procurement of quantum-resistant options.

The document notes that post-quantum standards currently cover key encapsulation and key agreement more broadly than digital signatures and authentication. A footnote points out that two NIST-approved algorithms, ML-DSA and SLH-DSA, do not yet have production-ready implementations.

Adopting post-quantum algorithms will require redesign of backend infrastructure and updates to major internet protocols. Work on protocols such as SSH and TLS has begun, while protocol integration, performance and interoperability remain unsettled.

Per Surabhi Dahal of Encryption Consulting, most protocols are still in early stages with proposals and prototypes underway. Per Roberta Faux of Arqit, the guidance omits operational details on cryptographic inventories, timelines, performance metrics and hybrid models. Per Peter Bentley of Patero, lacking detailed inventories makes the label “PQC-enabled” difficult to verify in mixed vendor environments.

WHY IT MATTERS

The guidance may steer procurement toward post-quantum products but does not by itself resolve technical gaps such as signature support or operational visibility. Agencies and vendors face multi-year migration and interoperability challenges before full quantum resistance is achieved.