IRCNF

NIST's post-quantum encryption standards are final — the migration countdown has started


In August 2024, the National Institute of Standards and Technology (NIST) published three finalized post-quantum cryptography (PQC) standards — a milestone years in the making. For most people, this news arrived quietly, buried under the daily churn of tech headlines. But for cybersecurity professionals and government agencies, it was a starting gun.

What Was Standardized — and Why It Matters

The three new standards are:

ML-KEM (FIPS 203), based on CRYSTALS-Kyber — a key encapsulation mechanism (KEM) intended to replace the RSA and Diffie-Hellman key exchanges (including the elliptic-curve form, ECDH) that TLS, VPNs, and secure messaging rely on today.

ML-DSA (FIPS 204), based on CRYSTALS-Dilithium — a lattice-based digital signature algorithm, the primary general-purpose replacement for RSA and ECDSA signatures used to authenticate software, documents, and communications.

SLH-DSA (FIPS 205), based on SPHINCS+ — an alternative digital signature scheme built only from hash functions (stateless hash-based signatures). Its security does not depend on lattice problems, so a break of ML-DSA would not take it down as well; the price is much larger signatures and slower signing.

These algorithms were designed to resist attacks by quantum computers. That is what makes them necessary: the public-key algorithms the world relies on today — RSA, elliptic-curve cryptography (ECC), and Diffie-Hellman key exchange — are all broken by a sufficiently large quantum computer running Shor's algorithm. Symmetric ciphers and hash functions such as AES and SHA-2 are not broken in the same way; Grover's algorithm at most halves their effective security level, which larger key sizes absorb.

Why Today's Encryption Is at Risk

RSA and ECC rest on the assumption that factoring large integers or computing discrete logarithms takes a classical computer an impractical amount of time: for a 2048-bit RSA key, far longer than the age of the universe with current hardware. Shor's algorithm reduces both problems to period finding, which a quantum computer solves in polynomial time, so a large-scale quantum computer could do it in hours.

Quantum computers powerful enough to break current encryption — called cryptographically relevant quantum computers, or CRQCs — do not yet exist. But credible estimates put their arrival somewhere in the 5-to-15-year window. Some assessments are more aggressive. IBM, Google, and government-backed research programs are advancing rapidly, and the uncertainty itself is the threat.

The "Harvest Now, Decrypt Later" Threat

You don't need a quantum computer today to benefit from one tomorrow. Nation-state adversaries — and the intelligence agencies tracking them — are well aware of this. The strategy is straightforward: intercept and archive encrypted traffic now, while it's still protected, and decrypt it once a sufficiently powerful quantum computer becomes available.

This approach, known as "harvest now, decrypt later" (HNDL), transforms what looks like a future problem into a present one. Classified communications, long-term financial records, medical data, intellectual property — anything whose session keys were negotiated with RSA or ECC — is at risk if a patient adversary is recording it today. NSA, CISA, and NIST have all issued guidance explicitly flagging HNDL as a current threat requiring immediate action, not a wait-and-see concern.

Who Has Deadlines — and What They Are

US federal agencies are operating under a formal migration mandate. The White House's National Security Memorandum 10 (NSM-10), issued in May 2022, required agencies to inventory their cryptographic systems and begin migration planning, and set the goal of mitigating as much of the quantum risk as is feasible by 2035. CISA's guidance has pushed for critical systems to be migrated to PQC algorithms by 2030, with 2035 as the target for completing migration across federal infrastructure.

Financial regulators in the US and EU are watching closely. SWIFT, which handles interbank messaging for the global financial system, has been working with member banks on PQC readiness. Payment card networks and clearing houses with long data-retention requirements face particular urgency given the HNDL risk.

Critical infrastructure operators — energy, water, telecommunications — are under similar pressure. The problem is especially acute in operational technology (OT) environments, where embedded systems may have 20-year lifespans and no easy upgrade path.

The Hybrid Transition Period

No one expects organizations to flip a switch overnight. The current guidance from NIST and the major standards bodies recommends a "hybrid" approach during the transition: pair a classical key exchange (typically X25519) with a post-quantum KEM (ML-KEM) in the same handshake and feed both shared secrets into the key derivation. The session key then stays secret unless both components are broken, which covers the case where the new algorithm, or an implementation of it, is later found to have a flaw.

This approach is already being deployed in practice. Cloudflare, Google, and Apple have implemented hybrid key exchange in TLS connections. Signal added a post-quantum layer (PQXDH) to its initial key agreement in 2023. The main cost of the hybrid approach is bandwidth rather than CPU: an ML-KEM-768 public key or ciphertext is roughly a kilobyte, against 32 bytes for an X25519 share, which makes the first handshake flight larger and has tripped up middleboxes that assume a small ClientHello. That price buys a safety net while the new algorithms accumulate real-world scrutiny.
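The exchange described above, as an added example that is not part of the original article: a minimal X25519MLKEM768-style handshake in Go (1.24 or newer, which put crypto/mlkem and crypto/hkdf in the standard library). The wire layout (ML-KEM part first) and the concatenation of the two secrets follow the IETF draft for that TLS group; the HKDF label "hybrid-demo" and the absence of a transcript hash are simplifications of what TLS does. Sizes and function names come from Go's standard library, not from the article.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"slices"
)

// Wire layout of the X25519MLKEM768 TLS group: the client's key_share is the ML-KEM-768
// encapsulation key || X25519 public key; the server's is ML-KEM-768 ciphertext || X25519 public key.
const (
	clientShareSize = mlkem.EncapsulationKeySize768 + 32 // 1184 + 32
	serverShareSize = mlkem.CiphertextSize768 + 32       // 1088 + 32
)

// clientHello generates both key pairs and returns them with the concatenated share.
func clientHello() (*mlkem.DecapsulationKey768, *ecdh.PrivateKey, []byte, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, nil, err
	}
	sk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	return dk, sk, slices.Concat(dk.EncapsulationKey().Bytes(), sk.PublicKey().Bytes()), nil
}

// serverHello encapsulates to the client's ML-KEM key, runs X25519 with a fresh ephemeral key, and returns its share plus the session key.
func serverHello(clientShare []byte) ([]byte, []byte, error) {
	if len(clientShare) != clientShareSize {
		return nil, nil, errors.New("bad client share length")
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return nil, nil, err
	}
	clientPub, err := ecdh.X25519().NewPublicKey(clientShare[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return nil, nil, err
	}
	sk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ecdhSS, err := sk.ECDH(clientPub) // rejects low-order points (all-zero secret)
	if err != nil {
		return nil, nil, err
	}
	kemSS, ct := ek.Encapsulate()
	key, err := combine(kemSS, ecdhSS)
	if err != nil {
		return nil, nil, err
	}
	return slices.Concat(ct, sk.PublicKey().Bytes()), key, nil
}

// clientFinish derives the same session key on the client side. ML-KEM uses implicit rejection: a tampered
// ciphertext yields an unrelated pseudorandom secret rather than an error, so the handshake fails at the Finished MAC.
func clientFinish(dk *mlkem.DecapsulationKey768, sk *ecdh.PrivateKey, serverShare []byte) ([]byte, error) {
	if len(serverShare) != serverShareSize {
		return nil, errors.New("bad server share length")
	}
	kemSS, err := dk.Decapsulate(serverShare[:mlkem.CiphertextSize768])
	if err != nil {
		return nil, err
	}
	serverPub, err := ecdh.X25519().NewPublicKey(serverShare[mlkem.CiphertextSize768:])
	if err != nil {
		return nil, err
	}
	ecdhSS, err := sk.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	return combine(kemSS, ecdhSS)
}

// combine is the hybrid combiner: both secrets feed one KDF, so the session key stays secret unless ML-KEM-768
// and X25519 are both broken; it never falls back to one input. "hybrid-demo" is a constructed label for the demo.
func combine(kemSS, ecdhSS []byte) ([]byte, error) {
	return hkdf.Key(sha256.New, slices.Concat(kemSS, ecdhSS), nil, "hybrid-demo", 32)
}

func main() {
	dk, sk, cs, err1 := clientHello()
	ss, serverKey, err2 := serverHello(cs)
	clientKey, err3 := clientFinish(dk, sk, ss)
	if err := errors.Join(err1, err2, err3); err != nil {
		panic(err)
	}
	fmt.Printf("client share %d B, server share %d B, keys agree: %v\n",
		len(cs), len(ss), slices.Equal(clientKey, serverKey))
}
```

The length checks matter: a real endpoint must refuse a truncated or oversized share before slicing it, and the combiner must never accept "only the classical half" if the KEM step fails, or the hybrid degrades silently to X25519.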

What Businesses and Individuals Should Do Now

The migration challenge is not primarily a mathematical one — the algorithms are ready. It is an operational and organizational challenge. For businesses and institutions, the practical steps are:

Inventory cryptographic assets. You cannot migrate what you haven't mapped. That means identifying every place in your infrastructure where RSA, ECC, or DH is in use — TLS certificates, SSH keys, code-signing pipelines, VPN configurations, encrypted databases, and API authentication.

Prioritize long-lived sensitive data. Data that must remain confidential for ten or more years — health records, legal documents, trade secrets — should be treated as already exposed under HNDL assumptions. Be precise about where the exposure is: the symmetric cipher protecting a file or database (AES-256, say) is not what a quantum computer breaks; the weak link is any RSA or ECC key that wrapped those symmetric keys or negotiated the sessions that carried the data. Re-wrap those keys and move the transports for such data to PQC-protected key exchange first.

Update TLS and SSH configurations. The major libraries — OpenSSL (3.5 and later), BoringSSL, and the Open Quantum Safe project's liboqs — ship ML-KEM, and browsers and server software are following. In TLS 1.3 the post-quantum key exchange arrives as a new named group such as X25519MLKEM768 rather than a new cipher suite, so check your supported groups, not just your cipher list. OpenSSH has defaulted to a hybrid post-quantum key exchange (sntrup761x25519-sha512) since 9.0 and added mlkem768x25519-sha256 in 9.9. Keeping dependencies current and watching for these groups in your web stack is a concrete step anyone managing infrastructure can take.

Don't wait for vendors. Many enterprise software vendors are moving slowly on PQC integration. If you're locked into systems that have no PQC roadmap, that's a risk to raise with your vendor now, not in 2029.
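A starting point for the inventory and prioritization steps above, as an added example that is not the article's code: a Go program that walks a PEM bundle, records the public-key algorithm and size of each certificate, and flags the two things the article says to prioritize, quantum-vulnerable algorithms and validity that outlives the migration horizon. The certificates, hostnames and the 2030 horizon are constructed for the demo; a real inventory also has to cover SSH keys, code-signing keys and KMS/HSM key-wrapping, which this block does not parse.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: the certificate's key, whether Shor breaks it, and whether it outlives the horizon.
type Finding struct {
	Subject           string
	Algorithm         string
	KeyBits           int
	NotAfter          time.Time
	QuantumVulnerable bool
	LongLived         bool
}

// horizon is an assumed policy date (not from the article) past which a quantum-vulnerable cert is a migration blocker.
var horizon = time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)

// inventoryPEM walks every CERTIFICATE block in a PEM bundle and classifies its key.
func inventoryPEM(bundle []byte) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys, CSRs and CRLs need their own parsers
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		f := Finding{Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter, LongLived: cert.NotAfter.After(horizon)}
		switch k := cert.PublicKey.(type) {
		case *rsa.PublicKey:
			f.Algorithm, f.KeyBits, f.QuantumVulnerable = "RSA", k.N.BitLen(), true
		case *ecdsa.PublicKey:
			f.Algorithm, f.KeyBits, f.QuantumVulnerable = "ECDSA/"+k.Curve.Params().Name, k.Curve.Params().BitSize, true
		default: // Ed25519 and DSA (also quantum-vulnerable) or OIDs Go cannot parse yet, e.g. PQC: review by hand
			f.Algorithm = "review: " + cert.PublicKeyAlgorithm.String()
		}
		out = append(out, f)
	}
	return out, nil
}

// selfSigned issues a constructed self-signed certificate with fixed dates so the example is deterministic and offline.
func selfSigned(cn string, pub, priv any, endYear int) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(endYear, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// sampleBundle builds two constructed certs: a 10-year RSA-2048 cert (the HNDL case) and a 1-year P-256 web cert.
func sampleBundle() ([]byte, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a, err := selfSigned("archive.example.internal", &rsaKey.PublicKey, rsaKey, 2035)
	if err != nil {
		return nil, err
	}
	b, err := selfSigned("www.example.internal", &ecKey.PublicKey, ecKey, 2026)
	if err != nil {
		return nil, err
	}
	return append(a, b...), nil
}

func main() {
	bundle, err := sampleBundle()
	if err != nil {
		panic(err)
	}
	findings, err := inventoryPEM(bundle)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", findings)
}
```

Point it at a concatenated export of your TLS certificate store and the rows with both flags set are the first migration candidates; the "review:" rows are where the parser gave up and a human has to look.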

For ordinary users, the most actionable advice is simpler: use software that's actively maintained and updated. If your messaging app, browser, and operating system are current, you're likely to get PQC protections as they roll out without doing anything special. The heavy lifting is being done at the infrastructure level.

The Bottom Line

The finalization of NIST's post-quantum standards closes the "which algorithms should we use?" question that kept many organizations in a wait-and-see posture. That question now has an answer. The remaining questions are operational: how fast can you move, what's your highest-priority exposure, and do your vendors have a credible plan?

Cryptographic migrations are slow, expensive, and disruptive — the transition from SHA-1 to SHA-256 took over a decade and it was far simpler than what PQC migration requires. The fact that quantum computers capable of breaking RSA don't exist yet is not a reason to delay. It is precisely the reason to start now, while there is still time to do it methodically rather than in a panic.

The countdown has started. The standards are final. The only variable left is how much of a head start the migration gets.
