Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a list.
This list outlines categories of IT software and hardware products frequently procured by the federal government that use cryptographic algorithms in encryption or authentication processes.
The guidance covers technologies including: cloud services (such as PaaS and IaaS), collaboration software, web software (browsers and servers), and endpoint security tools (providing full-disk encryption and data-at-rest encryption capabilities).
CISA cites these products as examples, arguing that the post-quantum cryptography standards they employ are "widely available" and designed to "protect sensitive information even after the advent of cryptographically capable quantum computers (CRQC)."
Facing the long-term threat of quantum computing
Currently, the US federal government is operating under an executive order requiring agencies to migrate most of their high-value systems and equipment to post-quantum encryption by 2035.
Last year, the Trump administration also discussed with allies and quantum industry executives whether to further advance this timeline through a new executive order.
However, the transition to quantum-resistant encryption protocols is widely considered an unprecedented social engineering project.
This process requires not only collaboration between hardware and software vendors but also relies on various standards organizations, protocol systems, and the underlying processes and infrastructure supporting internet data transmission.
These factors collectively determine how data is encrypted, transmitted, and verified on the internet.
The complexities of reality are creating a highly unbalanced market environment for technology purchasers: on the one hand, they are required to deploy post-quantum encryption solutions as quickly as possible; on the other hand, they lack mature, complete, and verifiable technological systems to support them.
"PQC availability" does not equate to "quantum security".
In addition to relatively mature technology areas, CISA also listed several other technology categories, stating that vendors should be "encouraged" to implement and test PQC capabilities in these areas, including: network hardware and network software, Software-as-a-Service (SaaS) password managers, intrusion detection systems, and other security tools.
However, even the technology categories listed by CISA as "seemingly PQC secure" have a key prerequisite:
The vast majority of these only support post-quantum standards in key encapsulation and key negotiation, and have not yet implemented PQC in digital signatures or authentication.
Adopting post-quantum cryptography also means reconstructing a large portion of the core backend infrastructure supporting encrypted internet communication.
Some mainstream protocols (such as SSH and TLS) have already done foundational work in this direction, but overall progress remains limited.
Surabhi Dahal of Encryption Consulting pointed out in September 2025 that most protocols are still in their early stages, with related proposals still being drafted, and prototypes being developed and tested to assess how quantum-safe methods can be integrated into existing systems.
A 2024 study by Pacific Northwest National Laboratory (PNNL) investigated the technological challenges of post-quantum migration in the industrial sector, focusing solely on electric vehicle charging infrastructure. The study found numerous internal and external hurdles, including “interoperability concerns, the computational and memory requirements of PQC algorithms, and the organization’s readiness for this transition.”
Roberta Faux, Head of Cryptography and Field CTO at post-quantum cryptography services company Arqit, stated that the CISA guidelines “omit many” the details needed to guide organizations in addressing post-quantum security options.
For example, she noted that the document provides little guidance on how to build a cryptographic asset inventory or timeline, what performance data should be used to measure trade-offs, how CISA measures or defines “PQC-capable,” and how to build hybrid models.
She pointed out that the document “feels optimized for procurement compliance rather than security outcomes.” Peter Bentley, COO of Patero, another post-quantum cryptography company, expressed a similar view, pointing out that "the hardest part isn't choosing a post-quantum algorithm, but understanding where cryptography actually exists," because most organizations don't have a detailed asset inventory.
Due to the lack of robust cryptographic asset visibility in most organizations, he believes that without a systematic cryptographic discovery and inventory management mechanism: "'PQC-enabled' easily becomes a marketing label rather than a verifiable, genuine capability, especially in hybrid or multi-vendor environments."
Faux further points out that the CISA guidelines actually acknowledge a core weakness in current post-quantum migrations: most vendor solutions labeled "PQC-available" only cover parts of the cryptographic process; critical functions such as digital signatures or key establishment still rely on traditional encryption mechanisms.
She emphasizes that the evolution of cryptographic systems typically takes decades, requiring repeated trade-offs between interoperability, performance, and operational costs, often resulting in a "long-term unfinished product phase."
Notably, a footnote in the CISA document also acknowledges that:
The two NIST-approved post-quantum signature algorithms, ML-DSA and SLH-DSA, currently lack mature production-grade implementation support.
Regarding this, Faux states, "This is not a limitation to be taken lightly."
She warns that key negotiation without quantum-safe authentication has very limited security value. Attackers can still forge certificates, impersonate terminals, or launch man-in-the-middle attacks.
