CISA Releases Post-Quantum Cryptography Product Categories to Accelerate Migration
CISA publishes updated hardware and software categories for post-quantum cryptography adoption following Executive Order 14306, aiding federal agencies in PQC migration.
CISA Publishes Post-Quantum Cryptography Product Categories to Support Federal Migration
The Cybersecurity and Infrastructure Security Agency (CISA) has released and will regularly update a comprehensive list of hardware and software product categories that utilize post-quantum cryptography (PQC) standards. This initiative responds to Executive Order (EO) 14306, issued on June 6, 2025, titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.”
Key Details
CISA’s resource aims to accelerate PQC adoption across federal agencies by providing a structured framework for identifying technologies that meet emerging cryptographic standards. The lists categorize products into hardware and software segments, offering example typologies to guide procurement and implementation efforts. While the full details are available on CISA’s official resource page, the categories are designed to help organizations transition away from quantum-vulnerable cryptographic algorithms such as RSA and ECC.
Technical Context
Post-quantum cryptography refers to cryptographic algorithms believed to be resistant to attacks from both classical and quantum computers. With the National Institute of Standards and Technology (NIST) finalizing its PQC standardization process in 2024, federal agencies are now mandated to prioritize PQC-compliant solutions. CISA’s product categories align with NIST’s approved algorithms, including:
- CRYSTALS-Kyber (key encapsulation)
- CRYSTALS-Dilithium (digital signatures)
- SPHINCS+ (hash-based signatures)
Impact and Next Steps
The release of these product categories underscores the urgency of PQC migration for federal agencies and critical infrastructure providers. Organizations are advised to:
- Assess current cryptographic dependencies and identify systems reliant on quantum-vulnerable algorithms.
- Review CISA’s product categories to evaluate PQC-compliant alternatives for hardware and software.
- Develop a phased migration plan in alignment with NIST’s guidelines and federal mandates.
- Monitor CISA’s updates to the product lists, as the agency will refine categories based on evolving standards and market availability.
CISA’s resource serves as a critical tool for agencies navigating the complex transition to quantum-resistant cryptography, ensuring compliance with EO 14306 while mitigating long-term cybersecurity risks.