Post-Quantum Cryptography: Essential Product Categories for a Secure Future

The U.S. government, via CISA, has identified key hardware and software categories that now support **post-quantum cryptography (PQC)** standards to counter the threat of quantum computing. Organizations must prioritize procuring PQC-capable products in these categories to safeguard sensitive data against future quantum attacks. This guide outlines the critical product categories and actionable steps for a seamless transition.

---
title: "Post-Quantum Cryptography: Essential Product Categories for a Secure Future"
short_title: "Key Product Categories for Post-Quantum Cryptography"
description: "Discover the critical hardware and software categories using post-quantum cryptography (PQC) standards. Learn how to future-proof your cybersecurity strategy now."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [post-quantum cryptography, cybersecurity, encryption, nist, pqc standards]
score: 0.78
cve_ids: []
---


Main Content

Introduction: The Urgency of Post-Quantum Cryptography


Quantum computing poses an existential threat to traditional cryptographic systems. Once a cryptographically relevant quantum computer (CRQC) becomes operational, it could break widely used encryption methods like RSA and ECC, exposing sensitive data globally. To mitigate this risk, the U.S. government issued Executive Order (EO) 14306 in June 2025, mandating the adoption of post-quantum cryptography (PQC) standards.

In response, the Cybersecurity and Infrastructure Security Agency (CISA) has released a comprehensive list of hardware and software categories that now support PQC. This article explores these categories, the underlying PQC standards, and how organizations can future-proof their cybersecurity infrastructure.

---

Key Points


- Executive Order 14306 requires federal agencies to adopt PQC-capable products in critical categories.
- NIST has standardized three PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) for key establishment and digital signatures.
- Cloud services, collaboration tools, and web software are among the first categories to widely support PQC.
- Networking hardware, ICAM systems, and endpoint security are transitioning to PQC but require further testing.
- Organizations must prioritize PQC-capable products in procurement to avoid quantum-related vulnerabilities.

---

Technical Details

#### The Role of NIST in PQC Standardization
In 2016, the National Institute of Standards and Technology (NIST) launched a global effort to identify and standardize quantum-resistant cryptographic algorithms. After years of rigorous evaluation, NIST has released the following PQC standards:

| Cryptographic Function | Algorithm Standard | NIST Standard |
|----------------------------|------------------------------------------------|-----------------------------------------------------------------------------------|
| Key Establishment | Module-Lattice-Based Key-Encapsulation (ML-KEM) | [FIPS 203](https://csrc.nist.gov/pubs/fips/203/final) |
| Digital Signature | Module-Lattice-Based Digital Signature (ML-DSA) | [FIPS 204](https://csrc.nist.gov/pubs/fips/204/final) |
| Digital Signature | Stateless Hash-Based Digital Signature (SLH-DSA)| [FIPS 205](https://csrc.nist.gov/pubs/fips/205/final) |
| Digital Signature | Stateful Hash-Based Signature Algorithms | [NIST SP 800-208](https://csrc.nist.gov/pubs/sp/800/208/final) |

These standards form the backbone of PQC adoption, enabling secure key establishment and digital signatures in a post-quantum world.

---

#### Core Cryptographic Functions
1. Key Establishment
   - The process of securely generating and sharing cryptographic keys between parties.
   - Essential for establishing confidential communication using encryption.
   - PQC algorithms like ML-KEM replace vulnerable methods like Diffie-Hellman.

2. Digital Signatures
   - Provide origin authentication, data integrity, and non-repudiation.
   - PQC algorithms like ML-DSA and SLH-DSA ensure signatures remain secure against quantum attacks.

---

Product Categories Using PQC Standards

#### Widely Available PQC-Capable Products
CISA’s Table 2 highlights product categories where PQC-capable solutions are already widely available. Organizations must prioritize these in procurement:

| Product Category | Example Product Type |
|---------------------------|---------------------------------------------|
| Cloud Services | Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS) |
| Collaboration Software | Chat/messaging applications |
| Web Software | Web browsers, web servers |
| Endpoint Security | Data-at-rest (DAR) security, full disk encryption |

Note: While these categories support PQC for key establishment, most have not yet implemented PQC for digital signatures. Thus, they are not fully quantum-resistant but are critical for securing communications.
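
For web software, the split described in the note can be checked in what a client offers in its TLS ClientHello: the `supported_groups` extension carries key-establishment options and `signature_algorithms` carries signature options. The following Python sketch is an added example, not code from CISA or from this article; the TLS codepoints are IANA registry values that do not appear on this page, and the ClientHello bytes are constructed for the example.

```python
import struct

# TLS codepoints from the IANA registries (known values, not taken from the page).
PQC_GROUPS = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
              0x11ED: "SecP384r1MLKEM1024", 0x0201: "MLKEM768", 0x0202: "MLKEM1024"}
PQC_SIGS = {0x0904: "mldsa44", 0x0905: "mldsa65", 0x0906: "mldsa87"}

def parse_client_hello(record: bytes) -> dict:
    """Return {extension_type: extension_data} for one TLS ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # skip session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # skip cipher_suites
    pos += 1 + record[pos]               # skip compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    exts = {}
    while pos + 4 <= min(end, len(record)):
        etype, elen = struct.unpack_from("!HH", record, pos)
        exts[etype] = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def u16_list(data: bytes) -> list:
    """Decode a vector of uint16 codepoints with a 2-byte length prefix."""
    n = int.from_bytes(data[:2], "big")
    return [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + n, 2)]

def pqc_posture(record: bytes) -> dict:
    """List the PQC groups and PQC signature schemes a ClientHello offers."""
    exts = parse_client_hello(record)
    groups = u16_list(exts.get(10, b""))   # extension 10: supported_groups
    sigs = u16_list(exts.get(13, b""))     # extension 13: signature_algorithms
    return {"pqc_key_establishment": [PQC_GROUPS[g] for g in groups if g in PQC_GROUPS],
            "pqc_signatures": [PQC_SIGS[s] for s in sigs if s in PQC_SIGS]}

def build_sample() -> bytes:
    """Constructed ClientHello: hybrid ML-KEM group offered, classical signatures only."""
    def ext(etype, codes):
        body = struct.pack("!H%dH" % len(codes), 2 * len(codes), *codes)
        return struct.pack("!HH", etype, len(body)) + body
    exts = ext(10, [0x11EC, 0x001D, 0x0017]) + ext(13, [0x0403, 0x0804, 0x0401])
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(pqc_posture(build_sample()))
```

Run against a ClientHello captured from the product under evaluation, a non-empty `pqc_key_establishment` list with an empty `pqc_signatures` list is the situation the note describes.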

---

#### Products Transitioning to PQC
CISA’s Table 3 lists categories where PQC adoption is still in progress. Manufacturers are encouraged to implement PQC for core and secondary features (e.g., software updates):

| Product Category | Example Product Type |
|------------------------------------|---------------------------------------------|
| Networking Hardware | Routers, firewalls, switches, appliances |
| Networking Software | Software-defined networking (SDN), DNS |
| Cloud Services | Software-as-a-Service (SaaS) |
| Telecommunications Hardware | VoIP, radios, desk phones |
| Computers (Physical and Virtual) | Operating systems, hypervisors, containers |
| Identity, Credential, and Access Management (ICAM) | Identity providers, PKI management, HSMs |

Important: As these categories mature, CISA will move them to the widely available list. Organizations should monitor updates and plan accordingly.

---

Impact Assessment

#### Why PQC Adoption Is Critical
1. Quantum Threat Is Imminent
   - A CRQC could break traditional encryption, exposing government, financial, and healthcare data.
   - PQC adoption is not optional; it’s a national security imperative.

2. Federal Mandates
   - EO 14306 requires federal agencies to procure only PQC-capable products in listed categories.
   - Non-compliance risks data breaches, regulatory penalties, and loss of trust.

3. Long-Term Cost Savings
   - Retrofitting legacy systems is costly and complex. Early adoption reduces future expenses.

4. Competitive Advantage
   - Organizations that adopt PQC early will lead in cybersecurity resilience and gain stakeholder trust.

---

#### Challenges in PQC Transition
- Interoperability: Some PQC-capable products may still rely on non-PQC algorithms for compatibility.
- Performance Overhead: PQC algorithms can be computationally intensive, requiring hardware upgrades.
- Lack of Awareness: Many organizations underestimate the quantum threat and delay adoption.

---

Conclusion

The transition to post-quantum cryptography is not a distant concern—it’s a current necessity. With CISA’s guidance and NIST’s standardized algorithms, organizations can begin procuring PQC-capable products today to safeguard their data against future quantum threats.

Key Takeaways:
- Prioritize PQC-capable products in cloud services, collaboration tools, and web software.
- Monitor updates from CISA and NIST for new PQC standards and product categories.
- Plan for interoperability challenges and performance considerations during transition.
- Act now to avoid costly retrofits and compliance risks.

The quantum era is coming. Is your organization ready?

---

References


[^1]: Cybersecurity and Infrastructure Security Agency (CISA). "[Product Categories for Technologies That Use Post-Quantum Cryptography Standards](https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards)". Retrieved 2024-10-02.
[^2]: National Institute of Standards and Technology (NIST). "[FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism](https://csrc.nist.gov/pubs/fips/203/final)". Retrieved 2024-10-02.
[^3]: National Institute of Standards and Technology (NIST). "[NIST IR 8547: Transition to Post-Quantum Cryptography Standards](https://csrc.nist.gov/publications/detail/ir/8547/final)". Retrieved 2024-10-02.