The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory mapping post-quantum cryptography (PQC) standards to common enterprise hardware and software categories, giving CIOs and security teams an early reference for evaluating quantum-safe technology readiness.

Issued in response to a June 6, 2025 executive order on strengthening federal cybersecurity, the advisory identifies classes of IT products that already use, or are transitioning toward, NIST-standardized PQC algorithms. CISA said the lists are intended to guide procurement and long-term migration planning as agencies assess systems that rely on public-key cryptography.

For enterprises, the guidance signals that quantum-safe cryptography is becoming a practical procurement consideration today, while also highlighting gaps. CISA noted that many listed product categories have implemented PQC for limited functions, such as key establishment, but are not yet fully quantum-resistant.

CISA noted PQC-ready product categories

The advisory highlighted several technology categories where PQC-compatible solutions are already available (or are in active transition) to help organizations evaluate purchase decisions and plan migration.

According to the advisory, several hardware and software product categories already use PQC standards. These include cloud services (PaaS, IaaS), collaboration software (chat/messaging), web software (browsers and servers), and endpoint security (data-at-rest (DAR) security and full disk encryption).

Several other categories, including networking hardware and software, SaaS, telecommunications hardware, computers (physical or virtual), storage area networks, ICAM hardware, password managers, and antivirus software, were highlighted for their potential for adopting PQC.

CISA noted that none of these categories is fully quantum-resistant. “Most of these categories have implemented PQC for key encapsulation and key agreement but have not yet widely implemented PQC for digital signatures and authentication,” CISA said about the categories already using PQC standards.

“As a result, these categories are not considered to be fully quantum resistant; CISA includes them on this list because one of their main security services is quantum resistant, and Federal Civilian Executive Branch (FCEB) departments and agencies should procure them appropriately.”

The advisory added a note for categories like operational technology (OT) and internet of things (IoT) devices that weren’t considered traditional IT products. “These also should be transitioning to PQC standards as well, but are out of scope for these lists,” it said.

PQC standards and algorithm roadmap

The CISA advisory aims to align technologies with the nascent PQC standards now incorporated into federal policy. NIST’s post-quantum standardization project and its Federal Information Processing Standards (FIPS) publications formed the baseline for the advisory.

These include FIPS 203, which specifies the Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM), based on the CRYSTALS-Kyber algorithm, for secure key establishment; FIPS 204, which defines the Module-Lattice-Based Digital Signature Algorithm (ML-DSA), rooted in CRYSTALS-Dilithium, for secure digital signatures; and FIPS 205, which covers the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA), derived from the SPHINCS+ hash-based signature scheme.

These standards implement mathematical constructions designed to resist both classical and quantum cryptanalytic attacks. To qualify as PQC-ready under CISA’s view, products are expected to implement these PQC primitives for key establishment (enabling two parties to negotiate secure session keys) and digital signatures (for authentication and integrity).
