On August 13, 2024, the National Institute of Standards and Technology released three finalized post-quantum cryptographic standards. FIPS 203, based on the CRYSTALS-Kyber algorithm, addresses key encapsulation. FIPS 204, based on CRYSTALS-Dilithium, addresses digital signatures. FIPS 205, based on SPHINCS+, provides a hash-based signature alternative.
This was not a research publication. It was not a draft for comment. These are finalized Federal Information Processing Standards — the same framework that governs AES-256 and SHA-3, the same framework that underpins every meaningful cryptographic requirement in US and Canadian federal procurement.
For any organization that sells to, operates within, or is regulated by the US or Canadian federal government, these standards are now the baseline. The question is no longer whether to migrate. It is how quickly the migration can be accomplished and what the consequences of delay will be.
What the Three Standards Actually Cover
| Standard | Algorithm | Purpose | Relevance to Communications |
|---|---|---|---|
| FIPS 203 | ML-KEM (CRYSTALS-Kyber) | Key encapsulation mechanism | Protects session key exchange in every encrypted communication |
| FIPS 204 | ML-DSA (CRYSTALS-Dilithium) | Digital signatures | Authentication of parties in encrypted communications |
| FIPS 205 | SLH-DSA (SPHINCS+) | Hash-based signatures | Long-term signature validity, document authentication |
For communications security specifically, FIPS 203 is the critical standard. Key encapsulation is the mechanism by which two parties establish a shared secret over an untrusted network — the foundation of every encrypted session. The existing standard, based on RSA and elliptic curve Diffie-Hellman, is vulnerable to Shor's algorithm on a sufficiently powerful quantum computer. ML-KEM is not.
The Compliance Timeline Is Not Voluntary
CISA's guidance on post-quantum migration, the Canadian Centre for Cyber Security's quantum-safe cryptography recommendations, and parallel guidance from the UK's NCSC and Australia's ASD have all moved in the same direction: establish a migration inventory now, begin transition of highest-risk systems immediately, complete migration of all critical systems within defined timelines.
"What is guidance today becomes mandate on a timeline that is determined by threat assessment, not by organizational readiness. The organizations that treat current guidance as optional will face mandatory transition under worse conditions."
The US Office of Management and Budget issued memoranda in 2022 and 2023 requiring federal agencies to inventory cryptographic systems and prioritize migration. The NSA has published similar requirements for National Security Systems. These requirements flow down to contractors, vendors, and technology providers who supply those agencies.
For Canadian federal procurement, the Treasury Board Secretariat's direction on cryptographic standards follows NIST and CSE guidance. Any organization seeking to supply communications technology to the Canadian federal government will be expected to demonstrate post-quantum readiness in procurement timelines that are already beginning to reflect these requirements.
What Migration Actually Involves for Communications Infrastructure
The complexity of post-quantum migration is routinely underestimated. It is not a library upgrade. For communications infrastructure, migration requires addressing every layer where cryptography is implemented — transport layer security, key exchange protocols, authentication mechanisms, stored key material, and the hardware security modules that protect cryptographic operations.
Organizations that have implemented cryptography through third-party communications platforms face an additional dependency: they are waiting for their vendors to migrate, on their vendor's timeline, with their vendor's prioritization. Organizations that have built communications infrastructure on a post-quantum foundation from the outset do not have this dependency.
The organizations that will be positioned for compliance when mandates arrive are the ones beginning migration now — not when the mandate is issued, not when their vendor announces a roadmap, and not when a competitor demonstrates quantum decryption capability in a public forum.
The Window and What It Costs to Miss It
The migration window is the period between now and when post-quantum migration becomes mandatory under regulatory compulsion. Organizations that complete migration during this window do so on their own terms — with time to test, train, and verify. Organizations that miss the window migrate under pressure, with limited vendor capacity, against a compliance deadline that carries consequences for contracts, certifications, and operating licenses.
For organizations in regulated industries, the cost of missing the window is not abstract. FIPS 140-3 compliance — already required for cryptographic modules used in federal systems — will increasingly require post-quantum algorithm support. Common Criteria evaluations will incorporate post-quantum requirements. Organizations whose communications infrastructure cannot demonstrate compliance will find themselves excluded from procurement opportunities that currently represent core business.
If your organization is assessing its post-quantum migration timeline, we'd like to hear from you.
Get in Touch