{"id":13261,"date":"2026-05-30T10:03:38","date_gmt":"2026-05-30T10:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/30\/post-quantum-cryptography-is-not-the-future-it-is-your-current-reality\/"},"modified":"2026-05-30T10:03:38","modified_gmt":"2026-05-30T10:03:38","slug":"post-quantum-cryptography-is-not-the-future-it-is-your-current-reality","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/30\/post-quantum-cryptography-is-not-the-future-it-is-your-current-reality\/","title":{"rendered":"Post-quantum cryptography is not the future.\u00a0It is your current reality.\u00a0\u00a0"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">For most of the last decade, post-quantum cryptography lived in a particular kind of conversation. It came up at security conferences. It appeared in NIST press releases. CISOs nodded politely when it surfaced in briefings, filed it under \u201cthings to deal with eventually,\u201d and moved on to the quarter\u2019s actual fires.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">That conversation is over. It ended this week.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In the span of a few days, five separate signals landed. Each on its own is significant. Together,\u00a0they are impossible to ignore. Western Digital announced PQC support in its product line. CNN ran a primetime segment on the quantum threat. The U.S. government committed\u00a0roughly two\u00a0billion dollars toward quantum computing initiatives. <\/p>\n<p class=\"wp-block-paragraph\">Reports surfaced of an executive order accelerating federal PQC adoption. 
And Apple publicly endorsed ML-KEM and ML-DSA, the NIST-finalized post-quantum algorithms, for protecting iMessage.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Pick any one of those in isolation,\u00a0and\u00a0it\u2019s\u00a0notable. Stack them in the same week,\u00a0and\u00a0they\u2019re\u00a0a pattern. The companies, governments, and infrastructure providers who\u00a0actually run\u00a0the world\u2019s encryption are not waiting anymore. They are building, shipping, and deploying.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The question for everyone reading this is no longer whether post-quantum cryptography matters.\u00a0It\u2019s\u00a0whether your organization is moving with the industry or quietly drifting behind it.\u00a0<\/p>\n<h2 id=\"h-the-two-threats-that-nbsp-don-t-nbsp-need-a-quantum-computer-nbsp\" class=\"wp-block-heading\">\n<strong>The two threats that\u00a0don\u2019t\u00a0need a quantum computer<\/strong>\u00a0<\/h2>\n<p class=\"wp-block-paragraph\">The most expensive misconception in PQC strategy is the assumption that nothing bad happens until a cryptographically relevant quantum computer exists. That framing makes the threat feel distant, which makes it easy to defer, which is exactly why so many programs are still in planning instead of execution.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Two threats are already active today, and neither one requires a working quantum computer to do damage.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The first is Harvest Now, Decrypt Later, or HNDL. Adversaries, nation-states in particular, are intercepting and storing encrypted traffic right now. They\u00a0don\u2019t\u00a0need to read it today. They need to read it in 2030, or 2035, or whenever a sufficiently powerful quantum computer comes online. Storage is cheap. Patience is free. 
<\/p>\n<p class=\"wp-block-paragraph\">The encryption protecting your VPN traffic, your TLS-secured APIs, and your long-lived sensitive communications becomes retroactively breakable the moment that hardware exists. For any data that needs to stay confidential for ten years or more (healthcare records, financial archives, intellectual property, government communications), the exposure window has already opened.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The second is Trust Now, Forge Later, or TNFL. This is the integrity side of the same problem. Digital signatures that\u00a0establish\u00a0trust today, including root CA keys, code-signing keys, firmware signatures, and certificate hierarchies, can be forged retroactively once quantum capability arrives. <\/p>\n<p class=\"wp-block-paragraph\">The thing being attacked\u00a0isn\u2019t\u00a0confidentiality.\u00a0It\u2019s\u00a0authenticity. Software supply chains, identity systems, secure boot, legal signatures, all of it depends on signatures whose security assumptions are quietly aging.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Neither threat is theoretical. Both are operational right now. And both are why the organizations leading on PQC are not waiting for hardware to exist before they act.\u00a0<\/p>\n<h2 id=\"h-the-visibility-problem-nobody-is-talking-about-nbsp\" class=\"wp-block-heading\">\n<strong>The visibility problem nobody is talking about<\/strong>\u00a0<\/h2>\n<p class=\"wp-block-paragraph\">Here is the part that\u00a0doesn\u2019t\u00a0make it into the headlines.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When organizations finally do start their PQC programs, they\u00a0almost always\u00a0run into the same wall. Not algorithm selection. Not vendor support. Not budget. The wall is\u00a0visibility.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Cryptography in a modern enterprise lives in six places at once, and most of them are not on anyone\u2019s map. 
There is the application layer, where legacy systems hardcode RSA and ECC implementations that nobody on the current team built. There is the infrastructure layer (load balancers, VPN gateways, SSH endpoints),\u00a0where deprecated cipher suites and long-lived keys often have no documented owner. <\/p>\n<p class=\"wp-block-paragraph\">There\u00a0is\u00a0cloud and SaaS, where the cryptographic boundary\u00a0frequently\u00a0lives outside the customer\u2019s direct control. There is OT and IoT, where firmware-level cryptography can be operational for fifteen or twenty years without ever being upgraded. <\/p>\n<p class=\"wp-block-paragraph\">There is the PKI layer, where root and issuing CAs anchor trust for the entire organization. And there is the third-party and supply-chain layer, where vendors choose algorithms on your behalf and rarely tell you what they picked.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When you\u00a0actually run\u00a0discovery against an enterprise environment, the findings are\u00a0almost always\u00a0the same. RSA-1024 running in production on services nobody\u00a0maintains. Certificates with ten-year validity periods,\u00a0issued before the\u00a0current governance existed. Cryptographic keys hardcoded into application configs and CI\/CD pipelines, with no rotation history and no dependency map. Third-party integrations using algorithms\u00a0that\u00a0the security team has no contractual right to audit.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">You cannot migrate cryptography you cannot see. You cannot prioritize what you have not inventoried. And you cannot defend a posture you cannot describe to your board.\u00a0<\/p>\n<h2 id=\"h-the-sequence-that-nbsp-actually-works-nbsp\" class=\"wp-block-heading\">\n<strong>The sequence that\u00a0actually works<\/strong>\u00a0<\/h2>\n<p class=\"wp-block-paragraph\">The most consistent pattern across industries and organization sizes is that PQC programs fail in\u00a0roughly the\u00a0same way. 
They start with algorithm selection. They pick a pilot system. They get a small proof of concept working. And then they hit the wall of\u00a0trying to scale that pilot across thousands of systems\u00a0they\u00a0don\u2019t\u00a0have a complete inventory of.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The sequence that works runs in the opposite direction.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">It starts with a Cryptography Bill of Materials, or CBOM. This is a live, continuously updated inventory of every cryptographic asset across the enterprise: algorithms, key lengths, certificates, libraries, protocols, ownership, business criticality. Not a one-time spreadsheet that goes stale within weeks. Operational infrastructure that stays current as your environment changes.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">With a CBOM in place, the second phase becomes possible: crypto-agility. This is the architectural property that lets you swap algorithms without rebuilding systems, deploy hybrid classical-plus-PQC key exchange without breaking compatibility, automate certificate lifecycle operations at enterprise scale, and migrate in phases instead of all at once. Crypto-agility does not replace your infrastructure. It is a capability layered on top of it.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Once both are in place, the third phase, prioritization, becomes a rational exercise instead of a guessing game. Score every asset on three axes: algorithm vulnerability, data longevity, and business criticality. The intersection tells you what migrates\u00a0immediately, what migrates in the next twelve to eighteen months, and what stays under continuous monitoring.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Skip the inventory step, and everything downstream becomes guesswork. You make architectural decisions on incomplete information. You execute migration waves and discover dependencies mid-deployment. You spend resources on the wrong assets in the wrong order. 
The sequence is non-negotiable: inventory first, then agility, then prioritization.\u00a0<\/p>\n<h2 id=\"h-why-this-matters-now-specifically-nbsp\" class=\"wp-block-heading\">\n<strong>Why this matters now, specifically<\/strong>\u00a0<\/h2>\n<p class=\"wp-block-paragraph\">NIST finalized the first three PQC standards in August 2024: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). That moment changed PQC from research to deployable engineering. Within months, organizations like Cloudflare, Google, Apple, Akamai, AWS, and Microsoft began shipping production deployments. <\/p>\n<p class=\"wp-block-paragraph\">Chrome made ML-KEM the default key exchange. Apple\u2019s PQ3 protocol moved iMessage to hybrid ML-KEM ratcheting. Google set an internal target to complete its PQC migration by 2029. Cloudflare reports that over half of human internet traffic now runs through post-quantum key agreement.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Behind those deployments, the regulatory floor is rising. CNSA 2.0 enforces PQC signing requirements for new National Security Systems acquisitions starting in 2027. NIST has\u00a0signalled\u00a0the\u00a0deprecation of RSA and ECC after 2030. <\/p>\n<p class=\"wp-block-paragraph\">The September 2026 transition of legacy FIPS 140-2 validations to the historical list creates a convergence\u00a0point: organizations modernizing to FIPS 140-3 are doing it under the same engineering load as the PQC migration itself.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">What this means in practice: organizations that started foundational work (the CBOM, the vendor conversations, the hardware assessments) in 2024 and 2025 are now executing migrations. Organizations starting that work today are still on the bridge. Both can get to the other side. 
The runway is different.\u00a0<\/p>\n<h2 id=\"h-what-the-visibility-layer-nbsp-actually-looks-nbsp-like-nbsp\" class=\"wp-block-heading\">\n<strong>What the visibility layer\u00a0actually looks\u00a0like<\/strong>\u00a0<\/h2>\n<p class=\"wp-block-paragraph\">This is where CBOM Secure fits\u00a0into\u00a0the conversation. It is the cryptographic posture management platform Encryption Consulting built specifically for this problem: the visibility gap that sits underneath every PQC program, every compliance audit, and every certificate lifecycle automation initiative.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The platform runs nineteen production discovery sensors across the layers where cryptography\u00a0actually lives. Cloud KMS (AWS, Azure, GCP). HSM APIs including Entrust\u00a0nCipher, Thales Luna, IBM 4767\/4768\/4769,\u00a0Yubico\u00a0YubiHSM\u00a02, and\u00a0Fortanix\u00a0DSM. KMIP servers, versions 1.0 through 2.1. Database TDE. Source code across seven languages. <\/p>\n<p class=\"wp-block-paragraph\">OS trust stores. Active Directory, LDAP,\u00a0HashiCorp\u00a0Vault, and the major filesystem formats. Everything normalizes into a single CBOM-compliant inventory exported in\u00a0CycloneDX\u00a0format. Every asset gets a risk score. Quantum-vulnerable cryptography is flagged automatically. Audit evidence for NIST SP 800-131A, FIPS 140-3, CNSA 2.0, CMMC 2.0, PCI DSS 4.0, and FedRAMP comes out of the same dataset, on demand.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The pattern most organizations adopt: start with the CBOM, because without visibility,\u00a0everything downstream is guesswork, and build from what the inventory reveals. 
The certificate automation, the PQC migration planning,\u00a0and\u00a0the compliance reporting all run off the same source of truth.\u00a0<\/p>\n<h2 id=\"h-what-path-is-your-organization-on-nbsp\" class=\"wp-block-heading\">\n<strong>What path is your organization on?<\/strong>\u00a0<\/h2>\n<p class=\"wp-block-paragraph\">This is the question worth taking back to your team this week.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The headlines\u00a0aren\u2019t\u00a0going to slow down. Western Digital, CNN, the U.S. government, the executive branch,\u00a0and\u00a0Apple. That was one week. There will be another week like it, and another after that. Every one of those announcements compresses the timeline for organizations that\u00a0haven\u2019t\u00a0started, and\u00a0widens the gap for organizations that have.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">There are\u00a0roughly three\u00a0paths from here. The first is to start the foundational work now. Build the CBOM.\u00a0Identify\u00a0the assets with the longest lead times. Begin the hybrid deployment conversations with vendors. Treat crypto-agility as an operating model rather than a project. <\/p>\n<p class=\"wp-block-paragraph\">The second is to wait one more quarter, one more budget cycle, one more strategic planning meeting, and start the same work later under more pressure. The third is to do nothing and discover, somewhere around 2028 or 2029, that the migration window has narrowed faster than the program can execute.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Organizations on path one\u00a0are\u00a0building cryptographic agility\u00a0by\u00a0the way they push configuration updates. Organizations on path two are still buying themselves time. Organizations on path three are building a gap that compounds every quarter.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The technology is ready. The standards are\u00a0finalized. 
The deployments are happening at scale, in production, this week.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">What path is your organization on?\u00a0<\/p>\n<p class=\"wp-block-paragraph\"><em>Encryption Consulting builds CBOM Secure, the cryptographic posture management platform behind the inventory layer described in this article. To see how a continuously updated CBOM maps against your environment, visit\u00a0<\/em><a href=\"http:\/\/www.encryptionconsulting.com\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>www.encryptionconsulting.com<\/em><\/a><em>\u00a0or reach out at\u00a0<\/em><a href=\"mailto:info@encryptionconsulting.com\" target=\"_blank\" rel=\"noreferrer noopener\"><em>info@encryptionconsulting.com<\/em><\/a><em>.<\/em>\u00a0<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/post-quantum-cryptography-is-not-the-future-it-is-your-current-reality\/\">Post-quantum cryptography is not the future.\u00a0It is your current reality.\u00a0\u00a0<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Kavichselvan<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Post-quantum cryptography is not the future.\u00a0It is your current reality.\u00a0\u00a0 For most of the last decade, post-quantum cryptography lived in a particular kind of conversation. It came up at security conferences. It appeared in NIST press releases. 
CISOs nodded politely when it surfaced in briefings, filed it under \u201cthings to deal with eventually,\u201d and moved [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,279],"tags":[130],"class_list":["post-13261","post","type-post","status-publish","format-standard","hentry","category-cyber-security-news","category-technology","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13261"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13261"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13261\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}