Morning Overview

Quantum computers threaten encryption—NIST urges post-quantum shift

In August 2024, the National Institute of Standards and Technology did something it had been working toward for eight years: it finalized the first three cryptographic standards built to withstand attacks from quantum computers. By spring 2026, the federal government, major tech companies, and security teams across the private sector are racing to adopt them, driven by an unsettling possibility that intelligence agencies have warned about for years. Adversaries may already be intercepting and stockpiling encrypted data today, waiting for quantum machines powerful enough to crack it open.

The threat has a name in cybersecurity circles: “harvest now, decrypt later.” And the new standards from NIST are the government’s answer.

What NIST finalized and why it matters

The three standards, formally approved by the Secretary of Commerce, are Federal Information Processing Standards designed to replace the public-key cryptography that secures nearly all internet traffic. Here is what each one does:

  • FIPS 203 (ML-KEM): A key-encapsulation mechanism that protects data in transit. When your browser establishes a secure connection to a bank, this is the type of algorithm that would guard the key exchange.
  • FIPS 204 (ML-DSA): A digital signature algorithm derived from CRYSTALS-Dilithium. It replaces signature schemes like ECDSA and RSA that verify the authenticity of software updates, legal documents, and financial transactions.
  • FIPS 205 (SLH-DSA): A hash-based digital signature alternative, offering a different mathematical foundation as a backup if lattice-based approaches face unexpected vulnerabilities.

An important distinction often gets lost in coverage of these standards. NIST’s own announcement described the release as its “first 3 finalized post-quantum encryption standards,” but FIPS 204 and FIPS 205 specifically cover digital signatures, not encryption. Encryption protects confidentiality (keeping secrets secret). Digital signatures protect authenticity and integrity (proving a message or file has not been tampered with and really came from who it claims). Organizations planning migrations need to understand that these standards address different security functions and are not interchangeable.

Dustin Moody, who leads NIST’s post-quantum cryptography project, has urged system administrators to begin integrating the new standards immediately rather than waiting for a mandate.

The federal push is already broad

NIST is not acting alone. Multiple federal agencies have converged on the same message with unusual speed.

The Cybersecurity and Infrastructure Security Agency has published operational migration guidance that lays out a step-by-step playbook: build a quantum-readiness roadmap, perform a full cryptographic inventory, assess supply chain and vendor readiness, and plan staged adoption. The Department of Homeland Security has issued a memorandum directing its own components to begin preparing. The National Security Agency has pointed to its CNSA Suite 2.0 materials and CNSS Policy 15 as policy guidance for national-security systems, signaling that classified networks face the same migration pressure as civilian ones.

Meanwhile, NIST’s National Cybersecurity Center of Excellence is running hands-on migration projects that include cryptographic discovery tools and interoperability testing with widely used protocols like TLS and SSH. Those projects are still in progress, but they represent the closest thing to a federal proving ground for post-quantum deployment.

Industry is moving, unevenly

Some of the largest technology companies have not waited for mandates. Google began experimenting with ML-KEM in Chrome’s TLS connections. Apple shipped its PQ3 protocol for iMessage, designed to protect messages against future quantum decryption. Signal adopted PQXDH, a post-quantum key agreement protocol, for its encrypted messaging. These early movers share a common trait: they control their own software stacks and can push updates to billions of devices relatively quickly.

The picture is far less clear for organizations that depend on long-lived embedded systems, industrial control equipment, or medical devices. Some of those products may never receive post-quantum firmware updates, forcing expensive hardware replacements or layered compensating controls. A hospital network running MRI machines with 15-year lifecycles faces a fundamentally different migration challenge than a cloud provider updating its server fleet.

Independent researchers have already begun benchmarking the new algorithms on constrained hardware. A study published on arXiv tested ML-KEM and ML-DSA on the ARM Cortex-M0+, a low-power processor common in IoT sensors and embedded devices. The results suggest the algorithms are feasible on small hardware, though that single study does not substitute for broad industry validation across diverse real-world environments.

What no one has answered yet

For all the urgency, significant gaps remain in the public record.

No federal agency has published a hard deadline for when organizations, or even government departments, must complete their cryptographic migrations. CISA’s guidance describes what to do but includes no enforcement mechanism or compliance timeline for private-sector supply chains. The DHS memorandum directs internal components to prepare, but interpretations vary on how binding it actually is.

Cost data is almost entirely absent. No federal estimate exists for what a full cryptographic migration would cost a mid-size company, a hospital network, or a municipal government. No public dashboard tracks what percentage of federal systems have begun the transition. Without those numbers, security teams are left to build business cases on threat modeling alone, which makes it harder to secure budget approval from executives who want concrete figures.

NIST’s standardization work is also not finished. A fourth evaluation round is under way, assessing additional candidate algorithms. That means the current set of three standards may expand, and organizations that build rigid architectures around only the initial algorithms could face another round of upgrades. The prudent approach, according to NIST’s own guidance, is crypto-agility: designing systems that can swap algorithms without a full rebuild.

And then there is the biggest unknown of all: when will a quantum computer actually be powerful enough to break RSA-2048 or similar schemes? Estimates from researchers and companies like IBM and Google vary widely, ranging from the early 2030s to decades further out. But the “harvest now, decrypt later” threat does not require waiting for that day. Data stolen today and stored cheaply could be decrypted the moment a sufficiently powerful machine comes online. For information with long confidentiality requirements (medical records, state secrets, financial data governed by retention rules), the window for action is already closing.

Where this leaves organizations in 2026

The most reliable signals from NIST, CISA, DHS, and the NSA all point in the same direction: the cryptographic tools to begin the transition are available now, and waiting for perfect clarity on timelines or costs carries its own risk.

The practical starting point is the one CISA has already outlined. Security teams need a cryptographic inventory: a clear map of where RSA, ECDSA, and other quantum-vulnerable algorithms live across their systems, which vendor products depend on them, and which assets carry the longest confidentiality requirements. That inventory becomes the foundation for every decision that follows, from prioritizing high-risk systems to sequencing upgrades without breaking critical applications.
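As an added illustration (not code from CISA, NIST, or this article's sources), the sketch below shows how such an inventory can be turned into a migration order. The record layout, the asset names, and the ranking rule (classical key exchange first, because recorded traffic is what "harvest now, decrypt later" targets, then classical signatures) are assumptions made for the example; the algorithm strings follow common TLS and SSH naming.

```python
from typing import NamedTuple

# Substrings that identify an algorithm family in common TLS/SSH-style names.
POST_QUANTUM = ("mlkem", "ml-kem", "mldsa", "ml-dsa", "slhdsa", "slh-dsa")
CLASSICAL = ("rsa", "dsa", "ecdh", "diffie-hellman", "25519", "nistp", "secp")

# Constructed sample inventory: asset, function, algorithm, confidentiality years.
SAMPLE = """\
vpn-gateway, key-exchange, ecdh-sha2-nistp256, 25
patient-portal, key-exchange, X25519MLKEM768, 25
patient-portal, signature, ecdsa-sha2-nistp256, 0
build-server, signature, rsa-sha2-256, 0
archive-api, key-exchange, RSA-2048, 10
firmware-signer, signature, ML-DSA-65, 0
backup-store, bulk-cipher, aes256-gcm, 25
"""

class Entry(NamedTuple):
    asset: str
    function: str
    algorithm: str
    years: int

def classify(algorithm: str) -> str:
    """Return 'classical', 'hybrid', 'post-quantum' or 'other'."""
    name = algorithm.lower()
    has_pq = any(tok in name for tok in POST_QUANTUM)
    for tok in POST_QUANTUM:  # strip PQ names so 'ml-dsa' is not read as 'dsa'
        name = name.replace(tok, " ")
    has_classical = any(tok in name for tok in CLASSICAL)
    if has_pq:
        return "hybrid" if has_classical else "post-quantum"
    return "classical" if has_classical else "other"

def parse_inventory(text: str) -> list[Entry]:
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            asset, function, algorithm, years = (f.strip() for f in line.split(","))
            rows.append(Entry(asset, function, algorithm, int(years)))
    return rows

def prioritize(rows: list[Entry]) -> list[Entry]:
    """Classical key exchange first (recorded traffic is exposed to later
    decryption), longest confidentiality need first; classical signatures after."""
    todo = [r for r in rows if classify(r.algorithm) == "classical"]
    return sorted(todo, key=lambda r: (r.function != "key-exchange", -r.years))

if __name__ == "__main__":
    for r in prioritize(parse_inventory(SAMPLE)):
        print(f"{r.asset:16} {r.function:13} {r.algorithm:22} {r.years:>3}y")
```

Hybrid and post-quantum entries drop out of the work list, and symmetric ciphers such as AES are classified as "other" because they are outside the scope of the three FIPS standards.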

From there, the evidence supports a few measured conclusions. The finalized FIPS standards are technically mature enough for pilot deployments, especially in environments where software updates are routine. Migration will be uneven: sectors with strong regulatory oversight and centralized IT (finance, large cloud providers) are likely to move faster than fragmented ecosystems like small healthcare practices or local governments. And organizations should treat the current three standards as a starting point, not a finish line, building flexibility into their architectures for whatever NIST finalizes next.

The absence of precise deadlines and cost estimates should not be read as permission to delay. The convergence of federal guidance is unusually clear for a threat that has not yet fully materialized. For security leaders, the question is no longer whether to begin the shift to post-quantum cryptography. It is how fast they can move before the math catches up.


*This article was researched with the help of AI, with human editors creating the final content.