The date of Q-Day, when quantum computers break today's encryption, is unknown. Fortunately, the Cybersecurity and Infrastructure Security Agency (CISA) is a pragmatic and forward-thinking organization. They know that adversaries are already harvesting classically encrypted data to decrypt later, and that preparing all Federal Government applications and systems to be PQC-ready will take a long time. Agencies can’t wait any longer to get started.
CISA’s recent announcement, “Product Categories for Technologies That Use Post-Quantum Cryptography Standards,” marks a long-awaited and important milestone for federal agency security. Until now, agencies have been encouraged to “prepare for PQC,” but procurement teams lacked clear, actionable guidance on what to buy today.
This initiative begins to close that gap. The core idea is simple but powerful: when PQC-capable products are already widely available in a given category, federal agencies should procure those products going forward. In doing so, CISA is signaling a transition from planning and experimentation to securing systems in production. This guidance provides the structure federal agencies need to systematically assess, procure, and deploy quantum-resistant solutions before it's too late.
At present, CISA identifies four product categories with widely available PQC-capable solutions (see Table 2 in the announcement). What’s especially interesting is that none of the products in these categories are fully post-quantum secure. This is not due to a lack of standardized algorithms – several of NIST’s PQC algorithms are finalized – but rather because cryptographic protocols that depend on those algorithms are still evolving. For example, TLS offers quantum-safe key establishment; other protocol elements, like certificates, are still transitioning to properly support post-quantum cryptography.
Despite this, CISA’s position is clear and pragmatic. Products in these four categories already implement quantum-safe key exchange, most commonly through support for hybrid TLS groups such as X25519+ML-KEM-768 or pure ML-KEM-1024. That capability alone is considered sufficient progress to warrant favoring these products in procurement decisions, even if full PQC coverage is not yet achievable.
CISA understands that the industry is moving quickly to prepare PQC solutions. To keep agencies informed and to help them go beyond the list in Table 2, they have included Table 3, which lists product categories where manufacturer implementation and testing of PQC capabilities are encouraged. This list includes critical product categories, such as Networking Software and Hardware, Storage Area Networks, Identity and Access Management, Containers, and more. As these product categories mature their PQC capabilities, CISA will move them to “widely available” status and add them to Table 2.
SafeLogic welcomes this announcement and the clarity it brings to both federal agencies and product suppliers. SafeLogic partners with vendors and organizations by providing PQC-capable cryptographic libraries and practical guidance on integrating post-quantum algorithms into existing protocols and products. As agencies and vendors move from planning to implementation, moving fast and having the right cryptographic foundation - and the expertise to deploy it correctly - are essential.
If you’re navigating this transition or evaluating how your products align with CISA’s guidance, we are here to help.