Post-Quantum Cryptography: What Every Organization Needs to Know

Cybersecurity
Written By Hosch & Morris

August 29, 2025 

Privacy Plus+ 

Privacy, Technology and Perspective 

This week, as the federal government missed its August 13th deadline for post-quantum cryptography (PQC) guidance, let’s examine how organizations are left in compliance limbo while quantum threats accelerate—and what your business should do about it.

Background

The National Institute of Standards and Technology (NIST) released its first finalized PQC standards in August 2024, marking a critical inflection point in cybersecurity law and practice. With quantum computers potentially capable of breaking current encryption within the next decade, these standards provide the first government-approved roadmap for protecting data against quantum threats. Their release triggered mandatory federal compliance timelines and created significant legal and business implications for private sector organizations.

Notably, despite the statutory one-year deadline having passed on August 13, 2025, the Office of Management and Budget's mandatory guidance for federal agencies remains in draft form and has not yet been released. Yet, the quantum threat is real and approaching faster than many anticipated.

What Is Post-Quantum Cryptography and Why Does It Matter?         

NIST has a great explainer that is available by clicking on the following link:

https://www.nist.gov/cybersecurity/what-post-quantum-cryptography

Generally, however, PQC refers to encryption methods designed to withstand attacks from both classical and quantum computers. Unlike traditional computers that process information in binary bits, quantum computers leverage quantum mechanical properties like superposition and entanglement to solve complex mathematical problems exponentially faster.

This capability threatens to render current encryption methods—including widely-used RSA encryption—obsolete. A sufficiently capable quantum computer could potentially break the encryption protecting everything from email messages and financial transactions to classified government communications and critical infrastructure controls.

The threat isn't theoretical. As NIST explains, experts predict that quantum computers capable of breaking current encryption could appear within the next decade, and bad actors are already conducting "harvest now, decrypt later" attacks—collecting encrypted data today with the intention of decrypting it once quantum computers become available.

The Three Current NIST Standards

NIST's August 2024 release included three finalized PQC standards, each serving different cryptographic functions:

  • FIPS 203 (ML-KEM): The primary standard for general encryption, based on the former CRYSTALS-Kyber algorithm. It offers small encryption keys and high-speed operation, making it ideal for protecting information exchanged across public networks.

  • FIPS 204 (ML-DSA): A digital signature standard based on the former CRYSTALS-Dilithium algorithm. It provides identity authentication capabilities using lattice-based mathematics resistant to quantum attacks.

  • FIPS 205 (SLH-DSA): An alternative digital signature method based on the former SPHINCS+ algorithm. It uses hash functions rather than lattice mathematics, providing crucial backup security in case vulnerabilities are discovered in ML-DSA.

Two additional standards are in development: FIPS 206 (based on the FALCON algorithm) remains in draft form, while HQC was selected in March 2025 as a backup encryption method, with final standardization expected by 2027.

What Does This Mean for Private Organizations?

Congress enacted the Quantum Computing Cybersecurity Preparedness Act in 2022, establishing mandatory timelines for federal agencies triggered by NIST's standards release. While the Act doesn't directly regulate private entities, the private sector faces several related emerging risks:

  • - Increased Liability Exposure: Companies holding encrypted data that may still be valuable when quantum computers become available need to assess how quickly to deploy post-quantum encryption. Potential liability and reputational damage will almost certainly be greater now that NIST standards are available.

  • - Government Contract Requirements: Organizations should expect PQC requirements in future government solicitations and industry standards.

  • - "Harvest Now, Decrypt Later" Vulnerabilities: Existing compromised data remains at risk from bad actors collecting encrypted information today for future decryption.

  • - Insurance and Compliance Evolution: Expect cyber insurance policies and regulatory frameworks to begin incorporating quantum-resistance requirements.

 Our Thoughts

The delay in OMB's issuance of mandatory guidance is concerning and highlights a significant gap in federal cybersecurity leadership. With the statutory deadline now over two weeks past due, federal agencies find themselves in a compliance limbo—legally obligated to migrate to post-quantum cryptography but lacking the specific implementation roadmap Congress mandated.

The delay in OMB's formal guidance shouldn't be interpreted as license to postpone preparation—if anything, it underscores the urgency for organizations to begin their own planning without waiting for federal direction. NIST explicitly encourages immediate implementation, stating "There is no need to wait for future standards. Go ahead and start using these three."

Hence, organizations that delay their post-quantum cryptography planning also do so at their own peril. The transition involves complex technical challenges, including:

  • - Cryptographic Discovery: Identifying all systems using quantum-vulnerable encryption

  • - Algorithm Diversity: Implementing multiple algorithms where feasible to mitigate single-point-of-failure risks

  • - Performance Testing: Ensuring new algorithms integrate properly with existing systems

  • - Vendor Coordination: Working with technology suppliers on PQC roadmaps

There are also concerning intellectual property questions that have emerged around some algorithms, particularly lattice-based schemes. While NIST holds signed statements from submitting groups clearing legal claims, third-party patent concerns remain a potential complication.

Forward-thinking organizations should take four immediate steps: conduct a comprehensive cryptographic inventory, assess "harvest now, decrypt later" exposure, develop phased implementation plans prioritizing highest-risk systems, and begin integrating PQC considerations into vendor assessments and M&A due diligence processes. The quantum future is approaching, and preparation cannot wait.

For more information on NIST's post-quantum cryptography standards, visit: https://www.nist.gov/pqcrypto

The full text of the Quantum Computing Cybersecurity Preparedness Act is available at: https://www.congress.gov/bill/117th-congress/house-bill/7535

-- 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

Hosch & Morris https://hoschmorris.com
Next

AI Therapy: Promise, Perils, and the Push for Protective Legislation