The Post-Quantum Cryptography Coalition (PQCC) released its Post-Quantum Cryptography (PQC) Migration Roadmap to assist organizations in navigating the complexities of transitioning to quantum-safe cryptography. The comprehensive and tailorable guide provides a strategic framework across four critical categories (preparation, baseline understanding, planning and execution, and monitoring and evaluation), equipping organizations with actionable tools and methodologies to safeguard their data against emerging quantum threats.

With detailed activities, desired outcomes, and references to industry standards, the 20-page Migration Roadmap empowers organizations to align stakeholders, prioritize assets, implement solutions, and continuously monitor progress, ensuring a secure transition to quantum-safe cryptography. As the quantum computing landscape evolves, this roadmap serves as an essential resource for maintaining robust security postures and adapting to technological advancements.

Launched in September 2023, the PQC Coalition was formed to accelerate public understanding and adoption of PQC and NIST’s standardized PQC algorithms. The coalition brings together a community of technologists, researchers, and industry experts. Founding members include IBM Quantum, Microsoft, MITRE, PQShield, SandboxAQ, and the University of Waterloo.

Building on the NIST PQC standards and the National Cybersecurity Center of Excellence (NCCoE) PQC migration project, the coalition’s Migration Roadmap allows organizations to tailor a PQC Roadmap for their own needs based on the shared experiences of the PQCC members.

“As quantum computing technology continues to advance, organizations cannot afford to delay preparing for these transformative changes and threats to their security,” Wen Masters, vice president of cyber technologies, MITRE, said in a Wednesday media statement. “This roadmap empowers CIOs (chief information officers) and CISOs (chief information security officers) to act decisively, taking proactive steps to protect sensitive data now and in the future.” 

“I’m overjoyed to see the coalition come together to create this roadmap that anyone can use to accelerate their own PQC migration,” said Matt Mickelson, lead coordinator of the PQC Coalition and senior cyber principal for science and technology, MITRE.

In the preparation phase of PQC migration, the organization lays the groundwork by defining its migration objectives, appointing a migration lead, identifying key stakeholders, and aligning them through clear, strategic communication. 

To achieve these outcomes, the organization must first assess its cryptographic vulnerabilities and prioritize them based on urgency. This informs a realistic timeline for initiating migration efforts. A designated migration lead takes ownership of the process, ensuring progress and accountability. The organization also takes stock of its current cryptographic inventory and evaluates internal awareness of PQC readiness. Key stakeholders are identified and brought into alignment with the migration strategy using targeted messaging. Early engagement with vendors offering PQC-ready solutions begins at this stage, helping the organization anticipate integration challenges and technical requirements.

For the second category, the migration lead gathers a baseline understanding of the organization's data inventory, the prioritized assets to be updated, and the required resources and available budget for discovery initiatives.

The outcomes for this category are that the organization determines whether additional inventory or prioritization is needed; identifies and documents cryptographic assets critical to achieving its PQC resilience goals; and prioritizes those assets based on sensitivity and expected lifespan.

The next category in the PQC Migration Roadmap addresses high-level activities that organizations should evaluate early in the migration process, including determining which post-quantum solutions can be sourced from vendors or developed in-house. Both near- and long-term cryptographic risks are mitigated through out-of-band mechanisms and the implementation of PQC solutions. Given the current lack of detailed data on organizational migration practices, this section remains intentionally flexible rather than prescriptive.

Outcomes for this category include the development of a migration plan outlining which systems must be acquired or built; implementation, acquisition, or development of PQC solutions across the infrastructure; and the deployment of short-term measures to reduce exposure of sensitive data during the transition.

The final category of the PQC Migration Roadmap focuses on tracking progress and establishing a framework for ongoing reassessment of cryptographic security as quantum capabilities evolve. The migration lead ensures that all documentation is maintained and that processes are in place for continuous evaluation, supporting future technology transitions and long-term resilience.

This phase results in the validated implementation of PQC solutions and compliance with relevant standards. The workforce is prepared to deploy and support PQC technologies. Migration progress is actively tracked against defined goals, and processes are established to continuously monitor cryptographic security in response to evolving technological developments.

In conclusion, the PQC Migration Roadmap recognizes that for many organizations, migrating to PQC is crucial to safeguard their data against future quantum threats. The process outlined in this roadmap underscores the importance of strategic planning, stakeholder alignment, and continuous monitoring and documentation to adapt to technological advancements and maintain robust security postures. As the quantum computing landscape continues to evolve, organizations must remain adaptable, tracking updates in guidance to maintain a secure PQC transition.

Last September, MITRE’s PQC Coalition had grown to over 125 experts from industry and academia. The group recently released a detailed comparison of global PQC standards and is supporting the cyber community’s readiness for the post-quantum era. Working alongside NIST and the NCCoE, the Coalition provides assessments and guidance to aid in the transition.
