Summary
CISA has published the post-quantum cryptography (PQC) product-category guidance required by Executive Order 14306. It reshapes federal procurement and, through federal buying power, pressures the broader technology supply chain to move on PQC. The guidance sorts product categories into two buckets, Widely Available PQC products and Transitioning products, and is prescriptive rather than descriptive: it tells agencies what to buy, not merely what exists.
For Widely Available categories like Cloud Services (PaaS/IaaS), web browsers, and endpoint security, agencies are effectively told to stop procuring non-compliant legacy offerings now. Transitioning covers areas where supply chains are not mature enough for a firm cutoff, notably traditional networking hardware and complex ICAM systems, signaling direction without immediate hard mandates.
CISA grounds compliance in the NIST-standardized algorithms: FIPS 203 (ML-KEM) for key encapsulation, and FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for digital signatures. The practical effect is that "quantum readiness" stops being a marketing claim and becomes an auditable requirement tied to specific FIPS standards, which procurement staff can check against a vendor's documentation and, where applicable, CMVP validation status. For vendors and CISOs, this sets clear procurement expectations and accelerates PQC roadmaps, while the Transitioning bucket clarifies timelines for sectors that need more runway.
See the original article at: https://postquantum.com/security-pqc/cisa-pqc-procurement/
