CISA Unveils Post-Quantum Cryptography Product List
▼ Summary
– CISA has published an initial list of hardware and software product categories that are supporting or transitioning to post-quantum cryptography (PQC) standards.
– The list is a response to an executive order and aims to guide organizations in planning technology investments against the threat quantum computing poses to encryption.
– The list includes categories like cloud services, web software, and endpoint security that use PQC for functions such as key establishment and digital signatures.
– CISA advises organizations to prioritize procuring PQC-capable products from these categories for future purchases, though some areas like IoT devices are not yet covered.
– The agency, collaborating with the NSA, will update the list regularly to help federal and private entities prepare for quantum computing risks.
The Cybersecurity and Infrastructure Security Agency (CISA) has taken a significant step toward future-proofing national digital infrastructure by releasing its first official list of product categories that support post-quantum cryptography (PQC). This initiative provides a crucial roadmap for both government and private sector organizations to begin planning their technology investments and adoption strategies in anticipation of quantum computing’s potential to break current encryption standards. The move directly supports a recent executive order aimed at identifying commercially available products that incorporate these new, quantum-resistant algorithms.
CISA developed this resource in close partnership with the National Security Agency (NSA), with plans to update the list periodically as technology evolves. Agency officials stress the urgency of the situation, noting that the powerful computational abilities of future quantum machines represent a clear and present danger to data protected by today’s public-key cryptography. Acting CISA Director Madhu Gottumukkala emphasized that proactive procurement of PQC-ready technologies is essential for staying ahead of these emerging threats, and that this new list is designed to facilitate that critical transition for all organizations.
The published catalog highlights specific technology areas that are either already implementing PQC standards or are actively moving in that direction. Major categories include cloud services, web and collaboration software, endpoint security solutions, and networking hardware and software. For each, the focus is on integrating post-quantum cryptography into core functions like key establishment for secure communication channels and digital signatures for verifying authenticity and ensuring data integrity.
Among the products identified as currently and widely available are various platform- and infrastructure-as-a-service cloud offerings, modern web browsers, secure messaging applications, and endpoint tools such as full-disk encryption software. Other areas, including networking hardware, identity and access management (IAM) platforms, and broader enterprise security software, are categorized as still being in transition toward full PQC capability.
CISA’s guidance is straightforward: when planning new procurements in these listed categories, organizations should prioritize acquiring products that are PQC-capable. The agency also clarified the current boundaries of its list, noting that automated tools for discovering cryptographic assets, along with nontraditional systems like operational technology (OT) and Internet of Things (IoT) devices, fall outside this initial scope. By establishing this clear framework, CISA aims to bolster preparedness across federal agencies and critical industries, helping them safeguard sensitive information against the cryptographic challenges posed by the next generation of computing.
(Source: InfoSecurity Magazine)
