Earlier this year, the National Institute of Standards and Technology (NIST) published their first set of post-quantum encryption standards: FIPS 203, 204 and 205. This wasn’t just a routine announcement; it was an initial wake-up call to the cybersecurity world.
Because the quantum threat is no longer just theory. It’s real and necessitates action. Today.
Why? This urgency was underscored by October 2024 research from Shanghai University, where a team cracked a 22-bit encryption key using a quantum computer. While smaller than real-world 2048- or 4096-bit RSA or ECC keys, the achievement was still pivotal—and a clear indication that quantum computers will be able to break the prime numbers underpinning public-key encryption.
Given these updates, it’s no surprise that NIST has announced a new timeline, with a preparation window that’s getting shorter by the day.
NIST IR 8547: The Transition to Post-Quantum Encryption
Last week, NIST released a new report that “acknowledges this [PQC] transition will demand substantial effort across diverse applications and infrastructures with specific requirements and constraints.” And it serves as a first step in a broader strategy to manage and guide said transition through careful, phased deprecation, controlled legacy use and eventual removal of quantum-vulnerable algorithms that are currently widespread in technological infrastructures.
Why release the document now? Historically, encryption shifts of this scale have taken 10 to 20 years, but with quantum computing advancing rapidly, it’s imperative teams start migrating today, not tomorrow. This report from NIST underscores that directive.
Here's a closer look at the new timeline of developments from NIST:
- From now through 2030: Teams will begin to phase out existing encryption methods and must begin evaluating and testing new, quantum-resistant encryption.
- By 2030: Algorithms relying on 112-bit security will be deprecated. This shift will require you to adopt interim solutions that bridge the gap between current methods and quantum-resistant technologies.
- By 2035: Teams will need to have completed the full transition, as vulnerable, outdated encryption methods will be deprecated. This deadline highlights the urgency of developing and implementing robust post-quantum cryptographic strategies now.
As you can see, the clock is ticking, and the quantum era is already upon us.
Prepare for the Future of Cybersecurity: InfoSec's Guide to Post-Quantum Readiness
The current state of the post-quantum transition
Up until now, the industry’s response to quantum preparedness has been a bit of a mixed bag. In recent research, we uncovered that 67% of security leaders dread discussing quantum transition strategies with their boards. Yet they recognize the important role machine identity security plays in this transition, as it is one of the top 10 concerns for CISOs.
However, nearly 80% of the same survey respondents say they only plan to act against the quantum threat once a viable computer arrives on the scene. But waiting too long could be costly, resulting in vulnerabilities and adversarial exploits. Not to mention the fact that “store now, decrypt later” attacks are already happening, with threat actors stealing encrypted data in the hopes of decrypting it later.
NIST’s timeline can, and should, aid PQC prioritization efforts
Previously, teams didn’t have a clear timeline, and they weren’t sure how to prioritize their migration process. With the new document from NIST, they can move past “wait and see,” kick-starting their efforts to adopt new standards that can help thwart breaches and leakages. This also means they’re less likely to be left scrambling in the future.
PQC readiness: What you should consider today
- Map out your cryptographic assets to get a clear view of your current security landscape. Conduct a thorough inventory of all encryption systems and assess their vulnerabilities against quantum threats.
- Stay updated on NIST's latest work. The formalized standards and timeline aren’t their only developments—they also recently announced 14 new digital signature candidates worth watching.
- Explore hybrid approaches that combine existing encryption methods with quantum-safe techniques to protect your data—especially against “store now, decrypt later” attacks. These strategies offer layered security, providing immediate protection while transitioning to full quantum resistance.
- Begin planning your comprehensive transition strategy now, and remember that this is a marathon, not a sprint. Effective planning requires cross-departmental collaboration and consideration of people and processes in addition to your technology stack. You can also rely on a trusted machine identity security partner during this step.
The groundwork is here. But now it’s time to get to work.
By actively introducing new standards and transition frameworks, NIST is helping to mobilize the broader security community. And it’s critical you start today, because 2035 is not your starting point.
It’s your deadline.
That means the time to act—the time to take control of your company’s quantum future—is now, and it all starts with your machine identities. Knowing where they are, having control over their lifecycles and the cryptographic mechanisms within them, these are crucial steps to post-quantum readiness.
The Venafi Control Plane for Machine Identities provides that extensive visibility, automation and agility, and it enables the use of hybrid certificates and quantum PKI.
The best part? You can start today. Learn more at the link below.