CISA publishes initial list of hardware and software categories supporting post-quantum cryptography to guide adoption

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an initial list of hardware and software categories that currently support, or are expected to support, post-quantum cryptography (PQC) standards. The list helps organizations plan PQC migration strategies and evaluate future technology investments in an evolving cybersecurity landscape. It includes examples of widely available products within these categories that use PQC standards to protect sensitive information.

The CISA resource focuses on product categories commonly acquired by the federal government that utilize cryptographic algorithms. As PQC-capable products become widely available, it advises organizations to prioritize acquiring PQC-capable solutions when planning purchases and procurement within these categories.

The CISA list responds to the June 2025 Executive Order 14306 on ‘Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.’ The order directed the Department of Homeland Security, through CISA, to publish categories of widely available products that support PQC. In alignment with the order, CISA developed the list in close collaboration with the National Security Agency (NSA), including example product types. The list will be regularly updated to reflect the evolving PQC technology landscape and support national cybersecurity resilience.

Titled ‘Product Categories for Technologies That Use Post-Quantum Cryptography Standards,’ the CISA list assists organizations in shaping their PQC migration strategies and evaluating future technological investments in an evolving cybersecurity landscape. The product categories outlined in CISA’s list focus on technologies that are either widely available or transitioning to use PQC standards. These technologies include cloud services, web software, networking hardware and software, as well as endpoint security. Each category encompasses products that apply PQC standards for foundational cryptographic functions – key establishment and digital signatures. 

Key establishment enables secure, encrypted communication between parties, while digital signatures assure the authenticity of participants and the integrity of data, products, and services. Together, these functions form the backbone of secure digital infrastructure, and the list serves as a resource for organizations preparing to navigate the quantum future.

“The advent of quantum computing poses a real and urgent threat to the confidentiality, integrity, and accessibility of sensitive data — especially systems that rely on public-key cryptography,” Madhu Gottumukkala, acting director of CISA, said in a Friday statement. “To stay ahead of these emerging risks, organizations must prioritize the procurement of PQC-capable technologies. This product categories list will support organizations making that critical transition.” 

He added that “CISA is proud to deliver this resource in support of President Trump’s Executive Order, helping organizations confront complex technical challenges and strengthen secure technology practices for the quantum era.”

In response to the global need for quantum-resistant security, product manufacturers are developing new solutions and updating existing products to incorporate PQC standards. Since 2016, NIST has been leading the effort to solicit, evaluate, and standardize quantum-resistant public-key cryptographic algorithms. The ongoing PQC standardization process has produced initial standards and is expected to standardize additional algorithms in the coming years.

NIST’s Internal Report 8547, Transition to Post-Quantum Cryptography Standards, outlines the agency’s approach for moving from quantum-vulnerable cryptographic algorithms to post-quantum digital signature algorithms and key-establishment schemes. 

The report identifies current quantum-vulnerable standards and the emerging quantum-resistant standards that organizations can adopt during the transition. It provides guidance and informs timelines for federal agencies, industry, and standards organizations in updating products, services, and infrastructure to PQC. NIST will continue to revise the report and provide additional algorithm- and application-specific guidance as needed to support a smooth transition.

NIST has established three PQC standards along with a recommendation for stateful hash-based signature algorithms that support quantum-resistant security. For key establishment, the Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM) is standardized under Federal Information Processing Standards (FIPS) 203. For digital signatures, NIST has standardized the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) under FIPS 204 and the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) under FIPS 205. 

Additionally, NIST recommends stateful hash-based digital signature algorithms, including the Leighton-Micali Signature Scheme (LMS), Hierarchical Merkle Signature Scheme (HMS), eXtended Merkle Signature Scheme (XMSS), and eXtended Merkle Signature Scheme with Multi-Tree (XMSS^MT), for organizations seeking additional quantum-resistant protection.

The CISA list also covers several widely available hardware and software product categories that now support PQC standards. In cloud services, this includes platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) offerings. Collaboration software that incorporates PQC standards covers chat and messaging applications. Web software examples include web browsers and web servers, while endpoint security products include solutions for data-at-rest protection and full-disk encryption.

The resource lists hardware and software products that use PQC standards to protect sensitive information, even after the advent of a cryptographically relevant quantum computer (CRQC). Organizations developing PQC migration plans can use these categories to assess future technology needs. Once a category is identified as having widely available PQC-capable products, organizations should prioritize acquiring only PQC-capable solutions in that category.

The CISA resource also lists categories in which PQC-capable products are not currently widely available; for these product categories, manufacturer implementation and testing of PQC capabilities are encouraged. The products listed must implement PQC for core features and secondary functionality, such as software updates.

The document lists networking hardware, which includes proxy servers, routers, firewalls, switches, and appliances, while networking software encompasses software-defined networks (SDN), domain name services (DNS), and network operating systems. Cloud services adopting PQC include software-as-a-service (SaaS) offerings. Telecommunications hardware examples are desk phones, fax machines, voice over IP (VoIP) devices, and radios.

For computers, both physical and virtual systems, such as operating systems, hypervisors, and containers, are moving toward PQC standards. Computer peripherals include wireless keyboards and headsets, while storage area networks involve appliances, operating systems, and applications. 

Furthermore, Identity, Credential, and Access Management (ICAM) software covers identity management systems, identity providers and federation services, certificate authorities, access brokers, access management software, and public key infrastructure (PKI) management software. ICAM hardware includes hardware security modules (HSM), authentication tokens, badges and cards, and badge/card readers.

Collaboration software adopting PQC includes email clients and servers, conferencing tools, and file-sharing applications. Data systems such as databases and SQL servers are included, while endpoint security products involve password managers, antivirus and anti-malware software, and asset management tools. Enterprise security solutions adopting PQC include continuous diagnostics and mitigation (CDM) tools, intrusion detection and monitoring systems, inspection systems, and security information and event monitoring (SIEM) platforms.

Organizations preparing for the post‑quantum era are facing a rapidly evolving security landscape in which current encryption could be broken by future quantum computers, forcing a long and complex shift to quantum‑safe cryptography. 

Moody’s research warned in August 2024 that moving to PQC will be a prolonged and costly undertaking, potentially taking a decade or more to implement new standards across diverse systems because of operational challenges, legacy devices, and integration barriers, while experts also emphasize the risk of “harvest now, decrypt later” attacks if sensitive data is intercepted today and decrypted once quantum capabilities mature. 

At the same time, industry groups such as the Post‑Quantum Cryptography Coalition have responded with practical guidance, releasing a detailed Migration Roadmap that breaks down the transition into phases, from preparation and baseline assessment to planning, execution, and continuous monitoring, providing organizations with tools and a framework to inventory cryptographic assets, align stakeholders, plan PQC adoption, and track progress toward resilient quantum‑safe systems. 

By admin
