The NIST National Cybersecurity Center of Excellence (NCCoE) has published an initial public draft of NIST Cybersecurity White Paper (CSWP) 48, Mappings of Migration to PQC Project Capabilities to Risk Framework Documents.
Cryptographic algorithms are vital for safeguarding confidential electronic information from unauthorized access. For decades, these algorithms have proved strong enough to defend against attacks using conventional computers that attempt to defeat cryptography. However, future quantum computing may be able to break these algorithms, rendering data and information vulnerable. Countering this future quantum capability requires new cryptographic methods that can protect data from both current conventional computers and the quantum computers of tomorrow. These methods are referred to as post-quantum cryptography (PQC). The NCCoE Migration to PQC project is a collaboration with industry and government to demonstrate capabilities that support an organisation’s migration to PQC.
The Need for Action
Organisations should start planning now to migrate to PQC, also known as quantum-resistant cryptography, to protect their high-value, long-lived sensitive data.
Historically, it has taken a long time from the moment that a new algorithm is standardized until it is fully integrated into information systems.
No one knows how long it will take to build a cryptographically relevant quantum computer. Predictions vary widely, but some people think it may be possible in less than 10 years.
Even if computer security experts implement post-quantum encryption algorithms before sufficiently powerful quantum computers are built, a lot of encrypted data remains under threat because of a type of attack called “harvest now, decrypt later.” In this attack, an adversary who can’t currently crack the encryption that protects our secrets captures encrypted data and holds onto it, in the hope that a quantum computer will break the encryption down the road.
About CSWP 48: Aligning with Cybersecurity Frameworks and Security Controls
The paper is designed to connect those whose risk management practices reference the NIST cybersecurity framework and controls documents with the capabilities and actions involved in migrating to post-quantum cryptography. Specifically, this paper maps capabilities demonstrated in the NCCoE Migration to PQC project to several security objectives and controls found in two important NIST documents:
- NIST Cybersecurity Framework 2.0 (CSF 2.0). A widely adopted framework that helps organizations manage and reduce cybersecurity risk.
- Security and Privacy Controls for Information Systems and Organizations (SP 800-53). A comprehensive catalog of security controls that organizations can use to protect their information systems.
The mapping helps organisations align their PQC migration efforts with established security outcomes (and broader cybersecurity risk management practices) and identify the specific security controls and objectives needed to successfully implement PQC migration.
NIST invites comments by October 20, 2025. Comments can be submitted by visiting the NCCoE project page.