NIST PQC Standards Mandated for US Agencies

The National Institute of Standards and Technology (NIST) has finalized its post-quantum cryptography (PQC) standards, which are now under a "hard mandate" for implementation across the US government. The official algorithms include CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+. Social media discussions highlight the urgency and complexity of the migration, with one user noting it is the "largest digital‑infrastructure overhaul ever."

- The White House Office of Management and Budget (OMB) projects the transition will cost federal agencies approximately $7.1 billion to upgrade prioritized, non-national security information systems between 2025 and 2035. A significant portion of this cost is allocated to replacing government technology that cannot support the new cryptographic systems.
- This mandate is driven by policies including the Quantum Computing Cybersecurity Preparedness Act of 2022 and National Security Memorandum 10 (NSM-10), which sets a 2035 deadline for the full transition.
- The urgency stems from the "harvest now, decrypt later" threat, where adversaries are currently intercepting and storing encrypted U.S. government data, expecting to decrypt it once a cryptographically relevant quantum computer is available.
- The new standards serve distinct cryptographic functions: CRYSTALS-Kyber (FIPS 203 or ML-KEM) is designed for key encapsulation to establish secure communication channels.
- The other algorithms are for ensuring authenticity and integrity: CRYSTALS-Dilithium (FIPS 204 or ML-DSA) and FALCON are for digital signatures, while SPHINCS+ (FIPS 205 or SLH-DSA) is a stateless hash-based signature scheme providing an alternative based on different mathematical principles.
