Post-quantum migration: a practical roadmap for organizations
Regulators have set the clock: CNSA 2.0 and related mandates require migrating off RSA/ECC to post-quantum cryptography this decade. A practical, non-panic roadmap — inventory first, prioritize by dat
Post-quantum migration is often discussed as a distant, theoretical exercise, which is exactly why organizations fall behind on it. The timelines are not distant. NSA's CNSA 2.0 suite sets staged deadlines through this decade — with post-quantum signing required for software and firmware earliest and full migration of national-security systems targeted by 2030 — and civilian guidance from NIST and OMB points the same direction. The migration is large, touches nearly every system that uses cryptography, and cannot be done overnight, so the organizations that treat it as a multi-year program starting now are the ones that will not be scrambling later. The good news is that it decomposes into a sane, ordered sequence rather than a single leap.
The first step is not to deploy any new algorithm — it is to find out what you have. You cannot migrate cryptography you cannot see, and most organizations have far more of it, in more places, than they think: TLS everywhere, code-signing keys, document signatures, VPNs, embedded firmware, hardcoded certificates, third-party libraries, hardware security modules. The deliverable of this phase is a cryptographic bill of materials — a CBOM — that inventories every place a cryptographic algorithm is used, which algorithm, key sizes, and who owns it. Standards like CycloneDX now support CBOM natively for exactly this reason. Without this map, every later step is guesswork; with it, the rest of the migration becomes a prioritization problem instead of an open-ended hunt.
Prioritization is the second step, and the ordering principle is data lifetime, driven by the 'harvest now, decrypt later' threat. An adversary can capture encrypted traffic or signed artifacts today and break them once a quantum computer exists, so the urgency of any given system is a function of how long its data must stay secret or its signatures must stay trustworthy. Anything protecting decades-long secrets — health records, state secrets, long-lived identities — or producing long-lived signatures — firmware, legal documents, root certificates — goes to the front of the line. Ephemeral data that is worthless in five years can wait. This is why signatures often get migrated first in the official timelines: a signature made today on a firmware image or a public record has to remain unforgeable for the entire life of that artifact, which may outlast the arrival of quantum computers.
The third step is deployment, and the consensus approach is hybrid rather than a hard swap. In hybrid mode you run a post-quantum algorithm alongside the classical one — for example a Dilithium (ML-DSA, FIPS 204) signature next to an existing ECDSA one — so a verifier is protected if either scheme holds. This hedges against two risks at once: that the classical algorithm falls to a quantum computer, and that a young post-quantum implementation has an as-yet-undiscovered flaw. NIST's algorithms are standardized and studied, but crypto-agility — the ability to swap algorithms without re-architecting — is itself part of the goal, because the point is never to bet everything on one scheme again. Two honest caveats keep this grounded: 'quantum-resistant' means resistant to known classical and quantum attacks per NIST, not proven unbreakable, and migration is a program, not a product — buying one library does not make you post-quantum if your inventory is incomplete or your key management is weak. But the roadmap itself is not mysterious: inventory what you have, prioritize by how long it must stay secure, deploy hybrid, and keep the agility to move again. The organizations that start the inventory now are the ones for whom the 2030 deadlines will be a formality rather than a fire drill.
Try it yourself — live, free, verifiable in 30 seconds:
Start with a crypto inventory (CBOM) →