The Cybersecurity and Infrastructure Security Agency (CISA) on Friday released its long-awaited list of technology product categories that are expected to support post-quantum cryptography (PQC) standards.
Former President Joe Biden directed CISA in January 2025 to develop a PQC product category list and regularly update it as more products become PQC-enabled. The list was initially due by last July, however President Donald Trump amended the executive order and changed the deadline to December 2025.
Product categories deemed PQC-safe include cloud services, web software, networking hardware and software, and endpoint security, CISA said in a Jan. 23 press release.
“The advent of quantum computing poses a real and urgent threat to the confidentiality, integrity, and accessibility of sensitive data – especially systems that rely on public-key cryptography,” said Madhu Gottumukkala, acting director of CISA, in a statement. “To stay ahead of these emerging risks, organizations must prioritize the procurement of PQC-capable technologies. This product categories list will support organizations making that critical transition.”
PQC protects data by securing digital communications and verifying identities in ways that aim to remain safe even after powerful quantum computers become operational.
CISA said that PQC-enabled products are now widely available in several major technology categories, and organizations – especially federal agencies – should buy only those products when making new purchases.
CISA noted that these PQC efforts align with standards developed by the National Institute of Standards and Technology, which has already finalized several quantum-resistant encryption algorithms.
Those algorithms, called the Federal Information Processing Standards (FIPS), are designed to resist future attacks by quantum computers. To qualify as a PQC-enabled product, vendors must implement the FIPS 203, FIPS 204, and FIPS 205.
“Each category encompasses products that apply PQC standards for foundational cryptographic functions – key establishment and digital signatures,” CISA said.
Key establishment allows secure encrypted communication between parties, while digital signatures verify identity and ensure that data, products, and services are authentic and unaltered.
“Together, these functions form the backbone of secure digital infrastructure, and the list serves as a resource for organizations preparing to navigate the quantum future,” CISA said.
Specific product examples provided by CISA include cloud platforms such as platform-as-a-service and infrastructure-as-a-service, along with chat and messaging tools, web browsers and servers, and endpoint protections such as data-at-rest security and full-disk encryption.
Other common technologies – such as networking equipment, email systems, operating systems, identity management tools, and security software – are still transitioning and should fully adopt post-quantum standards, CISA said.
With its initial product category list now published, CISA will develop a list with specific products on it that are PQC-enabled, according to previous statements from CISA officials.
The White House has said that by 2035, all federal agencies should have completed their migration to PQC.
“If your product is not PQC-enabled, you probably won’t be able to do business with the government as we move forward,” Garfield “Gary” Jones, the former associate chief of strategic technology at CISA, warned in August. “By 2035, we have to start making these PQC-enabled products available and implemented into agencies.”