Quantum-safe cryptography standards: what should teams do now?

TL;DR: NIST’s draft quantum-safe standards for CRYSTALS-KYBER, CRYSTALS-DILITHIUM and SPHINCS+ start the transition from theory to implementation, with a 90-day comment period and protocol work already underway for TLS, S/MIME and SSH, according to DigiCert. Crypto inventories and upgrade planning now matter because long-lived data and signatures are already exposed to harvest now, decrypt later risk.

NHIMG editorial — based on content published by DigiCert: NIST Releases Quantum-safe Cryptography Standards: What Happens Now?

By the numbers:

• NIST has released draft standards for CRYSTALS-KYBER, CRYSTALS-DILITHIUM and SPHINCS+ for a 90-day comment period starting Aug. 24, 2023.

Questions worth separating out

Q: How should security teams prepare for post-quantum cryptography migration?

A: Security teams should start with a full cryptographic inventory, then rank assets by business criticality, data lifespan and trust dependency.

Q: Why does quantum-safe cryptography matter to IAM and NHI programmes?

A: Quantum-safe cryptography matters because identity trust depends on certificates, signatures and secure key exchange across human, machine and workload identities.

Q: What breaks when cryptographic agility is missing?

A: When cryptographic agility is missing, organisations struggle to replace algorithms in production without outages, inconsistent trust chains or delayed renewals.

Practitioner guidance

• Inventory every cryptographic asset Build a central view of certificates, keys, signing systems and protocol dependencies across production, development and archived data.
• Classify long-lived trust dependencies Identify where RSA and ECC support protects data or identities that must remain valid for years, including code signing, email signing, archived records and IoT devices.
• Automate PKI change control Use centralised management to reduce manual certificate handling, shorten rollover time and limit errors during algorithm replacement.

What's in the full article

DigiCert's full blog post covers the operational detail this post intentionally leaves for the source:

• Protocol-level discussion of how CRYSTALS-KYBER, CRYSTALS-DILITHIUM and SPHINCS+ map into TLS, S/MIME and SSH
• Guidance on prioritising assets by lifespan, sensitivity and update difficulty before quantum-safe rollout
• Practical PKI centralisation and automation considerations for certificate replacement at scale
• Background on the standards process and why the 90-day NIST comment period matters for implementation planning

👉 Read DigiCert's analysis of NIST quantum-safe cryptography standards →

Quantum-safe cryptography standards: what should teams do now?

Explore further

View Full Forum →  |  NHI Foundation Course →