TL;DR: The Department of War’s November memorandum makes cryptography inventory, named migration leads, test artifacts, and approval gates mandatory, while also rejecting quantum key distribution as a confidentiality substitute and setting phase-out expectations for weaker key-establishment approaches, according to DigiCert. The real message is that crypto-agility, not optimism, now determines whether identity and certificate programmes can survive post-quantum transition.
NHIMG editorial — based on content published by DigiCert: No Time to Wait: PQC Pressure from the Dept. of War
Questions worth separating out
Q: How should security teams prepare for PQC migration in identity-heavy environments?
A: Start by inventorying every cryptographic dependency, then assign ownership to the teams that operate those systems.
Q: Why does PQC pressure matter for machine identity programmes?
A: Machine identity systems often assume stable algorithms, long renewal cycles, and predictable trust chains.
Q: What do organisations get wrong about crypto-agility?
A: They often treat crypto-agility as a future state or a product feature rather than an operational capability.
Practitioner guidance
- Build a cryptographic dependency inventory: Map every certificate, key, trust anchor, and embedded identity to a system owner, renewal path, and business criticality.
- Assign named migration leads per cryptographic domain: Give responsibility to specific owners for PKI, workload identity, device identity, and application trust so accountability survives across teams and vendors.
- Validate algorithm agility in the certificate pipeline: Test issuance, renewal, revocation, and validation workflows against transition profiles before production cutover.
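One way to turn the inventory guidance above into a triage queue, as an added example that is not from DigiCert or the memorandum. The record fields, the sample entries, the algorithm classification and the ordering rule (criticality first, then longest-lived first) are all assumptions made for illustration.

```python
from datetime import date

# Classical public-key families breakable by Shor's algorithm (assumed
# classification for this example; the page names no specific algorithms).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519"}
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample inventory; every name and value here is illustrative.
INVENTORY = [
    {"id": "web-edge-tls", "kind": "certificate", "algorithm": "RSA-2048",
     "owner": "pki-team", "renewal_path": "acme", "criticality": "high",
     "not_after": date(2026, 3, 1)},
    {"id": "plc-firmware-key", "kind": "embedded identity", "algorithm": "ECDSA-P256",
     "owner": None, "renewal_path": None, "criticality": "high",
     "not_after": date(2040, 1, 1)},
    {"id": "svc-mesh-root", "kind": "trust anchor", "algorithm": "ML-DSA-65",
     "owner": "platform", "renewal_path": "manual", "criticality": "medium",
     "not_after": date(2035, 6, 1)},
    {"id": "batch-signer", "kind": "key", "algorithm": "ECDSA-P384",
     "owner": "data-eng", "renewal_path": "", "criticality": "low",
     "not_after": date(2027, 9, 30)},
]

def findings(entry):
    """Return the inventory gaps for one entry as a list of short strings."""
    gaps = []
    family = entry["algorithm"].split("-")[0].upper()
    if family in QUANTUM_VULNERABLE:
        gaps.append("quantum-vulnerable algorithm")
    if not entry.get("owner"):
        gaps.append("no owner")
    if not entry.get("renewal_path"):
        gaps.append("no renewal path")
    return gaps

def migration_queue(inventory):
    """Entries with gaps, ordered by criticality, then longest-lived first."""
    flagged = [(e, findings(e)) for e in inventory if findings(e)]
    flagged.sort(key=lambda p: (CRITICALITY_RANK[p[0]["criticality"]],
                                -p[0]["not_after"].toordinal()))
    return [(e["id"], gaps) for e, gaps in flagged]

if __name__ == "__main__":
    for entry_id, gaps in migration_queue(INVENTORY):
        print(f"{entry_id}: {', '.join(gaps)}")
```

Entries with no owner or renewal path surface alongside algorithm findings because an unowned identity cannot be handed to a named migration lead.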
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- How DigiCert says to inventory cryptographic dependencies across certificates, IoT identities, embedded keys, and service-to-service trust.
- What PQC-ready PKI and lifecycle management look like in practice, including issuance, renewal, revocation, and algorithm rotation.
- How the PQC Labs environment is used to test interoperability scenarios before production deployment.
- Which procurement and compliance artefacts the vendor says customers can produce for migration evidence.