TL;DR
National Institute of Standards and Technology (NIST) has standardised three Post-Quantum building blocks: ML-KEM (key establishment), ML-DSA (signatures), and SLH-DSA (hash-based signatures). Next, the Post-Quantum impact in TLS, code/firmware signing and PKI/certificates. Consequently, the safest near-term path is hybrid (classical + PQC). Therefore, begin with CBOM, press vendor roadmaps, pilot migration at the edge, and fund PKI automation.
NIST PQC Standards
Post-Quantum Cryptography (PQC) is no longer theoretical. NIST has now standardised the first wave of quantum-resistant algorithms, and as a result, regulators, boards, and vendors all have something concrete to work toward.
In practical terms, this means three things for the leadership teams to plan and execute:
You will be expected to plan, not just observe.
Your systems will need to support “hybrid” crypto.
Your crypto inventory (CBOM) becomes a governance asset, not an engineering spreadsheet.
Let’s walk through what that means, step by step.
The standards at a glance
To begin with, NIST has finalised three core algorithm families for the post-quantum world: ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205).
ML-KEM (FIPS 203)
Key Establishment
This is used to agree on shared secrets between two parties (for example, in TLS handshakes).
In classical crypto, RSA and ECDH do this job. Going forward, ML-KEM is the quantum-resistant replacement.
In reality, most organisations will start with hybrid KEM, where classical and PQC run together.
ML-DSA (FIPS 204)
Digital Signatures
This covers signing and verifying (for example, software packages, documents, certificates).
It is positioned as the successor to RSA/ECDSA for most signing workflows.
SLH-DSA (FIPS 205)
Hash-Based Digital Signatures.
This is another signature family, which uses well-understood hash-based security..
Although the keys and signatures can be larger, the trust model is extremely mature.
You will likely see this in use cases where long-term trust is critical, such as firmware validation.
What it means for Leadership?
From a leadership perspective, NIST’s work removes ambiguity. Until now, most organisations could say “we’re waiting for standards.” That is no longer credible.
Here’s why this now sits at CEO and CISO level:
- First, it is a business risk. If an attacker can decrypt historical customer data, for example, mortgage books or high-value transactions, that becomes a regulatory, contractual, and reputational event, not just a technical one.
- Second, it is an operating model change. You cannot “bolt on PQC” in one weekend. Instead, you are looking at a phased crypto-modernisation program that touches networks, systems, signing code pipelines, PKI and vendors.
- Third, it is an evidence problem. Boards, auditors, and regulators will start asking, “Show us your plan. Where are you still exposed, and what’s the migration path?” That proof point is your CBOM.
A Pragmatic and Phased approach
To move from “Awareness” to “Governance,” you can structure your next steps in three phases.
Phase 1 (0 – 3 months): Visibility and Ownership
Build your Crypto Bill of Materials (CBOM) for your top 20 high-value services.
For each one, record: algorithms, key sizes/parameters, crypto libraries, protocols, certificate and trust store details, and signing flows.
At the same time, identify systems tied to long-lived data.
Finally, send a standard PQC readiness questionnaire to strategic vendors.
Phase 2 (3 – 6 months): Controlled Pilots
Stand up a hybrid TLS pilot at a controlled edge (for example, an API gateway or external facing Web Application).
In parallel, begin testing post-quantum signature schemes (ML-DSA / SLH-DSA) for software signing and firmware signing in a non-production environment.
Measure latency, CPU, handshake size, and integration impact.
Summarise those findings into a board-facing heatmap (Impact vs Effort).
Phase 3 (6 – 12 months): Operationalisation
Expand hybrid support to additional gateways or partner links where feasible.
Update PKI and certificate issuance/rotation policies to include PQC-capable profiles and automated renewal.
Embed crypto-agility requirements into internal standards and third-party contracts.
Report status to the executive team as a tracked program, not an experiment.
For the Organisation, this will be the beginning of controlled modernisation of Trust, Identity and Encryption lifecycles.
Building the Governance Layer
Finally, you will need to update the organisation’s policy and processes. As you move, make sure your governance covers:
Crypto Standards: Add ML-KEM, ML-DSA, and SLH-DSA as approved building blocks, with guidance on when to use hybrid.
PKI and Certificate Policy: Update certificate profiles, validity periods, trust anchors, HSM (Hardware Security Modules), KMS (Key Management Services) usage.
Secure build and release: Update code-signing requirements in CI/CD and firmware pipelines; ensure signatures remain verifiable long-term.
Third-Party Risk: Bake PQC milestones (and reporting dates) into supplier contracts.
Reporting: Define KPIs that leadership will actually track.
Leader takeaway
NIST’s PQC standards define where you’re heading; Your PQC program defines how you’ll get there.
Start with visibility (CBOM), move to hybrid pilots where it matters the most, and anchor vendors to dated commitments. If your data must remain confidential for years, your PQC journey begins now.
Our Post-Quantum Readiness Series
This article is Part 3 of our Post-Quantum Cyber Readiness Series, where we are covering complex concepts.
In this series, we covered:
- Part 1: Introduction to Post-Quantum Cryptography
Part 2: Understanding Quantum Threats and “Harvest Now, Decrypt Later” Attacks
Part 3: NIST PQC Standards – What Organisations Need to Know
Each article will equip CEO’s, CISOs, IT leaders, and Architects with the knowledge and tools to navigate the quantum transition confidently.
