
Navigating the NIST Post-Quantum Cryptography (PQC) Roadmap

NIST has set firm deadlines for phasing out RSA and ECC, with post-quantum cryptography becoming essential by 2030. Learn what the roadmap means, the risks of delay, and how Unsung helps organisations transition to a quantum-secure future.


What the NIST Post-Quantum Cryptography roadmap means

The world of cybersecurity is evolving rapidly, and with it comes the need for organisations to adapt to new standards and technology. The National Institute of Standards and Technology (NIST) has released a clear roadmap for the transition to post-quantum cryptography (PQC). This roadmap sets firm deadlines for the deprecation and disallowance of legacy algorithms like RSA and Elliptic Curve Cryptography (ECC).

Here's what you need to know, what these deadlines mean for your organisation, and how Unsung can help you prepare for a quantum-safe future.

NIST deadlines: key dates you can't ignore

  • 2030: RSA and ECC cryptographic algorithms will be deprecated. Systems using these algorithms will no longer comply with NIST-approved security standards.
  • 2035: RSA and ECC algorithms will be disallowed. Organisations still reliant on these will face serious risks, including compliance violations and interoperability issues.

These dates mark the end of an era for legacy cryptography and set the stage for post-quantum cryptographic standards that protect against the quantum threat.

Why post-quantum cryptography matters

The quantum computing revolution and its impact on PKI and cybersecurity

Quantum computing is no longer the stuff of science fiction. With advancements accelerating, quantum computers are poised to efficiently solve problems that are beyond the reach of classical computers. Whilst this innovation holds immense potential for fields like medicine, logistics, and artificial intelligence, it also poses a serious challenge to current cryptographic systems.

Public Key Infrastructure (PKI), the backbone of secure communications, relies on cryptographic algorithms like RSA and Elliptic Curve Cryptography. These algorithms are based on the computational difficulty of certain mathematical problems, such as factoring large numbers into their prime factors or solving discrete logarithms. Quantum computers, with their ability to perform massive parallel computations, could break these algorithms in a matter of hours (or even minutes), rendering today's encryption obsolete.

The implications for cybersecurity are profound

Data exposure
Encrypted communications, sensitive data, and digital identities could become vulnerable to decryption by adversaries with quantum capabilities. Protecting data requires a transition to quantum-resistant cryptography before quantum technology matures.

Compliance risks
Organisations reliant on legacy systems and legacy cryptographic algorithms will struggle to meet evolving regulatory and cryptographic security standards. Critical infrastructure, government systems, and enterprise networks must align with new standards to maintain compliance.

Operational disruption
Systems not upgraded to post-quantum cryptography (PQC) may fail to interoperate in a secure ecosystem, leading to widespread disruption. IoT devices, embedded systems and devices, and apps built on legacy cryptographic systems face particular risk.

The quantum threat is not theoretical. Data being encrypted today with RSA or ECC could be stored by attackers and decrypted later when quantum computers become available, a strategy known as "harvest now, decrypt later." This makes the transition to quantum-resistant algorithms not just a future concern but a present-day imperative for long-term security.

By acting now to adopt PQC-ready systems, organisations can mitigate these risks and ensure their operations remain secure in the post-quantum era. Unsung is here to guide this critical transition.

Impacts on your organisation

Technology stacks

Legacy systems relying on RSA or ECC will face compatibility and security issues. Post-2030, systems using deprecated algorithms may still function but will not align with modern security policies, exposing organisations to risks. Post-2035, these systems may completely fail to integrate with PQC-ready infrastructure or be outright disallowed by regulators.

Hardware security modules, firmware, and silicon must support new algorithms including CRYSTALS-Dilithium for digital signatures and CRYSTALS-Kyber for key exchange. Software updates and firmware updates will be required across enterprise networks, whilst backward compatibility concerns must be addressed for embedded devices and IoT devices.

Processes and PQC strategy

Transitioning to PQC algorithms will require significant updates to PKI operations, including:

Cryptographic inventory and asset audit
Conduct a comprehensive audit to identify cryptographic assets and locate where legacy algorithms are in use across your systems, hardware, firmware, and apps.

Key and certificate migration
Ensure seamless functionality with quantum-resistant cryptography through planned migration that maintains secure communications throughout the transition.

Crypto agility
A shift towards crypto agility enables organisations to adapt quickly to new cryptographic standards in the future. Flexible APIs, plug-and-play implementations, and support for multiple post-quantum algorithms ensure future-proofing as the industry and academic institutions continue to refine PQC implementations.

Why act now on Post-Quantum Cryptography

Whilst 2030 may feel distant, the transition to post-quantum cryptography is a complex, multi-year endeavour. Organisations that start planning now will:

  • Avoid last-minute scrambling and potential disruptions
  • Align with regulatory requirements well before deadlines
  • Ensure their systems remain secure and interoperable in a quantum-safe future

The NIST roadmap provides the perfect opportunity to assess your organisation's readiness and define a clear PQC strategy to meet these milestones. Academic institutions, government agencies, and vendors are collaborating through forums like the Internet Engineering Task Force to create standards and tools that support this transition.

How Unsung supports PQC implementation

At Unsung, we specialise in Public Key Infrastructure and post-quantum cryptography solutions. Here's how we can guide your organisation:

Audit and assessment of cryptographic assets
We'll help you locate all instances of legacy cryptography within your infrastructure through a comprehensive crypto-asset audit. Our deeper dive examines your cryptographic inventory across hardware, firmware, apps, and systems to identify where the quantum threat poses a risk.

PQC strategy development
Our team will design a bespoke PQC transition plan aligned with NIST's timelines, ensuring minimal disruption to your operations. We focus on crypto agility, helping you create a roadmap that supports new algorithms as they emerge, defines implementation priorities, and addresses backward compatibility requirements.

Implementation across systems and technology
From upgrading components to migrating keys and certificates, we'll handle the technical challenges. Our PQC implementation services cover hardware security modules, embedded systems, enterprise networks, and critical infrastructure. We work with your existing technology stack and support integration of CRYSTALS-Dilithium, CRYSTALS-Kyber, and other PQC algorithms approved by NIST.

Managed services for quantum security
Post-transition, we provide ongoing support to maintain a quantum-safe posture and ensure compliance with evolving standards. We monitor cryptographic security, manage software updates and firmware updates, and maintain the crypto agility needed to adapt as post-quantum standards mature.

Debunking myths - don't let PQC vendors scare the PKI horses

Transitioning to post-quantum cryptography doesn't have to be a daunting task. Whilst vendors may create panic to push unnecessary solutions, a measured and well-informed approach is key. At Unsung, we believe in simplifying the path to PQC readiness, not overcomplicating it.

When evaluating NIST PQC vendors, consider:

  • Vendor-neutral advice that focuses on your needs, not vendor comparison matrices designed to favour one algorithm or solution
  • Support for multiple implementations and flexible APIs rather than plug-and-play solutions that lock you into proprietary systems
  • Experience across government, critical infrastructure, and enterprise networks
  • Understanding of the Internet and secure communications requirements specific to your industry

Our expertise and vendor-neutral approach mean we deliver solutions that are tailored to your needs, not upsold for profit.

Get ahead of the curve on Post-Quantum Security

The clock is ticking, and the time to act is now. By starting your PQC journey today, you can:

  • Ensure compliance with NIST deadlines
  • Safeguard your systems against the emerging quantum threat
  • Build a foundation of digital trust and post-quantum security that stands the test of time

Unsung has the expertise, tools, and track record to guide your organisation through this transformation. We secure the future of your cryptographic systems, protecting data in the post-quantum era whilst maintaining the flexibility to adapt as technology and cryptographic standards evolve.

Contact us today to begin planning your post-quantum future. Let's navigate this roadmap together and ensure your systems are secure, compliant, and future-ready.

Unsung Ltd
September 16, 2025