Now Available for Comment: White Paper on Migration to Post-Quantum Cryptography (PQC)
September 18, 2025

The NIST National Cybersecurity Center of Excellence (NCCoE) has published an initial public draft of NIST Cybersecurity White Paper (CSWP) 48, Mappings of Migration to PQC Project Capabilities to Risk Framework Documents.

The emergence of quantum computing technology poses a significant threat to the security of our online data. Many of the cryptographic algorithms that currently protect our communications, data processing, and storage systems will potentially be made vulnerable by the advent of quantum computing. When practical quantum computers become available, public-key algorithms and associated protocols will be at risk of being broken by malicious actors, including hackers, competitors, and other adversaries. This is a concern because attackers can already steal encrypted data with the intention of decrypting it later, once they have access to a quantum computer.

The Need for Action

To mitigate this risk, organizations should start planning now to transition to quantum-resistant algorithms. The NCCoE is leading the way in working with industry partners and other government agencies to demonstrate practices that enable the migration to PQC.

About CSWP 48: Aligning with Cybersecurity Frameworks and Security Controls

The project is designed to support and align with key NIST cybersecurity frameworks and security controls. Specifically, the project’s capabilities are informed by and mapped to the security objectives and controls outlined in two important NIST documents:

• • NIST Cybersecurity Framework 2.0 (CSF 2.0). A widely adopted framework that helps organizations manage and reduce cybersecurity risk.
  • Security and Privacy Controls for Information Systems and Organizations (SP 800-53). A comprehensive catalog of security controls that organizations can use to protect their information systems.

This white paper provides a mapping of the project’s capabilities to these two resources. This helps organizations align their PQC migration efforts with established security outcomes (and broader cybersecurity risk management practices) and identify specific security controls and objectives needed to successfully implement PQC migration.

Your Feedback Matters

We invite you to review this document and provide comments by October 20, 2025. You can submit comments by visiting the NCCoE project page.

If you have any questions or need further information, please don’t hesitate to contact the team at [email protected]. We encourage you to join the NCCoE PQC Community of Interest (COI) to receive project updates and stay involved!

Comment Now!