New Draft White Paper | PQC Migration: Mappings to Risk Framework Docs

The NIST National Cybersecurity Center of Excellence (NCCoE) has published an initial public draft of NIST Cybersecurity White Paper (CSWP) 48, Mappings of Migration to PQC Project Capabilities to Risk Framework Documents.

Cryptographic algorithms are vital for safeguarding confidential electronic information from unauthorized access. For decades, these algorithms have proved strong enough to defend against attacks using conventional computers that attempt to defeat cryptography. However, future quantum computing may be able to break these algorithms, rendering data and information vulnerable. Countering this future quantum capability requires new cryptographic methods that can protect data from both current conventional computers and the quantum computers of tomorrow. These methods are referred to as post-quantum cryptography (PQC). The NCCoE Migration to PQC project is a collaboration with industry and government to demonstrate capabilities that support an organization’s migration to PQC.

The Need for Action

Organizations should start planning now to migrate to PQC, also known as quantum-resistant cryptography, to protect their high-value, long-lived sensitive data.

Historically, it has taken a long time from the moment that a new algorithm is standardized until it is fully integrated into information systems.

No one knows how long it will take to build a cryptographically relevant quantum computer. Predictions vary widely, but some people think it may be possible in less than 10 years.

Even if computer security experts implement post-quantum encryption algorithms before sufficiently powerful quantum computers are built, a lot of encrypted data remains under threat because of a type of attack called “harvest now, decrypt later.” In this attack, an adversary who cannot currently crack the encryption that protects our secrets captures encrypted data and holds onto it, in the hope that a quantum computer will break the encryption down the road.

About CSWP 48: Aligning with Cybersecurity Frameworks and Security Controls

The paper is designed to connect those whose risk management practices reference the NIST cybersecurity framework and controls documents with the capabilities and actions involved in migrating to post-quantum cryptography. Specifically, this paper maps capabilities demonstrated in the NCCoE Migration to PQC project to several security objectives and controls found in two important NIST documents:

  1. NIST Cybersecurity Framework 2.0 (CSF 2.0). A widely adopted framework that helps organizations manage and reduce cybersecurity risk.
  2. Security and Privacy Controls for Information Systems and Organizations (SP 800-53). A comprehensive catalog of security controls that organizations can use to protect their information systems.

This helps organizations align their PQC migration efforts with established security outcomes (and broader cybersecurity risk management practices) and identify specific security controls and objectives needed to successfully implement PQC migration.

Your Feedback Matters

We invite you to review this document and provide comments by October 20, 2025. Comments can be submitted by visiting the NCCoE project page. If you have any questions or need further information, please don’t hesitate to contact the team at applied-crypto-pqc [at] nist.gov. We encourage you to join the NCCoE PQC Community of Interest (COI) to receive project updates and stay involved!

Released September 18, 2025