CISA’s PQC Product Categories: Progress, Gaps, and the Hard Work Ahead

Written by Roberta Faux | Jan 28, 2026 2:32:17 PM

Last week, CISA released guidance on Product Categories for Technologies That Use Post-Quantum Cryptography (PQC) Standards. The document catalogs technology classes that now support, or are expected to soon support, NIST’s recently standardized PQC algorithms. These categories span much of the enterprise stack: cloud services (PaaS and IaaS), web browsers and servers, messaging platforms, full-disk encryption, networking equipment, operating systems, SaaS platforms, databases, and endpoint security products.

This catalog provides federal acquirers with clearer procurement signals as quantum risk transitions from theoretical to operational. It also aligns with Executive Order mandates directing agencies to accelerate post-quantum adoption. This represents real progress. At the same time, the guidance stops short of offering a robust roadmap for effective, end-to-end migration.

A Major Blind Spot

The guidance focuses almost exclusively on enterprise IT environments, leaving OT and IoT systems largely unaddressed. This omission is particularly concerning for critical infrastructure. OT and IoT assets, such as SCADA controllers, industrial sensors, medical devices, grid components, and transportation systems, often have operational lifecycles measured in decades; fifteen to thirty years is common. These systems are precisely the targets most vulnerable to harvest-now, decrypt-later strategies, and they are the least able to absorb cryptographic transitions.

Constrained microcontrollers already struggle with today’s NIST PQC algorithms due to code size, memory, power, and latency constraints. CISA’s separate OT-focused guidance acknowledges that the post-quantum transition in these environments is a “significant and enduring challenge.” Yet this reality is not reflected in the procurement-oriented product guidance.

The result is a gap where it matters most. Critical sectors such as energy, water, transportation, and manufacturing are left without actionable direction during what is likely to be a prolonged transition period. This gap threatens to undermine national security resilience.

Another often-overlooked point in many OT and IoT environments is the role of symmetric cryptography. Both NIST and NSA have been clear that symmetric cryptography (e.g., AES-256) remains quantum-safe. This has important architectural implications for how PQC strategies should be prioritized and deployed in constrained and long-lived systems.

At Arqit, we view CISA’s release as a helpful milestone, but only a starting point. Organizations must begin with comprehensive cryptographic inventories, prioritize authentication alongside key establishment, and plan phased hybrid deployments now. Critical infrastructure operators, in particular, cannot afford to wait for perfect standards alignment before shaping roadmaps.
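To make the two preceding points concrete (symmetric primitives staying quantum-safe, and inventories that weigh key establishment against authentication and device lifetime), here is an added illustration of cryptographic-inventory triage. It is example code written for this post, not CISA's or Arqit's tooling; the algorithm groupings, scoring weights, asset records, and recommendation wording are assumptions for illustration only.

```python
from dataclasses import dataclass

# Public-key primitives broken by Shor's algorithm on a cryptographically relevant quantum computer.
QUANTUM_VULNERABLE = {"RSA", "ECDH", "ECDSA", "DH", "DSA"}
# NIST-standardized PQC algorithms (FIPS 203/204/205).
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric primitives at 256-bit strength remain quantum-safe (Grover only halves effective strength).
SYMMETRIC_SAFE = {"AES-256", "SHA-256", "SHA-384", "HMAC-SHA256"}
LONG_LIVED_YEARS = 15  # OT/IoT lifecycles of 15-30 years are common (assumed threshold)

@dataclass
class Asset:
    name: str
    algorithm: str
    purpose: str          # "key_establishment", "authentication" or "data_at_rest"
    lifecycle_years: int
    constrained: bool     # microcontroller-class device

def classify(algorithm):
    if algorithm in QUANTUM_VULNERABLE:
        return "vulnerable"
    if algorithm in PQC:
        return "pqc"
    if algorithm in SYMMETRIC_SAFE:
        return "symmetric-safe"
    return "unknown"

def triage(asset):
    """Return (priority score, recommendation); higher score = migrate sooner. Weights are assumptions."""
    cls = classify(asset.algorithm)
    if cls == "pqc":
        return 0, "already PQC; keep under inventory"
    if cls == "symmetric-safe":
        return 0, "quantum-safe; confirm 256-bit keys and keep"
    if cls == "unknown":
        return 1, "inventory gap: identify the algorithm before scoring"
    score = 3  # quantum-vulnerable public-key primitive
    if asset.purpose == "key_establishment":
        score += 3  # traffic captured today can be decrypted later (harvest-now, decrypt-later)
        action = "migrate key establishment to a hybrid (classical + ML-KEM) scheme first"
    elif asset.purpose == "authentication":
        score += 1  # forgery needs a live quantum computer, but long-lived trust roots still matter
        action = "plan ML-DSA/SLH-DSA rollout for signatures and firmware trust roots"
    else:
        score += 2  # stored data wrapped with a vulnerable public key is HNDL-exposed
        action = "re-wrap data-at-rest keys without quantum-vulnerable public-key wrapping"
    if asset.lifecycle_years >= LONG_LIVED_YEARS:
        score += 2  # device will outlive the expected arrival of the threat
    if asset.constrained:
        score += 1  # least able to absorb a PQC transition
        action += "; evaluate symmetric pre-shared-key options as an interim for the constrained device"
    return score, action

def rank(assets):
    return sorted(assets, key=lambda a: triage(a)[0], reverse=True)

# Constructed sample inventory (not real assets).
SAMPLE = [
    Asset("SCADA controller", "ECDH", "key_establishment", 25, True),
    Asset("Web server TLS", "RSA", "key_establishment", 3, False),
    Asset("Firmware signing", "ECDSA", "authentication", 20, False),
    Asset("Disk encryption", "AES-256", "data_at_rest", 5, False),
    Asset("VPN gateway", "ML-KEM", "key_establishment", 5, False),
]
```

Running `rank(SAMPLE)` puts the long-lived, constrained SCADA key-establishment path at the top and leaves the AES-256 and ML-KEM entries at zero, which is the prioritization argued for above.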

The quantum threat is not hypothetical. Partial progress is still progress, but it is not protection. Building genuine post-quantum resilience will require sustained pressure, technical realism, and a willingness to confront the hardest parts of the transition head-on.
