Quantum-Safe Compliance
NSA CNSA 2.0, NIST FIPS 203/204/205, OMB M-23-02, ETSI QSC, quantum readiness.
What is Quantum-Safe Compliance?
Quantum-safe compliance is emerging as a distinct regulatory and standards domain as governments and industry bodies set concrete timelines for post-quantum migration. The United States is leading with aggressive mandates: NSA's CNSA 2.0 advisory requires National Security Systems to adopt quantum-resistant algorithms by 2030 for software/firmware signing and by 2033 for most other uses. OMB Memorandum M-23-02 directs federal agencies to inventory their cryptographic systems and submit migration plans.
NIST has finalized the foundational technical standards — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) — providing the algorithms organizations must adopt. The Cryptographic Module Validation Program (CMVP) is updating FIPS 140-3 validation to include post-quantum algorithms, which will drive adoption across regulated industries. In Europe, ETSI's Quantum-Safe Cryptography (QSC) working group and the French ANSSI have published their own guidance and timelines.
For organizations, quantum-safe compliance requires a structured approach: conducting a cryptographic inventory to identify all public-key dependencies, prioritizing migration based on data sensitivity and system lifespan, building crypto agility into procurement requirements, and establishing governance processes to track migration progress against regulatory deadlines. The compliance burden is front-loaded — the inventory and planning phase is the most resource-intensive, but delaying makes the eventual migration more expensive and risky.
Why it matters
Government mandates with hard deadlines are turning quantum-safe migration from optional future planning into a compliance requirement. Organizations that ignore CNSA 2.0 and OMB M-23-02 timelines will face regulatory consequences and procurement exclusion.
Quantum-safe compliance translates the technical requirements of post-quantum cryptography into governance, risk management, and audit frameworks that CISOs, compliance teams, and government contractors must operationalize.
Govern & Direct
Set direction, own risk, shape policy, govern AI/quantum programs, work with people and narrative.
People shaping this field
Researchers and practitioners worth following in this space.
NIST PQC project lead, architect of FIPS 203/204/205 standardization
Former NSA Cybersecurity Director, drove CNSA 2.0 rollout
NIST NCCoE lead on PQC migration practice guide
Curated resources
Authoritative sources we ground Quantum-Safe Compliance questions in — frameworks, research, guides, and tools.
CISA — "Post-Quantum Cryptography Initiative"
Federal guidance on preparing for quantum threats. Cryptographic inventory requirements, risk assessment methodology, and migration prioritization. Practical governance questions.
NIST SP 800-131A Rev. 2 — Transitioning the Use of Cryptographic Algorithms
Transition guidance for cryptographic algorithms. Established precedent for how NIST manages algorithm deprecation (e.g., SHA-1, DES). Informs questions about how PQC transition will be mandated.
PCI SSC — Quantum Computing Impact on Payment Security
Bulletin on quantum threats to payment card security (AES, RSA in payment protocols). Sector-specific compliance questions for financial services PQC migration.
Cloud Security Alliance — "Quantum-Safe Security Working Group"
Practical guidance for cloud providers and enterprises on quantum-safe migration. Covers certificate management, key negotiation, and hybrid deployment models.
NSA CNSA 2.0 — Commercial National Security Algorithm Suite
NSA's mandated quantum-resistant algorithm suite for national security systems. Defines transition timelines for all classified communications.
OMB M-23-02 — Migrating to Post-Quantum Cryptography
White House memo requiring federal agencies to inventory cryptographic systems and begin migration to quantum-resistant algorithms.
Roles where this matters
Career paths where this domain shows up as core or recommended.
Manage risk, ensure regulatory compliance, and build governance frameworks. Where security meets business strategy.
Lead security strategy, communicate risk to the board, and build security programs. Executive-level cybersecurity leadership.
Prepare for the post-quantum era. Understand quantum threats and lead cryptographic migration efforts.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Also touched
NIST / vendor PQC migration training (emerging credentials)
Crypto inventory, algorithm selection (ML-KEM/ML-DSA/SLH-DSA), migration planning.