What Are NIST’s Finalized Post-Quantum Cryptography Standards?

Share:
NIST's post-quantum cryptography standards are finalized. Learn what FIPS 203, 204, and 205 mean, why they matter, and how to prepare for quantum-safe encryption.

Post-quantum cryptography moved from a research topic to an operational priority in August 2024, when the National Institute of Standards and Technology finalized its first quantum-resistant encryption standards after an eight-year global competition. The urgency is real, because a sufficiently powerful quantum computer would be able to break the RSA and elliptic-curve algorithms that protect almost all of today’s digital communications, and adversaries are already capturing encrypted data now so that they can decrypt it later once that capability exists.

This article explains exactly what NIST finalized, what it has not finalized yet, and what the announcement means for the way your organization should plan its cryptographic future.

What Is the Need for NIST to Standardize Post-Quantum Cryptography?

Most of the cryptography that secures online banking, software updates, and confidential data relies on mathematical problems that classical computers cannot solve efficiently, yet a cryptographically relevant quantum computer running Shor’s algorithm could solve those same problems quickly and render RSA and elliptic-curve cryptography insecure. Nobody knows precisely when such a machine will exist, but the risk cannot be deferred until it does, because data encrypted today can be harvested and stored now and then decrypted years later, and any information with a long confidentiality shelf life is therefore already exposed. To get ahead of that threat, NIST ran a public standardization process from 2016 onward, evaluated dozens of submissions from cryptographers around the world, and selected the algorithms that became the first finalized standards, and you can see how this fits within the wider standards landscape in our overview of NIST security standards.

What are the Three Standards NIST Finalized?

NIST published three finalized Federal Information Processing Standards on August 13, 2024, and each one addresses a core cryptographic function that quantum computing threatens.

  • FIPS 203 specifies ML-KEM, the Module-Lattice-Based Key-Encapsulation Mechanism derived from the CRYSTALS-Kyber submission, and it serves as the primary standard for general encryption and secure key exchange, so it is the intended replacement for the key-establishment role that RSA and elliptic-curve Diffie-Hellman play today.
  • FIPS 204 specifies ML-DSA, the Module-Lattice-Based Digital Signature Algorithm derived from CRYSTALS-Dilithium, and it is the primary standard for protecting digital signatures, which underpin authentication, software signing, and data integrity across almost every modern system.
  • FIPS 205 specifies SLH-DSA, the Stateless Hash-Based Digital Signature Algorithm derived from SPHINCS+, and because its security rests on hash functions rather than lattice mathematics, it acts as a conservative backup that would remain secure even if a weakness were ever found in the lattice-based schemes.

What NIST Has Not Finalized Yet?

It is worth being precise about the word finalized, because two further algorithms are still moving through the pipeline rather than being published as standards. The fourth signature standard, expected to be numbered FIPS 206 and named FN-DSA after the FALCON submission, has taken longer because of its mathematical complexity, and NIST has indicated that its finalization is expected around late 2026 or early 2027 rather than alongside the first three. NIST also selected HQC in March 2025 as an additional key-encapsulation mechanism, and because HQC is code-based rather than lattice-based it provides a mathematically different backup to ML-KEM, though its own standard is still being drafted. For most organizations the practical guidance is unchanged, because ML-KEM, ML-DSA, and SLH-DSA are the standards that NIST says can and should be adopted now.

What Should be the Migration Timeline You Should Plan Around

NIST paired the new standards with a transition roadmap in its draft Internal Report 8547, and the direction of travel is unambiguous even though some details are still being refined. Under that roadmap the quantum-vulnerable algorithms, including RSA and elliptic-curve cryptography, are set to be deprecated after 2030 and disallowed entirely after 2035, and high-risk systems are expected to move well before those dates. The National Security Agency’s CNSA 2.0 guidance points national security systems and their supply chains toward similar deadlines, so organizations in regulated or defense-adjacent sectors face pressure that arrives sooner rather than later. The consistent message from NIST is that migration should begin now rather than at the moment a quantum computer appears, because cryptographic transitions across large estates take years to complete.

What This Means for Your Organization?

The move to post-quantum cryptography is a software and governance program rather than a hardware project, and it starts with knowing where vulnerable cryptography lives. Organizations should build a cryptographic inventory that maps every place RSA and elliptic-curve algorithms are used across applications, certificates, and third-party connections, and this discovery step is what makes the rest of the migration plannable rather than guesswork. Crypto-agility then becomes the design goal, because systems that can swap algorithms cleanly will absorb ML-KEM today and HQC or FN-DSA later without a painful rebuild. Compliance obligations reinforce the same priorities, since frameworks such as PCI DSS already govern how cryptography protects sensitive data, and vendor exposure matters too, which is why this discipline connects directly to audit readiness and to a mature approach to third-party risk management.

How Ampcus Cyber Helps You Prepare for Post Quantum World?

Preparing for a post-quantum world is as much a leadership and governance challenge as a technical one, and Ampcus Cyber supports organizations across both dimensions. While our services help security leaders assess cryptographic exposure, prioritize migration against real business risk, and align the effort with the frameworks that already apply to them, our product suite ensures continuous visibility into controls and risk as the transition unfolds. If your organization has not yet started mapping its cryptographic estate, the finalization of these standards is the signal to begin, because the timelines are already set and the harvest-now-decrypt-later risk is already running.

Quantum threats won’t wait. Neither should your cryptography strategy.

Partner with Ampcus Cyber experts and get a crypto-agile roadmap. Prepare your organization for a secure post-quantum future. Connect with us!

Enjoyed reading this blog? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.

×

7th August 2026

New Delhi, India

Know more
Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Talk to an expert