The US Cybersecurity and Infrastructure Security Agency (CISA) has published an initial list of hardware and software product categories that support or are expected to support post-quantum cryptography (PQC) standards.
The list aims to guide organizations in planning PQC adoption and shaping technology investment strategies amid the rise of quantum computing.
The release follows Executive Order 14306, issued on June 6 2025, by President Trump through CISA, to identify widely available products using PQC standards.
CISA collaborated closely with the National Security Agency (NSA) to compile the list, which will be regularly updated to reflect developments in quantum-resistant technologies.
“The advent of quantum computing poses a real and urgent threat to the confidentiality, integrity and accessibility of sensitive data – especially systems that rely on public-key cryptography,” Madhu Gottumukkala, Acting Director of CISA, said.
“To stay ahead of these emerging risks, organizations must prioritize the procurement of PQC-capable technologies. This product categories list will support organizations making that critical transition.”
What’s Included in the List
CISA’s list focuses on technologies either already implementing PQC standards or transitioning toward them. Categories include cloud services, collaboration and web software, endpoint security, and networking hardware and software. Each category incorporates PQC for key cryptographic functions, including:
-
Key establishment, which ensures secure, encrypted communication
-
Digital signatures, which verify authenticity and data integrity
Read more on quantum-resistant cryptography: Quantum Computers Are Coming for Your Crypto Keys, But Not Yet
Products currently widely available include platform- and infrastructure-as-a-service (PaaS and IaaS) cloud solutions, web browsers, messaging software and endpoint security tools such as full-disk encryption.
Additional categories are still transitioning, including networking hardware, identity and access management (IAM) systems, and enterprise security software.
CISA emphasized that organizations should acquire only PQC-capable products within the listed categories when planning future procurements. The agency also noted that automated cryptographic discovery tools and nontraditional IT products, such as operational technology (OT) and Internet of Things (IoT) devices, are outside the current scope.
By providing a clear framework for PQC adoption, CISA aims to help federal agencies, industry partners and other organizations prepare for a future in which quantum computing could challenge existing encryption methods.
