Roadmap (policy-aligned, vendor-practical)
Phase 0 — Set the rules of the game (Week 0–4)
-
Adopt standards + timelines as your north star:
-
NIST FIPS 203/204/205 (Kyber/ML-KEM, Dilithium/ML-DSA, SPHINCS+) are finalized. NIST CSRCNIST
-
NIST 4th-round status (e.g., HQC selected for standardization in 2025) for additional KEM coverage. NIST CSRCNIST
-
NSA CNSA 2.0 timelines for high-assurance environments (e.g., software/firmware signing move ASAP; broad completion toward ~2030–2031). U.S. Department of DefenseNational Security Agency+1
-
Track TLS 1.3 hybrid key exchange (X25519+Kyber) drafts and real-world tests. IETF Datatracker+1Keysight
-
Phase 1 — Discover & risk-rank (Month 1–3)
-
Run automated crypto inventory (where are RSA/ECC/DSA/DH? which key sizes? cert chains? embedded libs?).
-
Identify long-lived confidentiality data (“harvest-now-decrypt-later” exposure), and map to systems.
-
Use CISA’s migration guidance to structure reporting & ownership. CISA+1U.S. Department of Homeland Security
Phase 2 — Design crypto-agility (Month 2–6)
-
Introduce abstraction layers/keystores so algorithms/keys are swappable without code rewrites.
-
Upgrade PKI (enterprise CA/RA, ACME/automation) to issue PQC (and hybrid) certs.
-
Ensure HSMs/KMS and libraries (OpenSSL/BoringSSL/WolfSSL, JCA, CNG) support Kyber/Dilithium/SPHINCS+ (or hybrid).
Phase 3 — Pilot PQC (Month 3–9)
-
TLS 1.3 hybrid KEX pilots (X25519+Kyber) on internal APIs, then customer-facing edges/CDN/WAF. IETF DatatrackerKeysight
-
Code-signing pipelines move first (CNSA 2.0 priority). U.S. Department of Defense
-
Start PQC-capable certificate issuance in non-prod → canary → prod.
Phase 4 — Scale deployment (Month 6–24)
-
Roll out PQC or hybrid across TLS, VPN, email (S/MIME), mTLS, service mesh, SD-WAN, and device onboarding.
-
Rotate keys/certs; deprecate weak suites; update compliance baselines and runbooks.
-
For OT/IoT, plan gateways/firmware updates or compensating controls.
Phase 5 — Sustain & deprecate (Year 2+)
-
Continuous posture monitoring (crypto bill of materials, drift alerts).
-
Retire hybrids once PQC-only interoperability is mature and mandated (track CNSA 2.0/sector rules). National Security Agency
What to deploy where (quick mapping)
- Key establishment / TLS KEX: Kyber (ML-KEM); hybrid X25519+Kyber during transition. NIST CSRCIETF Datatracker
- Signatures (general): Dilithium (ML-DSA) as primary; SPHINCS+ where ultra-conservative needed; Falcon where compact signatures are critical. NIST CSRC
- Code signing / firmware: Dilithium or Falcon (per vendor/HSM support) aligned to CNSA 2.0. U.S. Department of Defense
- Symmetric / hashing: Keep AES-256 / SHA-384/512 (length-doubling for quantum margin). (Background: symmetric/hash aren’t fully broken; they need bigger sizes.)
Cost: how to think about it (with a live model)
There’s no single “correct” global price tag—cost scales with asset count, app complexity, supply-chain readiness, and sector (IoT/OT is pricier). To make this concrete, I built a transparent calculator with tweakable assumptions (inventory/tooling, app refactors, PKI/HSM upgrades, training, program overhead).
Baseline (adjustable) assumptions in the model
- Inventory & discovery: $10 / endpoint (tools + effort).
- Application refactor: $120k per app/service (design → test → deploy).
- PKI upgrade: $150k per org.
- HSM/KMS upgrades: $15k per unit.
- Training: $1.5k per security/crypto-relevant staffer.
- Program overhead: 18% (PMO, audits, vendor mgmt, contingency).
Example outputs (included in the file)
Tiers: SMB, Mid-market, Large Enterprise, Hyperscale/Cloud, Critical Infra/OT, with counts per tier.The illustrative global roll-up using conservative—but broad—counts comes out around $5.0T over a multi-year horizon (this includes millions of SMBs and OT/IoT-heavy operators).
Interpreting the numbers (reality check)
If you narrow scope to the top ~100k orgs and critical systems first, real-world spend could be $300B–$1T over 5–7 years.The biggest drivers are app refactors (headcount/time), OT/IoT retrofits, and code-signing/PKI modernization—not license fees for the algorithms themselves.
Immediate actions (that save money later)
Inventory now (CISA-aligned) to avoid “unknown unknowns.” CISA
Crypto-agility abstraction (keystores, policy engines) to prevent re-writes.
Move code-signing first (CNSA 2.0 guidance). U.S. Department of Defense
Pilot TLS hybrid on a single customer-facing domain to validate performance & telemetry. IETF DatatrackerKeysight
Vendor pressure-test: require PQC-capable roadmaps in contracts and SLAs (see GSA Buyer’s Guide). buy.gsa.gov
Support this blog
Thank you for your attention!
For questions and/or technical consulting, I am available in the comments section below on the blog, or by email at simedruflorin@automatic-house.ro
Have a nice day, everyone!