About & Methodology
How this tracker works, where data comes from, and how to contribute.
What this is
PQC Tracker is an operational reference for the post-quantum cryptography transition. It covers PQC algorithms and their standardization status, regulatory mandates issued by governments and recognized standards bodies, issuing organizations, and compliance milestones — all sourced from primary documents and consolidated into a structured, searchable format so practitioners can quickly assess where their systems stand.
The intended audience is practitioners with accountability for cryptographic compliance: CISSP and CISM holders, PKI architects, compliance leads, and agency IT security officers. It is not written for a general audience — it assumes familiarity with concepts like key encapsulation mechanisms, digital signature schemes, and certificate lifecycle management. In scope are official government directives, regulatory instruments, and recognized standards body publications only. Media coverage, vendor guidance, and industry association white papers are explicitly out of scope.
Methodology
Mandates are included only when they originate from an official primary source — a published government directive, regulation, memorandum, or recognized standards body specification. Secondary reporting, vendor summaries, or advocacy positions are not included regardless of accuracy.
Requirement levels are assigned as follows: REQUIRED means the obligation is explicitly mandated in authoritative text with no discretion left to the implementer. RECOMMENDED means the algorithm or measure is officially encouraged or preferred, but non-adoption does not constitute a violation. NOTED means the algorithm or measure is referenced or acknowledged within the mandate's scope but carries no prescriptive force.
Data is updated on a best-effort basis as new mandates are issued or existing ones are amended. Community corrections are welcomed — see the Submit section below. Always verify entries against the linked primary source before making compliance decisions.
Data sources
| Source | URL | Type | What it covers |
|---|---|---|---|
| NSA | https://www.nsa.gov/Cybersecurity/Post-Quantum-Cybersecurity-Resources/ | Guidance | Defense and national security PQC requirements (CNSA 2.0) |
| NIST | https://csrc.nist.gov/projects/post-quantum-cryptography | Standards | FIPS 203/204/205/206 and the broader PQC standardization process |
| CISA | https://www.cisa.gov/quantum | Guidance | Critical infrastructure sector guidance and migration resources |
| OMB | https://www.whitehouse.gov/omb/information-for-agencies/memoranda/ | Policy | Federal civilian agency requirements (M-23-02, related memoranda) |
| ENISA | https://www.enisa.europa.eu/topics/cryptography | Guidance | EU member state PQC guidance and NIS2 implementation support |
| ETSI ISG QSC | https://www.etsi.org/technologies/quantum-safe-cryptography | Standards | Hybrid PQC protocol specifications for TLS, e-signatures, and migration strategies |
| IETF | https://datatracker.ietf.org/wg/lamps/documents/ | Standards | Protocol-level PQC standards: TLS 1.3, X.509 certificates, CMS, XMSS (RFC 8391), LMS (RFC 8554) |
Algorithms tracked
| Algorithm | NIST FIPS | Type | Status |
|---|---|---|---|
| ML-KEM | FIPS 203 | KEM | Standardized |
| ML-DSA | FIPS 204 | Signature | Standardized |
| SLH-DSA | FIPS 205 | Signature | Standardized |
| FALCON (FN-DSA) | FIPS 206 | Signature | Standardized |
| HQC | TBD | KEM | Candidate (NIST 2024) |
| XMSS | SP 800-208 / RFC 8391 | Signature | Standardized (stateful) |
| LMS / HSS | SP 800-208 / RFC 8554 | Signature | Standardized (stateful) |
Submit an update
Corrections and additions from the practitioner community are welcomed. Accepted submissions include: new mandates from official government or standards body sources, corrections to existing deadline dates, broken or outdated source links, and newly published algorithm references in official mandate text. Submissions that reference secondary sources, vendor materials, or that cannot be verified against a primary source will not be incorporated.
About the author
Saqib Ahmad is a cybersecurity professional with 25+ years of hands-on experience in cryptographic security, public key infrastructure, and secure authentication. He holds a CISSP certification and has deep technical expertise spanning hardware security modules (HSM), secure element development, Java Card security architecture, and cryptographic key lifecycle management.
He has contributed to standards development through bodies including Java Card Forum, ETSI, and GlobalPlatform, and has led post-quantum cryptography initiatives in production environments, including PQC integration in network security infrastructure, giving him direct operational experience with the mandate landscape this site tracks.
He holds an MBA from the University of Illinois at Urbana-Champaign and Bachelor's degrees in Computer Science and Journalism.
This site is an independent reference resource, not official compliance advice. Always verify requirements against primary sources before making compliance decisions.