CSA Singapore Post-Quantum Cryptography Advisory
- Issuer
- Cyber Security Agency of Singapore(CSA)
- Effective date
- Jul 1, 2023
- Published date
- Jul 1, 2023
- Full text
- View full text →
Summary
The Cyber Security Agency of Singapore (CSA) has published advisory guidance encouraging organisations to begin preparing for the post-quantum transition. CSA recommends following NIST PQC standards (FIPS 203, 204, 205), adopting cryptographic agility, and conducting cryptographic asset inventories. The advisory targets Singapore government agencies, financial institutions, and critical information infrastructure operators.
PKI impact
CSA's advisory explicitly targets Singapore CII operators including financial institutions, which hold high-value cryptographic material and have long system lifecycle times. Device/IoT certificate infrastructure in smart nation and critical infrastructure contexts has multi-decade operational lifespans, elevating the urgency beyond the advisory framing.
Migration hints
- Complete a cryptographic asset inventory for all CII systems, prioritizing internet-facing TLS/SSL endpoints and long-lived signing keys in financial transaction and settlement systems.
- Include Device/IoT certificate infrastructure in the inventory scope — smart nation infrastructure such as sensors, controllers, and edge devices may carry certificates with lifetimes extending well past expected quantum threat timelines.
- Follow CSA's alignment with NIST FIPS 203/204/205 for new certificate issuance and key establishment — CSA has not added additional Singapore-specific algorithm requirements.
- Engage with MAS (Monetary Authority of Singapore) on any sector-specific PQC requirements for financial services that may exceed CSA advisory timelines.
- Embed cryptographic agility requirements in technology procurement contracts to ensure CA, HSM, and certificate management vendors support PQC within known upgrade cycles.
Milestones (2)
| Deadline | Label | Type | Hard | Notes |
|---|---|---|---|---|
| Dec 31, 2025 | Critical information infrastructure: complete cryptographic inventory | Inventory | CSA advises CII operators to complete cryptographic asset inventories and quantum risk assessments by end of 2025. | |
| Dec 31, 2026 | Government agencies: begin PQC migration planning | Migration Plan | CSA recommends Singapore government agencies develop and submit PQC migration roadmaps by end of 2026. |
Algorithm references (2)
- ML-KEMFIPS 203Recommended
Replaces: RSA, ECDH
CSA recommends ML-KEM (FIPS 203) for post-quantum key encapsulation, aligned with NIST standardisation.
- ML-DSAFIPS 204Recommended
Replaces: RSA, ECDSA
CSA recommends ML-DSA (FIPS 204) for digital signatures in post-quantum migration planning.
Changelog (2)
| Date | Type | Description |
|---|---|---|
| Oct 1, 2025 | Clarification | CSA updated advisory to reference finalised NIST FIPS 203/204/205/206 and align Singapore CII operator guidance with the 2025 cryptographic inventory milestone. |
| Jul 1, 2023 | New | CSA Singapore published PQC advisory guidance, recommending NIST PQC standards adoption and cryptographic agility for government and CII sectors. |
Issuer
Cyber Security Agency of SingaporeCSA
Type: GOVERNMENT
Region: Singapore