The $7.1 Billion Federal Estimate
In its 2025 report to Congress, the Office of the National Cyber Director (ONCD) projected that migrating federal civilian agencies to post-quantum cryptography will cost approximately $7.1 billion over the NSM-10 timeline (through 2035). This estimate covers 100+ agencies, thousands of systems, and millions of endpoints -- but it excludes the Department of Defense and intelligence community, which have separate (and classified) budgets for their CNSA 2.0 migration.
The federal estimate breaks down roughly as follows: 30% for cryptographic discovery and inventory, 25% for algorithm replacement and integration, 20% for testing and validation, 15% for re-certification (FedRAMP, FISMA, FIPS 140-3), and 10% for workforce training and ongoing operations. These proportions are remarkably consistent with what we see in enterprise migrations, just scaled down.
But the federal number, large as it is, represents organizations with existing relationships with NIST, access to the Cryptographic Module Validation Program (CMVP) process, and dedicated cybersecurity staffing. Enterprises do not have these advantages. Their costs, per-system, are typically higher.
The Enterprise DIY Cost: $18M+ Over Three Years
We have built a detailed cost model based on published consulting rates, salary surveys for cryptography specialists, and our experience working with enterprises evaluating PQ migration. Here is the line-by-line breakdown for a mid-to-large enterprise (1,000-10,000 employees, 200+ applications, regulated industry):
| Cost Category | Estimate | Notes |
|---|---|---|
| Cryptographic Inventory & Discovery | $200,000 - $400,000 | Scanning all systems, APIs, certificates, HSMs, key stores. Most enterprises have never done this comprehensively. |
| Library Evaluation & Selection | $150,000 - $250,000 | Evaluating liboqs, BoringSSL PQ forks, PQClean, wolfCrypt PQ, vendor-specific libraries. Compatibility testing with existing stacks. |
| Custom Implementation & Integration | $2,000,000 - $5,000,000 | Replacing RSA/ECDH/ECDSA in every application, API, database connection, message queue, microservice. This is where the real cost lives. |
| Integration & Regression Testing | $500,000 - $1,000,000 | Performance testing, compatibility testing across every integrated system. PQ algorithms have different failure modes than classical ones. |
| Compliance Re-certification | $300,000 - $600,000 | SOC 2, HIPAA, PCI DSS, ISO 27001, FedRAMP -- each requires evidence update and assessor re-engagement. |
| Ongoing Maintenance (Year 1-3) | $500,000/year | Algorithm updates, security patches, performance tuning, monitoring. PQ is a new domain -- expect more maintenance than classical crypto. |
| Specialized Hiring | $800,000+/year | Post-quantum cryptography engineers command $250K-$400K+ total compensation. You need at least 2-3. If you can find them. |
| HSM Replacement/Upgrade | $500,000 - $2,000,000 | Most deployed HSMs do not support ML-KEM or ML-DSA natively. Hardware replacement or firmware upgrade programs. |
| Network Infrastructure | $200,000 - $500,000 | Load balancers, WAFs, API gateways, CDNs -- all need PQ-capable TLS termination. Most appliances require upgrade. |
| Project Management & Consulting | $400,000 - $800,000 | A 3-year migration project needs dedicated PM, architecture review, external consulting for domain expertise. |
Total: $5.5M - $11.4M in direct costs, plus $1.3M - $1.8M/year in ongoing costs.
Over a 3-year migration and initial operation period, the fully-loaded cost ranges from $9.4M to $16.8M. For larger enterprises with more complex infrastructure, the number easily exceeds $18M. And this assumes the project stays on schedule -- which, given the scarcity of PQ expertise and the complexity of cryptographic migration, is optimistic.
The Hiring Problem Is Real
The single largest constraint on DIY post-quantum migration is not budget -- it is talent. Post-quantum cryptography engineering requires a rare combination of skills: deep understanding of lattice mathematics, implementation experience with constant-time code, familiarity with NTT-based polynomial arithmetic, and practical knowledge of side-channel resistance. There are perhaps a few hundred people in the world with production-grade PQ implementation experience.
These engineers are overwhelmingly employed at the handful of organizations that have been building PQ systems for years: NIST's internal teams, university research groups, a small number of specialized vendors (including H33), and the engineering teams at cloud providers working on PQ TLS deployment. They are not available on the open market at any price, and the ones who are available command compensation packages starting at $300,000.
The alternative -- training existing engineering staff in PQ cryptography -- takes 12-18 months of dedicated learning to reach competency, and 3-5 years to develop the deep expertise needed for production-grade implementation. By the time your team is ready, the migration deadline may have already passed.
What You're Actually Paying For With DIY
This is the part that should give every CISO pause: the vast majority of the DIY cost is spent reimplementing what NIST has already standardized and what vendors have already productionized. You are not paying for innovation. You are paying for re-creation.
Consider what the $2-5M "Custom Implementation & Integration" line item actually buys you:
- An ML-KEM implementation (already standardized in FIPS 203, already available in open-source libraries, already deployed at scale by cloud providers)
- An ML-DSA implementation (already standardized in FIPS 204, already available in open-source libraries)
- Integration code to replace every RSA/ECDH/ECDSA call site in your codebase (custom to your stack, but structurally identical to what every other organization is doing)
- TLS configuration changes to enable hybrid PQ key exchange (documented by every major web server project)
- Certificate chain migration (procedural, not inventive)
None of this is novel engineering. It is migration engineering -- important, complex, error-prone work that requires expertise, but work that produces no competitive advantage. Your PQ implementation will not be better than H33's. It will be more expensive, take longer, and carry higher risk of implementation flaws that create new vulnerabilities.
The Alternative: H33 API Integration in Days
H33 provides the complete post-quantum cryptographic stack -- ML-KEM key exchange, ML-DSA signatures, BFV Fully Homomorphic Encryption, STARK zero-knowledge proofs -- through a single API. Integration takes days, not years. There is no cryptographic library to evaluate, no algorithm to implement, no HSM to replace.
| Dimension | DIY Migration | H33 API |
|---|---|---|
| Time to production | 3-5 years | Days to weeks |
| Year 1 cost | $3M - $6M | Free tier (dev), $9,143/yr (scale) |
| 3-year total cost | $9.4M - $18M+ | $27,429 (at scale pricing) |
| Specialized hiring needed | 2-3 PQ engineers ($800K+/yr) | Zero |
| Compliance coverage | Self-assessed | SOC 2 Type II + HIPAA + ISO 27001 (100% in Drata) |
| Performance | Varies (unoptimized) | 2.17M auth/sec, 38.5us/auth |
| Algorithm updates | Your responsibility | Automatic (API-side) |
| HNDL protection starts | Year 3-5 (post-migration) | Day 1 |
The cost difference is not 2x or 5x. It is 300-600x. And the time difference is the more critical dimension: HNDL protection begins the day you make your first API call to H33, versus the day you complete a multi-year migration project.
When DIY Makes Sense (and When It Doesn't)
There are legitimate cases for building PQ capability in-house:
- You are a cryptographic vendor whose core business is providing cryptographic primitives to other organizations. H33 is one of these. You should build.
- You operate air-gapped infrastructure that cannot make external API calls (military, intelligence, certain critical infrastructure). You must build internally.
- You require FIPS 140-3 Level 3+ validation on your specific hardware/software combination. This requires running the CMVP process on your implementation, which takes 12-24 months and costs $200K+ per module.
For everyone else -- the 99% of organizations that need PQ protection but whose core business is not cryptography -- buying is the rational choice. You do not build your own TLS library. You do not implement your own AES. You should not implement your own ML-KEM.
Start Today, Not in 2035
NSM-10 says 2035. CNSA 2.0 says 2027 for National Security Systems. But the HNDL threat says today. Every day your systems transmit sensitive data under classical cryptography is another day of recorded ciphertext waiting for a quantum computer.
The question is not whether to migrate to post-quantum cryptography. That decision has been made for you by physics and mathematics. The question is whether to spend $18M and 3 years doing it yourself, or to make one API call and be protected today.
Further Reading
- H33 Pricing -- Credit-based pricing with free tier
- Two Paths to Post-Quantum -- Detailed build vs. buy analysis
- HNDL Protection -- Why the threat timeline is already behind you
- PQ Standards for Banking -- What your auditor will ask
- API Documentation -- Get started in minutes