NIST Post-Quantum Migration Guide 2026

Eric Beans, CEO, H33.ai, Inc. | 17 min read

This guide reflects the post-quantum migration landscape as of May 2026. FIPS 203, 204, and 205 are finalized. CNSA 2.0 deadlines for software signing and web services have arrived. Browser support for hybrid key exchange is deployed in production. The question is no longer whether to migrate but how to execute the migration efficiently.

The Current State of Play

The post-quantum ecosystem has reached practical maturity. FIPS 203 (ML-KEM) is implemented in OpenSSL 3.x, BoringSSL, AWS-LC, and liboqs. Chrome, Firefox, and Edge support hybrid ML-KEM key exchange in production. Major cloud providers support hybrid TLS on their load balancers.

FIPS 204 (ML-DSA) is implemented in the same libraries. Code signing tools are adding ML-DSA support. CAs are beginning to issue ML-DSA certificates.

FIPS 205 (SLH-DSA) is implemented but less widely deployed due to larger signatures (17 KB). It is primarily used for root certificates, long-lived archival signatures, and defense-in-depth alongside ML-DSA.

Migration Priorities for 2026

Priority 1: Hybrid Key Exchange (If Not Already Done)

If you have not enabled hybrid key exchange, this is overdue. Every day without it is a day of harvest-now-decrypt-later exposure. Enable X25519+ML-KEM-768 on all web servers, API gateways, and load balancers. This is a configuration change in most environments.
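To confirm that an endpoint actually selected the hybrid group after the configuration change, the check below reads the key_share extension of a captured TLS 1.3 ServerHello handshake message (record header already stripped). It is an added example, not H33 code: the function names and the zero-filled sample message are constructed for illustration, and the group code points are taken from the IANA TLS Supported Groups registry.

```python
import struct

# TLS NamedGroup code points from the IANA "TLS Supported Groups" registry.
HYBRID = {0x11EC: "X25519MLKEM768", 0x11EB: "SecP256r1MLKEM768",
          0x11ED: "SecP384r1MLKEM1024"}
CLASSICAL = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1"}
KEY_SHARE = 0x0033
SERVER_SHARE_LEN = 1088 + 32  # X25519MLKEM768: ML-KEM-768 ciphertext + X25519 key

def selected_group(server_hello: bytes) -> tuple:
    """Return (group, share_len) from the key_share of a ServerHello message."""
    if len(server_hello) < 4 or server_hello[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = server_hello[4:4 + int.from_bytes(server_hello[1:4], "big")]
    try:
        pos = 2 + 32                 # legacy_version, random
        pos += 1 + body[pos]         # legacy_session_id_echo
        pos += 2 + 1                 # cipher_suite, legacy_compression_method
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == KEY_SHARE:
                if ext_len < 4:      # HelloRetryRequest carries only the group
                    raise ValueError("key_share without a key exchange")
                return struct.unpack_from("!HH", body, pos)
            pos += ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ServerHello") from None
    raise ValueError("no key_share extension")

def classify(server_hello: bytes) -> str:
    group, share_len = selected_group(server_hello)
    if group == 0x11EC and share_len != SERVER_SHARE_LEN:
        return "malformed:X25519MLKEM768"
    for label, table in (("hybrid", HYBRID), ("classical-only", CLASSICAL)):
        if group in table:
            return f"{label}:{table[group]}"
    return f"unknown:0x{group:04x}"

def build_sample(group: int, share_len: int) -> bytes:
    """Constructed ServerHello for the demo: zeroed random, session id, key share."""
    key_share = struct.pack("!HH", group, share_len) + bytes(share_len)
    exts = struct.pack("!HHH", 0x002B, 2, 0x0304)         # supported_versions: TLS 1.3
    exts += struct.pack("!HH", KEY_SHARE, len(key_share)) + key_share
    body = b"\x03\x03" + bytes(32) + b"\x20" + bytes(32)  # version, random, session id
    body += b"\x13\x01\x00" + struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

A `classical-only` result from an endpoint that is supposed to be hybrid means either the server preference was not applied or the client did not offer the hybrid group, so run the check with a client known to offer it.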

Priority 2: Post-Quantum Attestation for Sensitive Data

For data requiring long-term integrity verification (audit trails, financial records, healthcare data, legal documents), add post-quantum attestation. The H33-74 overlay provides three-family PQ attestation as a 74-byte proof, independent of TLS configuration.

Priority 3: Code Signing Migration

CNSA 2.0 requires PQ code signing for National Security Systems by 2025. Commercial organizations should follow suit. Implement dual signing with both classical and ML-DSA-65 signatures.

Priority 4: Certificate Infrastructure

Prepare certificate infrastructure for ML-DSA certificates. Update internal CAs. Coordinate with public CAs on their ML-DSA timeline. Deploy on internal services first.

Priority 5: HSM and KMS Migration

Contact HSM vendors about ML-KEM and ML-DSA support. Major vendors (Thales, Entrust, AWS CloudHSM) have PQ support in various deployment stages.

Priority 6: Application-Level Cryptography

JWT signing should migrate to ML-DSA, encryption key wrapping to ML-KEM, and database key management to PQ-safe transport. Each application needs individual assessment from the inventory.

The H33 Approach

The H33-74 attestation overlay provides immediate post-quantum protection through a single API call. Three independent PQ signature families ensure that security survives a breakthrough against any single algorithm. The overlay deploys in days and provides compliance documentation for auditors.

The overlay is a bridge: immediate protection while the broader migration proceeds. With it in place, migrate TLS, certificates, HSMs, and applications at a sustainable pace.

Common Mistakes to Avoid

Waiting for further ecosystem maturity. The ecosystem is mature enough for production deployment. Waiting adds risk without value.

Trying to migrate everything at once. Start with hybrid key exchange (days), add attestation overlay (weeks), then migrate certificates and applications (months).

Ignoring the attestation layer. TLS migration protects transit. Audit trails, compliance records, and signed documents also need PQ protection.

Deploying PQ-only without hybrid. Do not remove classical algorithms during transition. Hybrid provides defense in depth.

Not testing rollback procedures. Every migration step needs a tested rollback path.

Timeline Summary for 2026

This week: Enable hybrid key exchange on highest-priority TLS endpoints.

This month: Deploy PQ attestation overlay for most sensitive data flows.

Q3 2026: Complete hybrid across all external services. Begin code signing migration.

Q4 2026: Deploy ML-DSA certificates internally. Begin HSM migration planning.

H1 2027: Complete certificate migration. Deploy PQ application-level cryptography.

H2 2027: Complete HSM/KMS migration. Deprecate classical-only cipher suites.

This timeline is aggressive but achievable. The standards are final. The implementations are production-ready. The threat is active. The migration is not optional.

Start Your PQ Migration Now

H33 provides the overlay approach for immediate PQ protection. Three families. 74 bytes. Deploy this week.
