QSL
Compliance

Aligning with Emerging Global Standards

Quantum security is not just a technical challenge — it is a regulatory one. Organizations need to meet the compliance requirements that are already taking shape.

NIST Post-Quantum Cryptography Readiness

NIST's PQC Standardization

A quantum-resilient architecture should implement the algorithms selected through NIST's rigorous multi-year evaluation process, ensuring alignment with the definitive global standard for post-quantum cryptography:

  • ML-KEM / FIPS 203 — the key encapsulation mechanism built on the CRYSTALS-Kyber algorithm family. Supports all security levels (ML-KEM-512, ML-KEM-768, ML-KEM-1024).
  • ML-DSA / FIPS 204 — the digital signature scheme built on CRYSTALS-Dilithium. Used for authentication, integrity verification, and code signing.
  • SLH-DSA / FIPS 205 — the hash-based signature scheme built on SPHINCS+, providing security under different mathematical assumptions as a diversified backup.

NSA CNSA 2.0 Timeline

The NSA's Commercial National Security Algorithm Suite 2.0 establishes mandatory quantum-resistant migration timelines for national security systems:

  • 2025 — software and firmware signing must use quantum-resistant algorithms.
  • 2027 — web servers, cloud services, and networking equipment must support PQC.
  • 2030 — all national security systems must be fully transitioned. A crypto-agility framework supports incremental migration toward this deadline.

Crypto-Agility Framework

Swap Algorithms Without Rebuilding

Crypto-agility is the ability to replace cryptographic algorithms and parameters without modifying application code or disrupting operations. This should be a core architectural property of any quantum-ready system:

  • Algorithm abstraction layer — applications interact with cryptographic services through a stable API. The underlying algorithms are configured via policy, not code.
  • Hot-swappable primitives — when a new algorithm is approved (or an existing one deprecated), the change is applied through the policy engine with zero application changes.
  • Version-tagged ciphertext — all encrypted data carries metadata identifying the algorithm and parameters used, enabling automatic re-encryption during migration.
  • Graceful deprecation — deprecated algorithms remain available for decryption of historical data while blocked for new encryption operations.

Why Crypto-Agility Matters for Compliance

Regulatory bodies are increasingly mandating crypto-agility as a requirement, not just a recommendation:

  • NIST SP 800-131A requires the ability to transition away from deprecated algorithms on defined timelines.
  • The EU Cybersecurity Act and European Cybersecurity Certification Scheme are moving toward crypto-agility requirements.
  • Financial regulators (PCI DSS, SOX) are expected to incorporate PQC readiness into audit frameworks.

Audit-Ready Logging

Every Cryptographic Operation Must Be Recorded

A compliant architecture maintains comprehensive, tamper-evident logs of all cryptographic operations, providing the audit trail that compliance regimes demand:

  • Key lifecycle events — generation, distribution, rotation, usage, and destruction of every key are logged with timestamps, actors, and justification.
  • Algorithm usage tracking — every encryption and decryption operation logs the algorithm, key identifier, and security level used.
  • Policy enforcement logs — every policy decision (approve, deny, warn) is recorded, including the rule that triggered it and the context of the request.
  • Tamper-evident storage — audit logs are stored with cryptographic integrity protection (hash chains), making unauthorized modification detectable.
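The graceful-deprecation rule from the crypto-agility section and the hash-chained, policy-aware audit log described above, as an added Python example (not QSL's own code). The policy table, field names and events are constructed assumptions; the chain uses SHA-256 over canonical JSON, so any edit to a stored entry, or to its link to the previous entry, is detected on verification.

```python
import hashlib
import json

# Constructed policy table (an assumption for this example): a "deprecated"
# algorithm may still decrypt historical data but is blocked for new encryption.
POLICY = {
    "ML-KEM-768": "approved",
    "RSA-2048": "deprecated",
    "RSA-1024": "disallowed",
}

def policy_decision(algorithm, operation):
    """Graceful deprecation: approve or deny an operation under POLICY."""
    status = POLICY.get(algorithm, "disallowed")
    if status == "approved" or (status == "deprecated" and operation == "decrypt"):
        return "approve"
    return "deny"

def _digest(body):
    # Canonical JSON so the same fields always hash to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; every entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, operation, algorithm, key_id, actor, ts):
        """Apply policy, log the decision with its context, return the decision."""
        decision = policy_decision(algorithm, operation)
        entry = {
            "ts": ts, "actor": actor, "operation": operation,
            "algorithm": algorithm, "key_id": key_id, "decision": decision,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return decision

    def verify(self):
        """Index of the first entry whose link or hash is broken, or -1 if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1
```

Rewriting an entry and recomputing its own hash does not help an attacker either: the next entry's `prev` field still names the original hash, so `verify()` reports the break one position later.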

Compliance Report Generation

Audit logs should feed directly into compliance reporting, reducing the manual effort required for security assessments:

  • Automated compliance dashboards showing PQC migration status across the infrastructure.
  • Exportable audit reports formatted for common compliance frameworks (SOC 2, ISO 27001, NIST CSF).
  • Real-time alerting when cryptographic operations fall outside of policy parameters.

Compliance Must Be Architectural

Quantum compliance cannot be bolted on after the fact. It needs to be embedded in the architecture from the ground up.