The Industry Is Moving. But Not Together.

In the last two years, post-quantum cryptography (PQC) has moved from a future concern to an immediate priority for governments and enterprises across the globe. The National Institute of Standards and Technology (NIST) finalized its first PQC standards in 2024. The U.S. National Security Agency (NSA) CNSA 2.0 advisory is shaping acquisition requirements for National Security Systems. The European Union (EU) has published a PQC transition roadmap. Hyperscalers are embedding PQC requirements into RFPs. Regulators on multiple continents are signaling that quantum readiness is becoming an expectation, not an option.

Unfortunately, quantum computing advances have outpaced regulators and compliance regimes. In the absence of certification programs and globally aligned standards, we see a proliferation of quantum-safe claims with little to no industry-wide coordination: some vendors focus on data in transit or quantum key distribution, others highlight platform integrity and authentication, and some make broad claims without reference to specific risks or requirements. The result is a fragmented landscape where organizations struggle to understand where they stand relative to the threat, their peers, or their vendors.

What’s missing isn’t urgency. It’s clarity.

Standards provide the foundation to build secure, scalable, and interoperable technology. However, these algorithms, protocols, and benchmarks do not, on their own, provide a shared language for measuring progress. The broader industry still lacks a common way to describe the level of quantum Cisco Confidential resilience a product or system provides – one that maps to those industry standards, can be applied consistently across vendors and architectures, and gives customers and regulators something concrete to evaluate against.

No single company can solve that alone. But Cisco has spent years working through exactly this question: engaging with standards bodies, mapping our own portfolio against the threat, and developing a structured way to think about what quantum resilience requires at each layer.

Cisco’s Quantum Resilience Framework

Cisco has developed a framework to articulate multiple levels of quantum resilience – each representing distinct capabilities designed to respond to new and emerging threats to confidential communication and product integrity.

We are sharing Cisco’s framework to support our customers and the broader industry as we grapple with multiple stages of maturity: some capabilities are available today, others are emerging, and others represent the direction customers should be planning toward as standards, certifications, and product implementations continue to evolve. Organizations need to understand the end goal while also committing to making progress today based on what is available. Each incremental level of resilience matters:

• Level 1 provides partial defense against harvest-now-decrypt-later (HNDL) attacks, giving organizations a foundation to begin reducing threat exposure today.
• Level 2 makes it materially harder for adversaries to harvest useful data or compromise product integrity for the coming years.
• Level 3 defines the longer-term horizon for identity, authentication, and lifecycle trust.

Our framework is grounded in globally recognized cryptographic standards, including NIST’s post- quantum algorithms, CNSA 2.0 and EU standards where applicable. These standards provide some of the clearest high-assurance benchmarks available today.

Level 1 – Partial

• Third-party key management support, including support for Quantum Key Distribution (QKD), enables crypto agility without requiring full protocol-layer PQC.
• Secure boot, using established hash-based signing algorithms such as LDWM.

Level 1 is a starting point and not an end state. It gives organizations a foundation as they progress toward more complete levels of quantum resilience.

Level 2 – Core

• Confidentiality protection across relevant protocols, including TLS, DTLS, IKEv2/IPsec, MLS, SSH, and others, with support for pure PQC or hybrid approaches where applicable based on customer risk priorities and evolving standards.
• Full PQC chain of trust, from hardware root of trust to running applications, including next-generation secure boot, using NIST-approved algorithms such as ML-DSA and LMS, plus software and firmware integrity verification aligned to CNSA 2.0.

Level 2 addresses both data-in-transit risk and the integrity of the platforms enforcing protection, while giving customers flexibility to adopt PQC in ways that reflect their security, interoperability, and compliance needs.

Level 3 – Extended

• Confidentiality coverage across relevant protocols, plus quantum-resistant authentication and identity verification for devices, users, and systems.
• PQC-signed Secure Unique Device Identifiers and Attestation Identity Key certificates, enabling devices to cryptographically prove their identity and demonstrate that they have not been tampered with across their lifecycle.

Level 3 extends quantum resilience into identity and attestation. This is especially critical for infrastructure with long deployment cycles, where trust established at manufacturing time must remain reliable years into the future.

Together, these levels give customers a practical way to evaluate quantum resilience. You can move beyond asking if a device is quantum safe and instead ask more precise questions about which risks it addresses, which layers it protects, and how it advances the specific level of resilience your organization requires.

From Framework to Portfolio Execution

A framework only matters if it can be operationalized. Today, we are introducing our Quantum-Safe Communications Roadmap, marking the shift from a conceptual framework to portfolio execution.

Cisco’s advantage is that we are building quantum resilience broadly across our portfolio: the network and layers of infrastructure that customers use every day. That includes Quantum-safe communications across protocols and network planes, Quantum-safe products with stronger boot integrity, software and firmware validation, and hardware-rooted trust – and the broader capabilities that help organizations understand, deploy, and manage their quantum transition.

Cisco Live 2026, Jeetu Patel announced:

• New Quantum-safe communications advancements across Cisco’s core portfolio: With a commitment to enable quantum-safe communications capabilities across the majority of Cisco’s core portfolio by December 2026, Cisco is extending post-quantum protection to the systems where the most sensitive enterprise traffic flows. We are also publishing our roadmap for quantum-safe communications on Cisco.com.
• Quantum-safe by default for new infrastructure. Starting today, all newly introduced campus, branch and data center routers, switches, and firewall series launch with quantum-safe secure boot.

The point is not simply that individual products are adding PQC capabilities. The bigger story is that Cisco is helping customers move toward quantum resilient infrastructure as a system, one that Cisco Confidential protects communications, strengthens product integrity, and supports the trust foundations that digital operations depend on.

The Call to Action

No company, government, or organization can solve this problem alone. We must collaborate – and that starts by defining a common set of goals and standards to align efforts and drive progress. By working together, we can realize the potential of quantum computing without sacrificing the cryptographic protections that provide the foundation for a secure and resilient future.

To learn more about Cisco’s PQC approach and track our progress, visit the Cisco Trust Center.

 

Note: Some products and features described are in development and offered on a when-and-if-available basis. Cisco reserves the right to change delivery timelines and will have no liability for any delays or failures to deliver. The views and standards described above are current as of the date of posting and may change over time.