NIST is driving a major shift to post-quantum cryptography, setting clear deadlines to phase out RSA 2048 and ECC 256, deprecated by 2030 and banned by 2035. The urgency comes from the risk that quantum computers could soon break current encryption standards. Organizations need to start reviewing systems and adopting quantum-resistant algorithms now. Collaborative efforts, such as shortening certificate lifespans and using cloud-based tools, will help public and private systems transition smoothly.
The National Institute of Standards and Technology has announced clear deadlines to move away from common cryptographic algorithms like RSA 2048 and ECC 256. Their new guidance says these will be phased out by 2030 and banned after 2035. This move highlights the need to get ready for the post-quantum era. Quantum computing is no longer a far-off issue; it’s something organizations need to address now.
Why This Matters: The Quantum Threat
Quantum computing could bring big, big advances in science, AI, and healthcare, but it also threatens current encryption methods. RSA and ECC, which protect most online communication and data, are especially at risk from quantum attacks. If quantum computers become powerful enough, they could break these algorithms, putting sensitive data at risk.
NIST’s choice to set a firm deadline for ending RSA 2048 and ECC 256 is not just about preparing for a future quantum threat. It’s also about addressing existing risks, such as harvest-and-decrypt attacks. In these cases, attackers gather encrypted data now, hoping to decrypt it later with quantum technology. This makes switching to quantum-resistant cryptography urgent for protecting data privacy over the long term.
The Timeline Is Set for 2030 and Beyond
NIH’s draft guidance outlines a clear roadmap:
- By 2030, RSA-2048 and ECC-256 will be officially deprecated. Organizations must have transitioned to post-quantum cryptography.
- By 2035, these algorithms will be completely disallowed, leaving no room for legacy cryptography in secure communications.
This timeline provides a crucial one for businesses, governments, and organizations: waiting until the last minute is not an option. By 2029, many organizations, especially those using Microsoft Active Directory Certificate Services, may face significant challenges without clear migration plans in place. Microsoft has already signaled that ADCS lacks a pathway to post-quantum solutions, adding urgency to the situation.
Preparing for the Transition
Moving to post-quantum cryptography is more than just changing algorithms. It’s a major shift in approach. Organizations need to look at both their public and private cryptographic needs to be ready for the quantum era.
Public Trust and the Industry-Wide Push
For public systems, the industry is working together. Companies such as Sectigo leverage their experience in certificate lifecycle management (CLM) to help organizations adopt PQC solutions. Browsers like Google and Apple are leading efforts to shorten certificate lifespans, which encourages automation and helps organizations prepare for PQC. If your organization already uses strong CLM practices, you’re well prepared to switch to post-quantum certificates.
Private Systems: Unique Challenges and Opportunities
Private systems face more complicated challenges. Each organization will need solutions that fit its specific needs. Since Microsoft isn’t offering a full quantum-ready path for on-premises ADCS, it’s important to consider other options, such as Sectigo’s modern cloud-based private certificate authority (CA).
Additionally, private systems will face unique challenges, such as adapting to larger signature sizes and new key management practices. These changes offer an opportunity for innovation, allowing businesses to rethink how they secure critical systems, including authentication, VPNs, DevOps environments, and IoT devices.
What You Can Do Now
- Understand the deadlines: plan for the deprecation of RSA 2048 and ECC 256 by 2030. For practical purposes, Gartner advises treating 2029 as the operational deadline.
- Audit your cryptographic systems: identify systems that rely on vulnerable algorithms and assess their readiness for post-quantum migration.
- Engage security partners: work with vendors who have expertise in post-quantum cryptography to develop a clear transition strategy.
- Stay informed: keep up with NIST’s evolving guidance and industry developments. The sooner you act, the smoother your transition will be.
The Bottom Line
NIST’s announcement marks a major shift in cryptography by setting a firm deadline to phase out RSA-2048 and ECC-256. They are making organizations face the quantum threat directly, even though the deadline is a few years away. The transition to post-quantum cryptography is complex, so starting early is important.
Act now. Engage security partners, review your systems, and develop a transition plan for post-quantum cryptography. Starting today ensures a smoother, safer transition and keeps your organization ahead of the quantum threat.
Source: The clock is ticking: NIST’s bold move towards Post-Quantum Cryptography
