CISA's PQC Product Categories Move Quantum-Safe From Roadmap to Procurement
CISA published the Product Categories for Technologies That Use Post-Quantum Cryptography Standards on January 23, 2026. The list was directed by Executive Order 14306, signed June 6, 2025, which tasked DHS, through CISA, with identifying product categories where federal buyers should acquire only PQC-capable offerings. The list itself is advisory. The Federal Acquisition Regulation supplements, agency-level acquisition policy memos, and integrator RFP language that will be built on top of it are not.
The list places product categories into two tiers. The Widely Available tier covers categories where PQC-capable products already exist commercially and should be the default acquisition choice today. The Transitioning tier covers categories where PQC adoption is underway but not yet broad. Both tiers reference FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) as the standards a product must implement to qualify.
What the two tiers actually cover
The Widely Available tier names cloud service offerings (IaaS and PaaS), collaboration tools that handle chat and messaging, core web software including browsers and web servers, and endpoint security products that protect data stored on devices through full-disk encryption. CISA's framing for this tier is direct: federal buyers planning acquisitions in these categories should acquire only PQC-capable products.
The Transitioning tier covers a wider slice of the enterprise stack. Networking hardware and software, software-as-a-service platforms, telecommunications equipment, operating systems, storage systems, identity and access management tools, enterprise security software, and email and file-sharing collaboration platforms all sit in this tier. The signal is that vendors in these categories are expected to ship PQC-capable variants on a defined timeline, and that procurement teams should be writing RFP language that anticipates the transition rather than locking in legacy cryptographic dependencies for the next refresh cycle.
The combined effect is that the two lists describe most of the federal technology stack. There is no category in the list where a quantum-safe roadmap is acceptable as a permanent posture. Either the products exist and should be acquired, or the products are arriving and the acquisition language should reflect that.
How "PQC-capable" reads in an RFP response
The list does not certify products. It defines the category a product must compete in. A vendor that claims to be PQC-capable in the Widely Available tier needs to show a FIPS 203 or 204 implementation against the workload the federal buyer is acquiring, not against a marketing surface that happens to include a PQC library somewhere in the codebase. NIST IR 8547 and the underlying FIPS publications define what implementation means, and CISA's category framing pushes that definition into the procurement conversation.
The harder claims are at the data layer. A cloud service can implement TLS 1.3 with ML-KEM-768 key encapsulation and meet a transport-layer reading of PQC-capable. A claim that the data the cloud service stores is also protected with a quantum-safe algorithm is a different claim, with a different evidence requirement. The Office of the National Cyber Director's white paper on PQC migration recommends evaluating both transport and at-rest cryptography for long-confidentiality data. Procurement teams writing PQC language need to specify which layer they are buying.
Where data-centric architectures fit the procurement framing
Lattix Technologies binds policy to the data object through attribute-based access control at the policy enforcement point, post-quantum key encapsulation using ML-KEM-768 and ML-KEM-1024, and Merkle-tree lineage in content-addressed storage. The architecture aligns to two of the Widely Available categories at once. The cloud service layer carries quantum-safe transport. The endpoint and storage layers carry quantum-safe encapsulation on the object itself. The same architecture extends into the Transitioning categories that handle the actual content: file-sharing collaboration, storage systems, identity-bound access decisions.
This is the procurement angle that the existing post-quantum coverage misses. A vendor that can answer the cloud service category and the endpoint category from a single architecture, with FIPS 203 implementation on the object and on the wire, is a different proposal than a vendor that meets one tier with one product line and the other tier with another. The federal buyer reads both responses against the same CISA categorization. Integrator RFP language for FY27 will look the same.
Where this is heading
CISA stated that the list will be updated to reflect the evolving PQC landscape. The realistic expectation is that the Transitioning tier shrinks over the next twelve to eighteen months as more categories meet the Widely Available threshold, and that agency-level acquisition memos start referencing specific categories in solicitations. The September 21, 2026 sunset of FIPS 140-2 and the January 1, 2027 CNSA 2.0 deadline for new National Security System acquisitions both fall inside that window. The procurement language built on the CISA categorization will land before the algorithm migration is complete across the federal stack, which means the language will be the forcing function for the migration, not a reflection of one already finished.
Vendors with a roadmap response to the Widely Available tier are already behind. Vendors with a product response to both tiers are positioned for the FY27 solicitation cycle.
References
- CISA, Product Categories for Technologies That Use Post-Quantum Cryptography Standards, January 23, 2026. https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards
- CISA, CISA Releases Product Categories List to Propel Post-Quantum Cryptography Adoption Pursuant to President Trump's Executive Order 14306, January 23, 2026. https://www.cisa.gov/news-events/news/cisa-releases-product-categories-list-propel-post-quantum-cryptography-adoption-pursuant-president
- Executive Order 14306, Sustaining Select Efforts To Strengthen the Nation's Cybersecurity, June 6, 2025. https://www.federalregister.gov/documents/2025/06/11/2025-10804/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694
- NIST FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM).
- NIST FIPS 204, Module-Lattice-Based Digital Signature Standard (ML-DSA).
- NIST FIPS 205, Stateless Hash-Based Digital Signature Standard (SLH-DSA).
- NIST IR 8547, Transition to Post-Quantum Cryptography Standards.