Post-quantum migration roadmap: ML-KEM, ML-DSA and FIPS 203/204/205
In August 2024, NIST finalised the first post-quantum cryptography standards. The “when do we migrate” debate is over; the question is now “in what order, and how do we prove it.” This guide maps the standards to what they replace, and lays out a risk-driven, wave-based migration plan.
The three standards, and what they replace
| Standard | Algorithm | Purpose | Replaces |
|---|---|---|---|
| FIPS 203 | ML-KEM (Kyber) | Key encapsulation / key exchange | RSA-OAEP, ECDH |
| FIPS 204 | ML-DSA (Dilithium) | Digital signatures | RSA, ECDSA |
| FIPS 205 | SLH-DSA (SPHINCS+) | Stateless hash-based signatures | RSA/ECDSA where a conservative, hash-based option is preferred |
ML-KEM and ML-DSA are the workhorses; SLH-DSA is the conservative fallback for long-lived signatures where you want assurance not based on lattices.
Why “rip and replace” fails
You cannot migrate what you cannot see, and you cannot migrate everything at once. Cryptography is embedded in code, libraries, certificates, hardware and protocols with tangled dependencies. A credible roadmap is risk-ordered, not alphabetical. That ordering needs three inputs you can only get from an inventory:
- Exposure — is the asset quantum-vulnerable, and how reachable is it?
- Data sensitivity & lifetime — the harvest-now-decrypt-later window (see our HNDL guide).
- Migration complexity — library support, protocol negotiation, hardware constraints.
A wave-based plan
| Wave | Window | Targets |
|---|---|---|
| Wave 1 | 0–6 months | Quick wins & regulator-visible: broken hashes (MD5/SHA-1), expired or RSA-1024 certs. |
| Wave 2 | 6–18 months | High-risk, medium-complexity: RSA / ECDSA signatures and key exchange in core services. |
| Wave 3 | 18–36 months | Complex, dependency-heavy systems; protocol upgrades; hybrid PQC where supported. |
| Wave 4 | 36+ months | Deeply embedded systems, long hardware lifecycles. |
Hybrid (classical + PQC) deployments are a pragmatic interim step where standards support and interoperability are still maturing.
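The wave assignment above, sketched as an added example (not code from this guide or from any product it mentions). The `Asset` record, its `complexity` scale and `data_years` field are assumptions made for illustration, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

KEM_ALGS = {"RSA-OAEP", "ECDH"}    # standards table: replaced by ML-KEM
SIG_ALGS = {"RSA", "ECDSA"}        # standards table: replaced by ML-DSA (or SLH-DSA)
BROKEN_HASHES = {"MD5", "SHA-1"}   # wave table: Wave 1 quick wins

@dataclass
class Asset:                        # hypothetical inventory record
    name: str
    algorithm: str
    key_bits: int = 0
    cert_expiry: Optional[date] = None
    complexity: str = "medium"      # assumed scale: medium | high | embedded
    data_years: int = 0             # assumed: how long the data must stay secret
    long_lived_sig: bool = False

def replacement(a):
    """Map an asset to the standard the standards table pairs it with."""
    if a.algorithm in KEM_ALGS:
        return "ML-KEM (FIPS 203)"
    if a.algorithm in SIG_ALGS:
        return "SLH-DSA (FIPS 205)" if a.long_lived_sig else "ML-DSA (FIPS 204)"
    return None

def wave(a, today):
    """Return the wave number, or None if the asset is out of scope."""
    expired = a.cert_expiry is not None and a.cert_expiry < today
    weak_rsa = a.algorithm.startswith("RSA") and 0 < a.key_bits <= 1024
    if a.algorithm in BROKEN_HASHES or expired or weak_rsa:
        return 1
    if replacement(a) is None:
        return None
    return {"medium": 2, "high": 3, "embedded": 4}[a.complexity]

def roadmap(inventory, today):
    """Order in-scope assets by wave, longest data lifetime first within a wave."""
    rows = [(wave(a, today), -a.data_years, a.name, replacement(a)) for a in inventory]
    rows = sorted((r for r in rows if r[0] is not None), key=lambda r: r[:3])
    return [(w, name, repl) for w, _, name, repl in rows]

INVENTORY = [  # constructed sample data
    Asset("meter-firmware-sig", "RSA", 2048, complexity="embedded"),
    Asset("payments-tls-kex", "ECDH", 256, data_years=10),
    Asset("fw-update-hash", "MD5"),
    Asset("code-signing-root", "ECDSA", 256, complexity="high", long_lived_sig=True),
    Asset("legacy-api-cert", "RSA", 1024),
    Asset("intranet-cert", "ECDSA", 256, cert_expiry=date(2024, 1, 1)),
    Asset("session-auth-sig", "ECDSA", 256),
    Asset("disk-encryption", "AES-256"),
]
```

Calling `roadmap(INVENTORY, date(2025, 1, 1))` returns the in-scope assets in migration order; the AES-256 entry is dropped because the standards table lists no replacement for it.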
Crypto-agility is the real goal
The deeper objective is not a one-off swap to ML-KEM/ML-DSA — it is crypto-agility: the ability to change algorithms again, cheaply, when the next transition comes. An inventory plus a repeatable assessment is what makes that possible, and it is exactly what regulators (DORA, NIS2, the CRA) now expect you to evidence.
Get a risk-scored migration roadmap
CRYPTAGION produces a wave-based PQC roadmap from your real inventory — mapped to FIPS 203/204/205 — in a focused 2–4 week assessment.