Skip to main content
Home
Main navigation
  • CAPABILITIES
  • SOLUTIONS
    • ArgusGA
    • AthenaGA
    • ComplySyncATO
    • ComplySyncATO (ServiceNow)
    • HephaestusGA
    • PhoenixGA
  • CUSTOMERS
  • CONTRACT VEHICLES
  • ONPOINT
Responsive Hamburger Menu
  • CAPABILITIES
  • SOLUTIONS
    • ArgusGA
    • AthenaGA
    • ComplySyncATO
    • ComplySyncATO (ServiceNow)
    • HephaestusGA
    • PhoenixGA
  • CUSTOMERS
  • CONTRACT VEHICLES
  • ONPOINT
  • GREEN ACCELERATOR
  • PARTNERS
  • CAREERS
  • ABOUT US
primary menu
GREEN ACCELERATOR
PARTNERS
CAREERS
ABOUT US
BACK

EUGENE GOLDLUST

EUGENE GOLDLUST
Sr.Account Executive
Type:
OnPoint Xchange
Tags:
  • ComplySyncAI
Sectors:
Defense, Civilian, Healthcare
Capabilities:
Cyber Security

PQC Governance, Risk and Continuous Authorization

Vinay and Eugene

As part of our Post-Quantum Cryptography (PQC) thought leadership series, we continue the conversation with Vijay Narasimhan, CTO of ASSYST, to explore how PQC is moving from future planning into present-day authorization. Over the next several weeks, we will cover broad areas, including Agile Infrastructure & Platforms, Quantum-Safe Compute and the Software Supply Chain, Quantum Resilient Identity, Access & Trust, Post-Quantum Data Protection and Cryptographic Resilience, and PQC Governance, Risk & Continuous Authorization. 

With new legislation like the GENIUS Act shaping external crypto oversight and CISA and NIST defining quantum-safe standards, agencies now face a dual mandate: govern digital assets with confidence while modernizing their own cryptographic foundations. In this segment, we examine how PQC is becoming an enforceable control within the Risk Management Framework (RMF), turning quantum-safe encryption into a pass/fail requirement for every Authority to Operate (ATO) and every cybersecurity role across the federal enterprise.

Eugene: Vijay, in our last conversation, we discussed crypto governance from regulatory and market trust perspectives. Let’s bring this inside the federal enterprise. With CISA’s new Post-Quantum Cryptography product guidance and NIST finalizing standards, how does PQC actually show up in day-to-day RMF and ATO decisions?

Vijay Narasimhan: This is where things become very real. PQC stops being an abstract “future risk” and becomes an authorization requirement. RMF is the machinery agencies already trust; it’s how they categorize systems, select controls, assess risk, and grant Authority to Operate. What PQC does is insert a new, non-negotiable cryptographic checkpoint into that machinery.

In simple terms: if your system uses encryption, identity, digital signatures, VPNs, or key management, then the CISO will soon have to ask, “Is this quantum-safe, or at least on a defined migration path?” If the answer is no, that becomes an ATO risk finding, just like missing MFA or logging.

PQC 1

Eugene: So PQC becomes a pass/fail gate, not just a roadmap slide?

Vijay:  Exactly. Think of it like TLS in the early 2000s. At first, it was “nice to have.” Then it became “recommended.” Eventually, it became “no TLS, no production.” PQC will follow the same arc, but faster, because the threat model is already known: harvest-now, decrypt-later.

CISA’s product category guidance is important because it first specifies its scope: cloud services, network security, identity systems, HSMs, PKI, and secure communications. These are the same components that RMF already treats as foundational controls. Now they also have to be crypto-agile and PQC-ready.

Eugene: Walk us through how this lands in the RMF lifecycle.

Vijay: During Prepare and Categorize, we are still operating squarely within the Risk Management Framework that agencies have used for decades, not a newly coined construct. RMF already requires agencies to identify mission systems, data sensitivity, and threat exposure. What changes with PQC is the lens: agencies must now classify which systems rely on quantum-vulnerable cryptography and which protect long-lived data, financial records, health data, and mission telemetry that must remain confidential for decades. These become the first candidates for PQC prioritization and migration planning.

During Select and Implement, instead of simply stating “use approved encryption,” the control language will evolve to say “use NIST-approved post-quantum or hybrid algorithms, or document an approved transition plan.” Procurement will reference CISA’s PQC-ready product categories the same way it references FedRAMP today.

During Assess, auditors won’t just test whether encryption exists. They’ll test what algorithms, what key sizes, what libraries, what hardware roots of trust, and whether the cryptographic bill of materials includes quantum-vulnerable components.

During Authorize, the Authorizing Official will be making a risk decision that explicitly includes quantum exposure. A system may be fully compliant with today’s controls, yet still receive conditions or a limited ATO if it cannot demonstrate crypto-agility.

PQC - 2

Eugene:  That’s a big shift in mindset for ISSOs and program managers.

Vijay:  It is. That’s why we say PQC is not a science project; it’s a governance transformation. ISSOs become cryptographic assurance officers. Program managers have to plan PQC transitions as funded milestones. Enterprise architects must design for algorithm swap-ability the same way they design for cloud portability.

This is where platforms like ComplySyncATO and Athena Agentic AI come into play. Standards-ready compliance automation means that when NIST or CISA updates cryptographic requirements, those controls can be ingested, mapped to RMF, and continuously evaluated, rather than waiting for the next three-year ATO cycle.

Eugene: How does this play out in continuous authorization and monitoring?

Vijay: Some agencies have already matured enough to implement Continuous Authorization for select systems, particularly High-Value Assets (HVAs). Many others are actively striving toward this model. This is where the final Monitor step becomes critical. PQC readiness must be baked into continuous assessment reporting, tracking algorithm usage, certificate lifecycles, crypto modules, and migration progress as living risk indicators. In this future state, systems are not only Zero Trust by design, but quantum-aware by design, with cryptographic posture continuously measured and attested.

PQC - 3

Eugene:  And where should agencies start from a technology standpoint?

Vijay: As CISA highlighted this week, the transition to PQC can begin with widely adopted layers such as Cloud Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS), where encryption, identity, and key management are centralized. At the same time, agencies still operating on-premises datacenters should view cloud migration and PQC transition as converging imperatives. There is no time to waste; quantum readiness must now be evaluated across on-prem, hybrid, and cloud environments at every RMF step.

Eugene: So the message for agencies is: PQC is not a parallel effort, it’s an RMF evolution.

Vijay:  Exactly. You don’t “do PQC” separately. You embed it into how you authorize, operate, and modernize systems. RMF is the process. PQC is now part of the required math inside that process. And the strategic point is this: If the GENIUS Act tells us cryptography is now a matter of national economic trust, then PQC + RMF tells us cryptography is also a matter of operational mission trust. Every ATO, every cloud migration, every Zero Trust rollout, every identity system refresh must now be quantum-aware by design.

Eugene: What’s the forward look for this series?

Vijay: The next frontier is people. Technology and policy can move only as fast as the workforce that operates them. We’ll explore how agencies must upskill ISSOs, architects, program managers, and auditors to become crypto-agile, ready to validate PQC, govern cryptographic risk, and sustain quantum-safe operations. Workforce readiness will be the final pillar of true cryptographic resilience.

Related Files:

Related Content

Crypto Oversight and Cryptographic Resilience, exploring impact for Government Cyber Programs
CRAaaS - Cyber Risk Advisory, Monitoring, and Expert Guidance to Strengthen Security Posture
ASSYST ComplySyncATO Selected for GSA FedRAMP® 20x Phase 2 Pilot
Back
  • Facebook
  • Linkedin
  • Twitter

CORPORATE

22866 Shaw Road
Sterling, VA 20166
Phone: 703-230-3100
Fax: 703-230-3100
e-mail: info@assyst.net

OTHER OFFICES

7000 Security Boulevard, Suite 120
Baltimore MD 21244
Phone: 443-200-5387

FOLLOW US

facebook linkedin twitter

TALK TO US

Image CAPTCHA
Get new captcha!
Enter the characters shown in the image.
Clicky
Footer menu
  • Terms of Use
  • Accessibility
  • Privacy Statement
CMMC 2.0 CMMI Level 3 ISO 9001 ISO 20000 ISO 27001 © All Rights Reserved.