In December 2025, NIST released its final white paper, Considerations for Achieving Crypto Agility (CSWP 39). Having participated in the NIST crypto-agility workshops that helped shape this publication, it’s clear to me that this document represents more than guidance. It marks a turning point in how organizations should approach and manage cryptography moving forward.
Crypto-agility is the only viable way forward given the new realities of approaching NIST PQC deadlines, shortening TLS lifespans, increasing AI agents, and ever-evolving compliance standards.
With the transition to post-quantum cryptography now underway, NIST’s message is clear: organizations need to be able to adapt cryptography without disrupting operations.
So what does this mean in practice for security teams, and what should organizations do next?
Crypto-Agility Has Become an Enterprise Risk Issue
NIST defines crypto-agility as the ability to replace and adapt cryptographic algorithms across protocols, applications, software, hardware, and infrastructure without disrupting operations or degrading security.
That definition matters because it reframes cryptography from a niche technical concern into a core business resilience and risk management challenge. As a cryptographer, it is encouraging to see this perspective clearly reflected by NIST.
During the discussions leading up to CSWP 39, a recurring theme emerged: most cryptographic transitions are not difficult just because the algorithms are complex, but because organizations lack visibility, coordination, and operational control.
Historically, cryptographic transitions have been slow, painful, and reactive. Algorithms were hard-coded, keys were scattered, and dependencies were poorly understood. Cryptographic updates were often treated as one-time corrective actions rather than as changes that would need to be revisited, which helps explain why transitions such as DES to AES or the long deprecation of SHA-1 took decades—and in many environments are still not fully complete.
Post-quantum cryptography changes the scale of the problem entirely. Unlike prior transitions, PQC requires replacing all public-key cryptography, not just a single algorithm. And as NIST emphasizes, this will not be the last transition organizations face.
PQC Is the Catalyst, Not the End State
It’s tempting to view crypto-agility solely through a post-quantum lens. The NIST paper intentionally pushes back on that framing.
Quantum-resistant algorithms introduce larger keys, ciphertexts, signatures, and certificates, along with new performance and interoperability considerations. If PQC is treated as a one-time migration, those constraints can become embedded in systems in ways that limit future adaptability.
One of the clearest messages from the NIST workshops and this final publication is that businesses have to be able to continuously update their cryptographic infrastructure.
Future-proofing cryptography means designing systems, processes, and governance models that anticipate the evolution of cryptographic algorithms and ensure seamless transitions without disrupting production systems or business workflows.
The Real Gap: Operationalizing Crypto-Agility
Rather than focusing solely on definitions, NIST CSWP 39 examines how crypto-agility plays out in real systems and organizations.
Section 5 of the paper outlines a crypto-agility strategic plan that spans governance, asset visibility, policy enforcement, risk management, and automated tooling. In practice, this is where many organizations struggle.
Common challenges discussed throughout the workshops and reflected in the paper include:
- Limited visibility into where cryptography is actually used
- Hard-coded or embedded algorithms that are difficult to change
- Manual, high-risk migration processes
- Fragmented ownership across security, infrastructure, and development teams
NIST also introduces a crypto-agility maturity model, ranging from ad hoc, reactive practices to adaptive programs fully integrated with enterprise risk management.
Reaching higher levels of maturity requires more than policy documents or architectural diagrams. It requires continuous visibility, policy-driven control, and automation across the cryptographic lifecycle.
From Guidance to Action
NIST has now clearly articulated what crypto-agility is and why it matters. The challenge for organizations is turning that guidance into something operational, measurable, and sustainable.
That starts with asking difficult but necessary questions:
- Do we know where cryptography exists across our environment today?
- Can we enforce cryptographic policy consistently across systems and teams?
- How quickly could we adapt if an algorithm were deprecated tomorrow?
- Are we building crypto-agility as a capability or treating every transition as a crisis?
Crypto-agility is more than surviving the next migration. It’s about building confidence that when cryptography changes (and it will), your organization is ready.
Editor’s note: In upcoming posts, we’ll take a deeper look at NIST’s crypto-agility maturity model and explore what it takes to move from guidance to real-world execution.To build a strong foundation, start with the Crypto-Agility 101 guide below, which introduces a few best practices for building a scalable, future-ready crypto-agility strategy.
Crypto-Agility 101
What does NIST mean by crypto-agility?
The ability to change cryptographic algorithms without breaking systems or disrupting the business.
What’s the starting point?
Visibility. NIST is clear that crypto-agility depends on integrated, automated discovery of cryptography across code, software, hardware, firmware, protocols, and services.
Why isn’t this easy today?
Most organizations rely on incomplete, manual inventories – or don’t have an inventory at all. Cryptography is scattered, embedded, and owned by different teams.
Where does automation fit in?
According to NIST’s maturity model, organizations don’t reach Tier 3 (Repeatable) crypto-agility until they use automated cryptographic discovery and remediation tools to continuously manage risk.
What is NIST’s crypto-agility maturity model?
It’s a way to gauge readiness over time. Early stages rely on manual, inconsistent efforts. More mature organizations standardize cryptographic policies and processes. The most mature treat crypto-agility as a core risk management capability, with continuous visibility and ongoing improvement. The dividing line is automation – without it, crypto-agility remains reactive and hard to scale.
How do I know which stage I’m in?
Ask a simple question: If a cryptographic algorithm were deprecated tomorrow, would we know where it’s used – and could we act without scrambling? If the answer depends on spreadsheets, manual searches, or a few people who “just know,” you’re likely in an early stage. If discovery and response are automated and policy-driven, you’re further along.
Is this just about post-quantum cryptography?
No. PQC is the catalyst, but NIST’s guidance makes it clear that cryptography will keep changing. Crypto-agility is about being ready every time it does.
