Domain-Specific Solution · S6

Post-Quantum Cryptography Advisory

Preparing enterprises and governments for the quantum threat — cryptographic inventory, CBOM analysis, PQC readiness assessment, crypto agility design and migration roadmaps aligned to NIST FIPS 203/204/205.

NIST PQC: FIPS 203 · 204 · 205
CBOM: Cryptographic BOM
HNDL: Harvest-Now-Decrypt-Later
Crypto Agility: Architecture Design
NSA CNSA 2.0: ETSI QSC Aligned
Standards: NIST FIPS 203 ML-KEM · FIPS 204 ML-DSA · FIPS 205 SLH-DSA
Threat: Harvest-Now-Decrypt-Later · Long-Lived Sensitive Data at Risk Today
Analysis: CBOM · Cryptographic Bill of Materials · Dependency Mapping
Migration: PQC Readiness Assessment · Crypto Agility Architecture Design
Aligned: NSA CNSA 2.0 · ETSI QSC · ISO/IEC 18033 · OWASP CBOM CycloneDX
Coverage: TLS Migration · PKI PQC Readiness · HSM Cryptographic Review
Delivery: Board Briefings · Executive Reporting · Phased Migration Roadmaps

The quantum clock is running. Most organisations are not ready.

NIST finalised the first post-quantum cryptography standards in 2024 — ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205). Cryptographically Relevant Quantum Computers (CRQCs) capable of breaking current public-key cryptography may arrive within a decade. Harvest-now-decrypt-later attacks — where adversaries collect encrypted data today to decrypt once quantum capability arrives — are already documented and actively occurring against long-lived sensitive data targets.

Nucleus Systems provides the advisory capability organisations need to understand their cryptographic exposure, prioritise migration effort, build a credible PQC roadmap and implement crypto agility architectures that can adapt as the quantum threat landscape evolves. We work across enterprise, government and financial services sectors, with particular focus on organisations that manage long-lived sensitive data, critical national infrastructure, or classified and sensitive government systems.

Our approach begins with a rigorous cryptographic inventory and CBOM analysis — understanding what cryptography you actually use, where, and what depends on it — before designing migration pathways that are realistic given your architecture, risk tolerance and regulatory timeline.

NIST PQC Standards
ML-KEM · ML-DSA · SLH-DSA — algorithm selection & hybrid transition
We work with the finalised NIST PQC standards and advise on algorithm selection and hybrid transition strategies appropriate to your use case and risk profile — including where and when to deploy hybrid classical/PQC schemes during the transition period.
Cryptographic Bill of Materials
CBOM analysis — the foundation before any migration can begin
CBOM analysis provides a complete inventory of every cryptographic asset in your environment — libraries, protocols, key lengths, certificate lifetimes, dependencies — that is required before any PQC migration planning can begin. You cannot migrate what you have not inventoried.
Harvest-Now-Decrypt-Later
The threat is present — not theoretical, not future
Organisations that transmit or store sensitive data with long classification lifetimes are already at risk from adversary collection operations. We help you identify and prioritise the data and systems most exposed to HNDL collection today — before quantum decryption capability exists.

What's Included

From CBOM analysis and PQC readiness assessment through to crypto agility architecture design and migration roadmap delivery.

PQC Readiness Assessment

Structured assessment of organisational and technical readiness for post-quantum migration — covering cryptographic asset inventory, dependency mapping, algorithm risk classification, and prioritised remediation roadmap aligned to NIST PQC standards and NSA CNSA 2.0 timelines.

Cryptographic Bill of Materials (CBOM) Analysis

Comprehensive cryptographic inventory across your environment — identifying every cryptographic library, protocol, algorithm, key length and certificate in use, mapping dependencies, and producing a structured CBOM that forms the foundation for PQC migration planning and ongoing crypto governance.

Harvest-Now-Decrypt-Later Threat Assessment

Identification and risk classification of data and communication channels exposed to HNDL collection — assessing data classification lifetimes, transit encryption, long-lived key material and the specific adversary profiles most likely to be running collection operations against your organisation today.

Crypto Agility Architecture Design

Architecture design for cryptographic agility — the ability to swap cryptographic algorithms, key sizes and protocols without systemic rearchitecture. Crypto agility is the strategic requirement that underlies all PQC migration: organisations that lack it face much higher migration costs when standards and threats evolve.

NIST PQC Standards Migration Roadmap

Structured migration roadmap from current public-key cryptography to NIST PQC standards — covering algorithm selection (ML-KEM, ML-DSA, SLH-DSA), hybrid classical/PQC transition strategies, dependency sequencing, library and vendor readiness, and phased implementation timeline with measurable milestones.

TLS & PKI Infrastructure PQC Readiness Review

Assessment of TLS configuration, PKI architecture, certificate lifecycle management and CA trust chains for PQC readiness — covering current algorithm usage, hybrid TLS readiness, certificate issuance pipeline, root CA migration planning and the vendor ecosystem readiness for PQC certificate support.

Long-lived Data Encryption Risk Assessment

Risk assessment focused specifically on long-lived encrypted data — financial records, health data, classified information, legal documents — identifying data stores most exposed to HNDL attacks and recommending re-encryption priority, archive security and data lifecycle controls to reduce quantum exposure.

Executive PQC Briefing & Board Reporting

Structured executive briefing and board-level reporting on PQC risk, organisational exposure and migration investment requirements — translating technical quantum threat concepts into business risk language that supports informed governance decisions, budget allocation and regulatory disclosure.

Standards & frameworks

| Standard / Framework | Body | Relevance |
|---|---|---|
| FIPS 203 (ML-KEM) | NIST | Primary PQC key encapsulation standard |
| FIPS 204 (ML-DSA) | NIST | Primary PQC digital signature standard |
| FIPS 205 (SLH-DSA) | NIST | Hash-based signature standard (stateless) |
| CNSA 2.0 | NSA / CISA | US national security system migration guidance |
| ETSI QSC Standards | ETSI | European quantum-safe cryptography standards |
| CBOM (CycloneDX) | OWASP | Cryptographic bill of materials specification |
| ISO/IEC 18033 | ISO/IEC | Encryption algorithms reference standard |

Start your PQC readiness programme before the threat arrives — not after

The time to prepare is now. HNDL collection is active. Migration timelines are measured in years. Contact us to scope a CBOM analysis or PQC readiness assessment.