QuSecure, a post-quantum cryptography vendor, announced March 31 that it has joined the National Institute of Standards and Technology's National Cybersecurity Center of Excellence (NIST NCCoE) Migration to Post-Quantum Cryptography Project — specifically the Cryptographic Discovery workstream. The addition is real. The question is what it means.
The NCCoE, established in 2012 as a partnership between NIST, the State of Maryland, and Montgomery County, Maryland, runs the migration project in two workstreams: cryptographic discovery and interoperability testing. The first workstream focuses on using automated inventory tools to identify where an organization is running classical public-key cryptography — the math underlying today's encryption, which a sufficiently powerful quantum computer could break. The second tests whether NIST-standardized post-quantum algorithms work cleanly across vendors and implementations. Both are unglamorous. Both are where the actual work of post-quantum migration happens.
The original collaborator list, announced in July 2022, included 14 technology collaborators: Amazon Web Services, Cisco, Crypto4A Technologies, Cryptosense, DigiCert, InfoSec Global, ISARA Corporation, Microsoft, Samsung SDS, SandboxAQ, Thales DIS, Thales Trusted Cyber Technologies, VMware, and wolfSSL. QuSecure was not on it. The consortium has since expanded to more than 50 collaborators, adding the NSA, JPMorgan Chase, Google, IBM, Palo Alto Networks, and others. QuSecure's late arrival is the data point worth sitting with: the project is no longer a planning exercise. It is an operational consortium that organizations want to be inside, and the migration work has reached the stage where late entry is better than non-entry.
William Newhouse, a security engineer at the NIST NCCoE, said in QuSecure's announcement that it is critical that organizations begin planning for the technological and operational challenges that a migration to post-quantum cryptography will present. That is a direct and accurate summary of the official NIST position.
QuSecure is participating as a Cryptographic Discovery collaborator, which means its QuProtect R3 platform will be tested alongside other tools for finding quantum-vulnerable public-key cryptography buried in enterprise infrastructure. That is a genuine problem. Most organizations do not have a complete inventory of where classical public-key cryptography lives in their systems — TLS termination points, code signing pipelines, VPN gateways, hardware security modules, and legacy integrations all contain it, and none of it is well-documented. Automated discovery tools are a real product category. ISARA Corporation, Crypto4A, and InfoSec Global all offer something similar. QuSecure joining the consortium does not make it special. It makes it a late entrant to an already-crowded category.
"This collaboration with the NCCoE brings industry leaders together to tackle one of today's most pressing cybersecurity challenges — the transition to post-quantum cryptography," said Garfield Jones, QuSecure's senior vice president for research and technology strategy. That is vendor language. It is also not wrong. The NCCoE consortium is where organizations are doing the unglamorous work of figuring out how to replace classical public-key infrastructure — a process that will take years regardless of what the quantum threat timeline looks like.
The interoperability testing workstream deserves more attention than it typically gets. Post-quantum algorithms are standardized, but that does not mean they work cleanly across every combination of hardware, software, and protocol layer that enterprises actually run. Running interoperability tests surfaces practical frictions — performance characteristics, edge case behavior, library incompatibilities — that specifications do not reveal. That work is happening in the NCCoE, in public, with real vendors testing real implementations against each other.
The meaningful signal in QuSecure's announcement is timing. The project launched in 2022. QuSecure joined in 2026. The migration is no longer hypothetical. Organizations with the resources to participate in a federal consortium are already inside it. Vendors joining now are not early — they are trying not to be late. That is the accurate frame for post-quantum migration in 2026: not a cliff, not a panic, but a slow operational grind that is happening in the open, in a consortium, and that is now too large and too active for any serious player to skip.
What should organizations take from this? Not which vendor to hire. The cryptographic discovery problem is solvable with any number of commercial tools. What matters is whether an organization has actually started: mapped its classical public-key attack surface, identified priority systems, and has a plan with milestones. If it has not, it is not too late — but it should start now, before the work becomes reactive rather than planned.
NIST finalized three post-quantum cryptography standards in 2024: FIPS 203 (ML-KEM for key encapsulation), FIPS 204 (ML-DSA for digital signatures), and FIPS 205 (SLH-DSA for stateless hash-based signatures). NIST is still developing an additional FIPS derived from FALCON as an alternative signature scheme. The algorithms are chosen. The migration is not a research problem anymore. It is an organizational change management problem — and the NCCoE consortium is where that problem is being worked out, in public, with 50-plus organizations and counting.
