NIST Releases NIST CSWP 48 IPD – Mapping of Migration to PQC Project to NIST CSF 2.0
Sep 2025 – NIST has just released the initial public draft of CSWP 48, part of its Migration to Post-Quantum Cryptography project: “Mappings of Migration to PQC Project Capabilities to NIST Cybersecurity Framework 2.0 and to Security and Privacy Controls for Information Systems and Organizations.”
The project is here: Migration to Post-Quantum Cryptography and the actual document [PDF]: Mappings of Migration to PQC Project Capabilities to NIST Cybersecurity Framework 2.0 and to Security and Privacy Controls for Information Systems and Organizations
This is the first in a series of implementation-focused white papers under the Migration to PQC initiative. It follows the excellent second public draft of CSWP 39 (Considerations for Achieving Crypto Agility), which was released in August. Together, these documents form a growing body of practical guidance from NIST helping organizations prepare for the transition to post-quantum cryptography.
CSWP 48 maps the real-world capabilities demonstrated in NIST NCCoE’s PQC migration lab environment – like cryptographic asset discovery, algorithm interoperability, and inventory management – to familiar risk frameworks: NIST Cybersecurity Framework 2.0 and SP 800-53.
If you’re planning your PQC migration (and you should be), you need a way to integrate cryptographic modernization into your existing cybersecurity, risk management, and compliance processes. This document can help you with that.
It shows:
- How core functions like crypto discovery and inventory align with CSF outcomes and SP 800-53 controls
- Which foundational governance and control practices should be in place before implementing PQC tools
- Where new PQC-focused activities support broader cybersecurity goals, not just crypto modernization
The public comment period is open through October 20, 2025. Consider contributing if you are in the industry. Our team at Applied Quantum has already completed our review and drafted our comments submission.
In short: it’s a strong initial draft. We did suggest a few areas for future expansion such as tighter integration with supply chain management and enterprise risk strategy, but overall, this paper is already useful if you’re getting started with crypto inventory, discovery, or roadmap planning.
This is exactly the kind of structured, implementation-ready guidance the community needs as we move closer to a post-quantum future.
Quantum Upside & Quantum Risk - Handled
My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the cquantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.
