CISA Draws the Line: The Product Category Advisory & The End of Legacy Procurement
24 Jan 2026 – The Cybersecurity and Infrastructure Security Agency (CISA) released a definitive advisory titled “Product Categories for Technologies Use Post-Quantum Cryptography Standards.” This document, mandated by Executive Order 14306 (June 2025), fundamentally alters the procurement landscape for the United States federal government and, by extension, the global technology supply chain.
The advisory bifurcates the Information Technology marketplace into two distinct classifications: “Widely Available” PQC products and “Transitioning” products. This categorization is not merely descriptive; it is prescriptive. For categories deemed “Widely Available” – which notably include Cloud Services (PaaS/IaaS), Web Browsers, and Endpoint Security – CISA has effectively signaled that federal agencies should cease the procurement of non-compliant legacy products immediately. Conversely, the “Transitioning” category acknowledges sectors where the supply chain is not yet mature enough for a hard mandate, such as traditional networking hardware and complex Identity, Credential, and Access Management (ICAM) systems.
The advisory explicitly references the NIST-standardized algorithms: FIPS 203 (ML-KEM) for key encapsulation, and FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for digital signatures. This moves the conversation from theoretical “quantum readiness” to specific, auditable compliance with Federal Information Processing Standards.
Technical Context & Deep Dive
The significance of this advisory lies in its recognition of the asymmetric maturity of post-quantum algorithms in commercial products.
The “Widely Available” Tier: CISA has identified that the software layer of the IT stack is largely ready for the transition.
- Cloud Services (IaaS/PaaS): Major providers such as AWS, Google Cloud, and Microsoft Azure have already integrated ML-KEM (typically as a hybrid with X25519 or ECDH) into the transport layer of core services such as their Key Management Services (KMS). For a federal agency spinning up new compute resources, there is little technical reason left to rely on pure RSA/ECC key exchange.
- Web Browsers: Google Chrome has enabled a hybrid post-quantum key exchange by default since 2024 (initially the draft X25519Kyber768 codepoint, later the FIPS 203-based X25519MLKEM768), with Microsoft Edge and other Chromium-based browsers following suit, so the client-side browser ecosystem is effectively PQC-native for transport encryption.
- Endpoint Security: Tools for full disk encryption and data-at-rest protection have integrated PQC comparatively quickly. The bulk cipher in these products is symmetric and unaffected by the migration; only key wrapping and recovery paths need PQC, and those paths are far less sensitive to the latency and bandwidth constraints that plague real-time networking.
The “Transitioning” Tier: The advisory casts a spotlight on the sectors that are lagging, primarily those constrained by hardware lifecycles or complex interoperability requirements.
- Networking Hardware: Routers, firewalls, and switches remain in the “Transitioning” category. This is a tacit admission that the “Packet Bloat” issue has not been fully resolved by vendors such as Cisco or Juniper. The numbers explain why: an ML-KEM-768 encapsulation key is 1,184 bytes and its ciphertext 1,088 bytes, against 32 bytes for an X25519 share, and an ML-DSA-65 signature is 3,309 bytes against 64 bytes (raw) for ECDSA P-256. Handshakes (IKEv2, TLS, DTLS) that used to fit in a single packet now span several, which forces fragmentation, trips middleboxes that assume a one-packet ClientHello, and adds latency on hardware-accelerated paths that were sized for classical key material.
- ICAM: Identity management is listed as transitioning. This is critical because while encrypting a connection (KEM) is relatively easy to upgrade, authenticating a user (signatures) involves changing the Public Key Infrastructure (PKI) roots of trust, issuing new smart cards, and updating HSMs—a far more complex dependency chain.
The Algorithm Gap: A nuanced reading of the advisory reveals a “Signature Gap.” While many products support ML-KEM (Key Encapsulation) for confidentiality, support for ML-DSA (Digital Signatures) is far less prevalent. This creates a “half-migrated” reality where data in transit is protected against “Harvest Now, Decrypt Later” attacks, but the systems are still vulnerable to future quantum impersonation or “Man-in-the-Middle” attacks because the authentication layer relies on classical RSA/ECC signatures. CISA’s categorization reflects this, urging adoption where “widely available” but stopping short of mandating what does not yet exist at scale.
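To make two of the points above concrete, the “Packet Bloat” item under Networking Hardware and the Signature Gap just described, here is an added example (not code from CISA, the advisory, or any vendor) that passively inspects a TLS 1.3 ClientHello the way a crypto-inventory tool would: it reads the supported_groups, key_share and signature_algorithms extensions and reports whether the client offers a hybrid ML-KEM key exchange, whether it offers an ML-DSA signature scheme, and how large the key shares make the message. The group and signature codepoints are assumptions drawn from the IANA TLS registry and the still-draft ML-DSA TLS codepoints; the two ClientHello samples are constructed inside the block with zero-filled key material, and the builder exists only to produce them.

```python
"""Passive classifier for TLS 1.3 ClientHello messages: does the client offer a
post-quantum (hybrid ML-KEM) key exchange, and does it offer a post-quantum
signature scheme?  Added example for this page, not code from CISA or the advisory."""
import struct

# Supported-group codepoints. Assumption: taken from the IANA TLS registry and
# draft-ietf-tls-ecdhe-mlkem; check the current registry before relying on them.
PQ_HYBRID_GROUPS = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",   # pre-FIPS-203 Kyber codepoint Chrome shipped in 2024
}
# ML-DSA SignatureScheme codepoints. Assumption: draft-ietf-tls-mldsa values.
PQ_SIG_SCHEMES = {0x0904: "mldsa44", 0x0905: "mldsa65", 0x0906: "mldsa87"}

EXT_SUPPORTED_GROUPS, EXT_SIGNATURE_ALGORITHMS, EXT_KEY_SHARE = 0x000A, 0x000D, 0x0033
X25519, SECP256R1, X25519MLKEM768 = 0x001D, 0x0017, 0x11EC
ECDSA_P256_SHA256, RSA_PSS_RSAE_SHA256, ED25519 = 0x0403, 0x0804, 0x0807


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _vec16(b: bytes) -> bytes:
    """Opaque vector with a 2-byte length prefix (RFC 8446 presentation language)."""
    return _u16(len(b)) + b


def build_client_hello(groups, key_shares, sig_schemes) -> bytes:
    """Encode a minimal TLS 1.3 ClientHello record. Used here only to construct
    sample input; key_shares is [(group, key_exchange_length)] with zero-filled keys."""
    exts = (_u16(EXT_SUPPORTED_GROUPS) + _vec16(_vec16(b"".join(map(_u16, groups))))
            + _u16(EXT_SIGNATURE_ALGORITHMS) + _vec16(_vec16(b"".join(map(_u16, sig_schemes))))
            + _u16(EXT_KEY_SHARE) + _vec16(_vec16(b"".join(
                _u16(g) + _vec16(bytes(n)) for g, n in key_shares))))
    body = (b"\x03\x03" + bytes(32)        # legacy_version, random (zeroed in the sample)
            + b"\x00"                      # empty legacy_session_id
            + _vec16(_u16(0x1301))         # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                  # legacy_compression_methods: null only
            + _vec16(exts))
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + _vec16(handshake)                   # TLSPlaintext handshake record


def parse_client_hello(record: bytes):
    """Return (supported_groups, [(key_share_group, key_exchange_len)], sig_schemes)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # legacy_version + random
    pos += 1 + body[pos]                                   # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # legacy_compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    groups, shares, sigs = [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype in (EXT_SUPPORTED_GROUPS, EXT_SIGNATURE_ALGORITHMS):
            n = struct.unpack("!H", data[:2])[0]
            ids = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
            (groups if etype == EXT_SUPPORTED_GROUPS else sigs).extend(ids)
        elif etype == EXT_KEY_SHARE:
            p, n = 2, struct.unpack("!H", data[:2])[0]
            while p < 2 + n:
                g, klen = struct.unpack("!HH", data[p:p + 4])
                shares.append((g, klen))
                p += 4 + klen
    return groups, shares, sigs


def classify(record: bytes) -> dict:
    """Map a ClientHello onto the migration states discussed in the text."""
    groups, shares, sigs = parse_client_hello(record)
    pq_kem = any(g in PQ_HYBRID_GROUPS for g in groups)
    pq_sig = any(s in PQ_SIG_SCHEMES for s in sigs)
    status = {(False, False): "legacy", (True, False): "half-migrated",
              (False, True): "pq-signature-only", (True, True): "pq-capable"}[(pq_kem, pq_sig)]
    return {"status": status, "pq_kem": pq_kem, "pq_sig": pq_sig,
            "key_share_bytes": sum(k for _, k in shares),
            "record_bytes": len(record),
            # A ClientHello above the 1280-byte IPv6 minimum MTU no longer fits one
            # datagram on UDP transports (DTLS, IKEv2) and trips middleboxes that
            # assume a one-segment ClientHello: the "packet bloat" problem.
            "over_1280_bytes": len(record) > 1280}


# Constructed samples: a classical client, and a browser-style hybrid client whose
# X25519MLKEM768 share is 1184 (ML-KEM-768 encapsulation key) + 32 (X25519) bytes.
LEGACY = build_client_hello([X25519, SECP256R1], [(X25519, 32)],
                            [ECDSA_P256_SHA256, RSA_PSS_RSAE_SHA256, ED25519])
HYBRID = build_client_hello([X25519MLKEM768, X25519, SECP256R1],
                            [(X25519MLKEM768, 1184 + 32), (X25519, 32)],
                            [ECDSA_P256_SHA256, RSA_PSS_RSAE_SHA256, ED25519])

if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY), ("hybrid", HYBRID)):
        print(name, classify(rec))
```

Fed the first client-side record of a real connection (exported from a pcap) instead of the constructed samples, a browser-style hybrid client classifies as “half-migrated”: confidentiality rides on the hybrid KEM, but every signature scheme it offers is classical, which is exactly the state described above. The constructed hybrid sample already crosses 1,280 bytes with only three extensions; a real browser ClientHello carries many more and lands well above 1,500 bytes once a hybrid share is included.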
Strategic Analysis & Implications
The release of this advisory marks the effective end of the “grace period” for technology vendors selling to the US government. For the last two years, vendors have offered roadmaps; CISA has now converted those roadmaps into a binary gate. You are either on the list, or you are a legacy liability.
The “Standard of Care” Shift: While this advisory is technically directed at Federal Civilian Executive Branch (FCEB) agencies, its impact will be immediate in the private sector. In cybersecurity liability litigation, courts often look to government standards to define the “reasonable standard of care.” By declaring PQC “widely available” for cloud and endpoint security, CISA has potentially created a legal liability for private enterprises that suffer a data breach involving “Harvest Now, Decrypt Later” techniques while still using legacy encryption. If a solution was “widely available” and an enterprise chose not to use it, they may be found negligent.
The Procurement Cliff: For vendors in the “Transitioning” category – particularly networking hardware manufacturers – this is a warning shot. CISA is essentially stating, “We know you aren’t ready yet, so we won’t ban you today, but the clock is ticking.” We anticipate that the next iteration of this advisory, likely in mid-to-late 2026, will begin to move Networking Hardware into the “Widely Available” category. At that point, non-compliant vendors will face a hard stop in federal contracting. This creates immense pressure on hardware R&D teams to solve the packet processing latency issues associated with PQC (see Section 3: BIS Project Leap below for details on why this is so difficult).
Global Ripple Effects: The US government is the world’s largest purchaser of IT services. Its requirements inevitably become global features. As vendors like Microsoft, Cisco, and Palo Alto Networks update their product lines to meet CISA’s “Widely Available” criteria, these features will roll out to customers in Europe, Asia, and Latin America, effectively exporting US policy through software updates. This reinforces the US position as the standard-setter in the PQC transition, potentially sidelining alternative standards emerging from other geopolitical blocs.
Quantum Upside & Quantum Risk - Handled
My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.