Kari Ritacco
5. Dez. 2025
Departments can accelerate the migration to Post-Quantum Cryptography with commercial software solutions.
The June 2025 release of the “Roadmap for the Migration to Post-Quantum Cryptography” (ITSM.40.001) by Canada’s Cyber Centre marks a watershed moment for the Government of Canada’s (GC) cyber agenda. For departmental leaders and IT executives, it crystallizes both a mandate and a deadline:
By April 2026: each department must submit an initial PQC migration plan
By end 2031: critical high-priority systems should be fully migrated or quantum-risk mitigated
By end 2035: the entirety of non-classified systems must be PQC-secure
If agency leads wish to leverage existing budgets, avoid last-minute scramble, and preserve cyber resiliency, this mandate compels agencies to act now — not wait until 2030. Cryptographically relevant quantum computers (CRQC) may still be years off, but the rate of advancement is accelerating. It is no longer a question of if, but a question of how soon.
The near-inevitability of CRQCs inspires adversaries to harvest encrypted traffic today — storing it in the certainty that they will be able to decrypt it in the future. Any agency system protecting sensitive communications or citizen data is vulnerable to retrospective breach unless it transitions to quantum-resistant cryptography now.
The GC roadmap explicitly flags systems in public network zones as high-priority for quantum risk mitigation. It further mandates that new procurements embed cryptographic agility and post-quantum cryptographic (PQC) readiness from the start. If agencies delay, they risk being locked into legacy systems that lack upgradability — forcing a wholesale rip-and-replace later at much greater cost.
The Cyber Centre breaks migration into three overlapping phases: Preparation, Identification, and Transition. Each phase is demanding — but that’s a feature, not a flaw: it allows for iterative progress, parallel workstreams, and ongoing refinement. Crucially, departments are expected to reuse “existing IT lifecycle budgets” to manage cost wherever possible. In other words, Preparation and Identification enable smarter budgeting for smoother transitions, minimizing disruption.
The Migration Challenge: Hidden, Widespread, and Often Inertial
Many agencies and IT professionals underestimate the breadth of their cryptographic footprints:
Public key use is embedded in network protocols, application stacks, identity and access systems, encryption libraries, HSMs (hardware security modules), VPNs, TLS stacks, and sub-components.
Cryptography use may be obscure — tucked inside code libraries, middleware, or third-party services. Identification demands scanning, profiling, and vendor engagement.
Legacy systems may never support PQC natively. For such cases, agencies must plan isolation, tunneling, or encapsulation as interim mitigations.
Left unaddressed, this “dark crypto” layer becomes a roadblock: partial inventory, overlooked dependencies, or vendor non-cooperation can derail even the best roadmap.
Migration Acceleration
Commercial organizations have anticipated this action and have been preparing tools and services to be a strategic force multiplier. Below is how these tools help accelerate PQC migration success:
Comprehensive Cryptography Discovery & Visibility Automatically aggregate cryptographic data from networks, hosts, and application stacks to surface where public-key cryptography is used (including embedded in libraries or services). This turns opacity into a structured inventory to produce a complete Cryptographic Bill of Materials (CBOM)
Risk Prioritization & Scoring Not all cryptographic assets are equal, and each agency lead should evaluate risk and compliance against their own criteria. For example, how can a solution help score systems based on harvest now, decrypt later (HNDL) exposure, data sensitivity, lifecycle status, and vendor upgrade path, enabling agencies to tackle the riskiest systems first?
Tunneling & Hybrid Encapsulation Paths For systems that can’t be upgraded immediately, verify that the systems support the deployment of transparent PQC tunneling or encapsulation layers, effectively wrapping legacy traffic in post-quantum protection while migration proceeds beneath the hood.
Agile Cryptography Transition Orchestration Integrate with change management, test environments, versioning, rollback safety, and configuration workflows — helping technical teams execute staged, reversible migrations in alignment with governance protocols.
Compliance, Audit & Reporting Support Because the Roadmap requires annual progress reporting from April 2026 onwards, ensuring that selected systems have the appropriate audit trails can assist agencies in compiling evidence of progress, risk posture, and remediation efforts — meeting TBS and Cyber Centre oversight needs.
A Call to Action for Canadian Agencies
To the departmental CIOs, Chief Information Security Officers (CISOs), Directors of Security, and Deputy Ministers across Canada: the mandate is real, the timelines are public, and the risk is accelerating. But this isn’t a doom scenario — it’s an opportunity to lead.
Here’s a strategic path forward:
Appoint a PQC Migration Lead ASAP Under the Roadmap, the Designated Official for Cyber Security (DOCS) or a delegated executive should assume oversight, with a supporting technical committee.
Leverage Existing IT Lifecycle & Procurement Plans Rather than seeking ad hoc funding, embed PQC readiness into scheduled refresh cycles and new procurements now.
Deploy Cryptography Inventory tools in Pilot Mode Immediately Use selections to create a framework and begin to validate discovery, scoring, and tunneling functionality — and surface lessons early.
Iterate in Phases, Measure & Report Make sure your selection has appropriate dashboards and status reporting, so that you can track progress, identify bottlenecks, and meet the Cyber Centre reporting obligations.
Evolve Into Full PQC Mode by 2031/2035 As vendors roll out PQC-native modules (TLS libraries, HSM support, OS stacks), gradually migrate away from fallback tunneling and fully disable quantum-vulnerable algorithms.
Final Word: Lead the Quantum-Safe Transformation
Canada’s PQC Roadmap isn’t just a policy — it’s a strategic imperative: one that protects public trust, citizen data, and core government infrastructure against an existential sovereign data security threat.
Agencies that move early — executing with discipline, prioritization, and the support of commercial tools will gain:
Reduced cost and disruption
Stronger security posture ahead of the quantum horizon
Confidence in meeting federal milestones
Leadership in the emerging quantum-resilient infrastructure era
Let’s help your agency become a beacon of quantum-safe transformation — not a laggard scrambling at the deadline.