The ticking clock of the quantum era is growing louder. While cryptographically-relevant quantum computers (CRQCs) capable of shattering today’s encryption standards may still be a decade away, the foundational shift to post-quantum cryptography (PQC) is no longer a distant concern—it’s an immediate strategic imperative. The most pressing danger lies in the “harvest now, decrypt later” vulnerability, a strategy where adversaries are already siphoning and storing encrypted data. This sensitive information, from state secrets to corporate intellectual property, is a ticking time bomb, waiting to be unlocked by future quantum machines. Recognizing this clear and present danger, the cybersecurity community has responded. In a landmark move last year, MITRE, in collaboration with the Post-Quantum Cryptography Coalition (PQCC), published a comprehensive PQC Migration Roadmap in May 2025. This document serves as the first standardized playbook for a transition of monumental scale, offering a structured, tailorable approach for organizations to navigate one of the most significant technological upgrades in modern history. The migration has officially begun.
In brief:
The threat of cryptographically-relevant quantum computers (CRQCs) makes current encryption standards vulnerable.
“Harvest now, decrypt later” attacks are an immediate concern, where adversaries store encrypted data to break with future quantum technology.
In May 2025, MITRE and the Post-Quantum Cryptography Coalition (PQCC) released a PQC Migration Roadmap to guide organizations.
The roadmap outlines four key phases: Preparation, Baseline Understanding, Planning and Execution, and Monitoring and Evaluation.
Organizations must first assess their risk profile to determine if they are an “urgent” or “regular” adopter, which dictates their migration timeline.
The initial “Preparation” phase is critical and involves assigning a migration lead, identifying stakeholders, and assessing the organization’s unique cryptographic landscape.
Navigating the Immediate Threat of Harvest Now, Decrypt Later
The primary driver for the current urgency around PQC migration is not just the eventual arrival of a CRQC, but the ongoing threat of “harvest now, decrypt later.” This strategy poses a severe risk to any sensitive information with long-term value.
Adversaries are actively collecting vast amounts of encrypted data today. Even though this data is secure under current encryption methods, the plan is to store it until a quantum computer is available to break the encryption. This means that critical infrastructure plans, personal data, and organizational secrets encrypted and transmitted today could be compromised a decade from now.
This vulnerability fundamentally changes the risk calculation. Organizations cannot afford to wait until quantum computers are a reality; by then, their most valuable data from previous years will already be in the hands of attackers, ready for decryption.
MITRE’s PQC Roadmap: A Structured Path to Quantum Resistance
To address this complex challenge, the Post-Quantum Cryptography Coalition (PQCC) developed a strategic document to help organizations make the transition. Released in May 2025, the MITRE Post-Quantum Cryptography Roadmap provides a tailorable framework, acknowledging that the journey will differ for every organization based on data sensitivity, available resources, and existing infrastructure.
PQCC analysts identified four critical categories that organizations must navigate during their migration journey:
- Preparation
- Baseline Understanding
- Planning and Execution
- Monitoring and Evaluation
Researchers emphasized that these components can be implemented concurrently or in a different order depending on an organization’s specific needs and budget for potentially significant software and hardware updates.
The Crucial First Step: The Preparation Phase
The roadmap’s first category, Preparation, is designed to lay a solid foundation for the entire migration process. This initial phase is less about technology and more about strategy, alignment, and governance.
Success at this stage involves organizations getting a complete overview of their migration goals. It requires assigning a dedicated migration lead who is well-positioned to coordinate across different departments and even with external partners. Identifying and aligning all necessary stakeholders through clear and strategic messaging is paramount.
Defining Your Migration’s Scope and Leadership
During this preparatory work, an organization must conduct a thorough evaluation of its attack surface, the types of systems it operates, and the criticality of the data it handles. Understanding interdependencies with other organizations is also a key factor.
The roadmap strongly recommends appointing an individual or a team to monitor and drive the PQC migration. This leadership is crucial for developing messaging that articulates the value and return on investment to stakeholders, securing financial and operational resources, and establishing early engagement with system vendors to scope out the migration’s technical requirements.
Determining Your Timeline: Urgent vs. Regular Adopters
A core component of the roadmap is helping organizations determine the appropriate pace for their efforts. The document presents a model for classifying organizations into two main categories based on their risk profile: “urgent adopters” and “regular adopters.”
This classification helps leadership properly allocate resources and set realistic timelines. Organizations handling highly sensitive data with a long confidentiality lifespan, such as national security agencies or R&D firms, are classified as urgent adopters. Others with lower-risk profiles may follow a more standard timeline. This structured approach ensures that the enterprise migration to quantum-safe infrastructure is both efficient and effective.
By understanding their specific risk profile, organizations can begin planning and budgeting for what will be a multi-year execution phase, turning a daunting challenge into a manageable, strategic program.
What exactly is ‘harvest now, decrypt later’?
It’s an attack strategy where adversaries collect and store currently encrypted data. They hold onto this data with the expectation that they can decrypt it in the future once powerful quantum computers become available, compromising its long-term confidentiality.
Why is PQC migration urgent if powerful quantum computers are still years away?
The ‘harvest now, decrypt later’ threat makes the problem immediate. Any sensitive data with a long shelf life (e.g., intellectual property, government secrets, personal health information) encrypted today could be exposed in the future. The migration process is also complex and lengthy, requiring years of planning and execution.
What is the very first step an organization should take according to the MITRE roadmap?
The first step is Preparation. This involves obtaining a clear overview of the PQC migration goals, assigning a dedicated migration lead to champion the process, identifying all necessary internal and external stakeholders, and aligning everyone with a clear, strategic message about the project’s importance.
