PQC Compliance Interim Positions: What Organisations Can Do While Awaiting Validated Modules
Enterprises average seven to ten years to complete cryptographic migrations at scale. NIST's full federal disallowance of non-post-quantum cryptography under NIST IR 8547 takes effect in 2035.[NIST IR 8547] For organisations that have not yet begun structured migration activity, that arithmetic is already uncomfortable - and it worsens when the validated module pipeline remains immature. No FIPS 140-3 validated module implementing ML-KEM, ML-DSA, or SLH-DSA existed as of Q1 2026.[NIST CMVP] Waiting for that pipeline to clear before acting is not a defensible compliance posture. This article sets out what a defensible interim position looks like, mapped to the specific deadlines CISOs and compliance officers are accountable for.
The Validation Gap Explains Why Interim Positions Are Necessary, Not Optional
NIST finalised FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) in August 2024.[FIPS 203] CMVP validation of cryptographic modules implementing those standards is a separate, subsequent process - one that involves laboratory testing, NIST review, and certificate issuance. That process takes months to years under normal conditions, and the PQC algorithm test infrastructure within CMVP was still being established as the standards were published. The result is a structural gap: the standards are final, the regulatory deadlines are running, and the validated products organisations need for compliant procurement are not yet available at scale.
This gap is not a reason to defer action. It is precisely the condition under which interim compliance positions become necessary - and where regulators, auditors, and cyber insurers will distinguish organisations that exercised active cryptographic governance from those that did not. As detailed in our coverage of the FIPS 140-3 validation gap and its compliance implications, the absence of validated modules does not suspend existing obligations; it shifts the compliance burden toward documented process and demonstrable readiness.
The Regulatory Timeline You Are Actually Working Against
Four hard deadlines define the compliance calendar for most organisations. They are not equivalent in scope or audience, but taken together they create a sequenced set of obligations that compliance officers must map against their own asset risk profiles.
April 2026: Canadian Federal Planning Deadline
The Communications Security Establishment's CCCS ITSM 40.001 required Canadian government agencies to have completed initial PQC migration planning by April 2026.[CCCS ITSM 40.001] For those organisations, the planning phase has already closed. The absence of documented plans is a compliance gap, not a scheduling question.
September 21, 2026: NIST CMVP Non-PQC Validation Cutoff
NIST's Cryptographic Module Validation Program will cease issuing new validations for modules that do not include post-quantum algorithms after September 21, 2026.[NIST CMVP] Any organisation pursuing a new or renewed FIPS 140 validation after that date must submit PQC-capable modules. This affects federal agencies, federal contractors with FIPS requirements in their contracts, and any private-sector organisation that markets products under FIPS 140 validation. Procurement teams planning module submissions or renewals in 2026 need to have confirmed vendor timelines for PQC-capable submissions before that window closes.
January 1, 2027: CNSA 2.0 for New NSS Acquisitions
NSM-10 mandates that all new National Security System acquisitions comply with CNSA 2.0 algorithm requirements from January 1, 2027.[NSM-10] Defense contractors and systems integrators in the NSS supply chain who have not yet confirmed CNSA 2.0-compliant algorithm support in their product roadmaps are already late on that supplier conversation.
2035: Full Federal Disallowance
NIST IR 8547 establishes 2030 as the deadline for deprecating RSA and ECC in federal use cases and 2035 as the point of full disallowance.[NIST IR 8547] NSM-10 aligns with this timeline for national security systems. Given enterprise migration timelines of seven to ten years, organisations that begin active migration work in 2026 are targeting completion at the boundary of the disallowance window - with no margin for schedule slippage. Our detailed breakdown of the 2030 and 2035 deprecation deadlines under NIST IR 8547 covers the specific algorithm-by-algorithm schedule compliance officers must track.
Cryptographic Inventory Is the Foundational Interim Control
A maintained cryptographic bill of materials (CBOM) is the single most defensible interim control an organisation can establish while validated modules remain unavailable. It directly enables every subsequent compliance decision: migration sequencing, risk prioritisation, vendor accountability, and RMF package updates. Without it, no other interim position is credible because the organisation cannot demonstrate it knows what it is protecting or migrating.
No regulator has yet mandated CBOM in procurement as of Q1 2026 - but CISA guidance and practitioner consensus treat it as the prerequisite for any meaningful PQC transition.[CISA PQC Resources] That absence of a mandate is an opportunity, not a reason to defer. Organisations that have a documented, time-stamped CBOM in place before regulators formalise the requirement will be substantially better positioned during audits, cyber insurance reviews, and contract due diligence than those that begin only when compelled. The CBOM also provides the baseline without which no migration sequencing decision can be made responsibly - a point our practitioner's guide to CBOM construction and governance covers in depth.
For compliance teams operating within existing RMF, ISO 27001, or SOC 2 frameworks: frame the CBOM internally as a cryptographic risk inventory. That language maps directly to existing asset management and risk treatment controls, which lowers internal adoption friction and integrates the output into governance structures auditors already review.
Vendor Accountability in the Absence of Standardised Attestation
No standardised PQC vendor attestation framework exists. Procurement teams cannot currently request a certifiable declaration from a vendor confirming FIPS 203/204/205 compliance in the way they might request a SOC 2 Type II report or an existing FIPS 140-2 certificate. That gap requires a working substitute: structured written commitments obtained during procurement, documented in a way that creates an auditable record.
Security architects broadly recommend the following minimum set of vendor commitments for any cryptographic product or service procured during the validation gap:
- Written roadmap specifying the target date for CMVP submission of a PQC-capable module, with the algorithm set explicitly named (ML-KEM, ML-DSA, SLH-DSA per FIPS 203/204/205)
- Written confirmation of whether current implementations use algorithm parameters aligned to the final FIPS standards - not draft or pre-standardisation versions
- Contractual provision for notification if the CMVP submission date slips by more than 90 days
- Confirmation of hybrid mode support - simultaneous classical and post-quantum key exchange - where the deployment context requires continuity during transition
These commitments do not replace validated module status, but they create a documented due diligence record that demonstrates active vendor management. In the event of a regulatory inquiry or breach investigation, the presence or absence of that record will be material.
Building a Crypto-Agility Roadmap That Satisfies Auditors Today
Crypto-agility - the organisational capability to replace cryptographic algorithms without requiring architectural redesign - is both the enabling condition for PQC migration and an interim compliance posture in its own right. An organisation that can demonstrate a documented crypto-agility architecture, even before migration is complete, is demonstrating forward-looking risk governance that auditors and regulators can evaluate now.
A crypto-agility roadmap that satisfies internal audit and external regulators in the 2026-2027 window should contain at minimum:
- Hybrid deployment plan: Documentation of which systems will operate in hybrid classical/PQC mode during transition, with the specific algorithm combinations specified and the classical fallback conditions defined
- Migration sequencing: Risk-ranked ordering of systems for PQC migration, derived from the CBOM, with highest-risk systems (external-facing, long-data-retention, FIPS-required) prioritised
- Annual inventory integration: A defined process for updating the CBOM at least annually and incorporating findings into RMF authorisation packages - a requirement implied by NSM-10's annual inventory mandate, though the specific mechanics for RMF integration remain agency-defined[NSM-10]
- Owner accountability: Named system owners for every cryptographic asset in the CBOM, with documented acceptance of migration timelines
This roadmap does not require validated modules to exist. It requires documented intent, sequenced commitments, and governance structures - all of which are achievable today.
What "Reasonable Security" Looks Like Post-CMVP Cutoff for Non-Federal Entities
The September 2026 CMVP cutoff is a federal procurement mechanism, not a direct regulatory mandate on private-sector organisations. However, it will materially shift what regulators, courts, and insurers treat as "reasonable security" for organisations in regulated industries.
For public companies, the SEC's cybersecurity disclosure rules require material cybersecurity risks to be disclosed. An organisation that has taken no documented action on PQC migration after the CMVP cutoff - when the federal government has made its own position on cryptographic adequacy explicit - faces an increasingly difficult argument that its cryptographic risk posture does not meet the materiality threshold. For critical infrastructure operators, CISA's cross-sector guidance on PQC readiness creates a similar expectation floor.[CISA PQC Resources] For organisations subject to DORA or NIS2 in the EU, ICT risk management obligations already require documented treatment of emerging cryptographic risks.
The practical implication: the CMVP cutoff date functions as an industry-wide signal that the standards community has declared the transition period open. Compliance officers in non-federal organisations should treat September 21, 2026 as the date by which they need a documented interim posture - not because a specific regulation requires it on that date, but because the absence of one becomes progressively harder to defend after it.
The concrete action to take before that date is a scoped CBOM sprint: assign a cross-functional team covering security architecture, procurement, and legal or compliance to produce a first-pass cryptographic bill of materials for your three highest-risk asset categories - external-facing applications, regulated data-at-rest encryption, and any system subject to FIPS 140 requirements. A documented, time-stamped partial CBOM demonstrates active cryptographic governance to auditors, regulators, and insurers in a way that a verbal commitment does not.
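As an added illustration, not code from the article or from NIST, CISA or any vendor, the following Python sketch shows what the first-pass CBOM described above can look like as a data structure, and how the risk-ranked migration sequence from the crypto-agility roadmap section is derived from it using the article's three criteria (external-facing, long data retention, FIPS-required). The asset records, owner names, the assignment of algorithm names to buckets, and the scoring weights are constructed assumptions of this example; the 2030 and 2035 dates are the NIST IR 8547 schedule as the article states it.

```python
"""Constructed example: a minimal cryptographic bill of materials (CBOM) and
the risk-ranked migration sequence derived from it. Added illustration only;
asset records, owners, algorithm buckets and weights are assumptions."""
from dataclasses import dataclass, asdict
from datetime import date
import json

# Schedule as stated in the article (NIST IR 8547): RSA/ECC deprecated 2030,
# fully disallowed 2035.
DEPRECATION_YEAR = 2030
DISALLOWANCE_YEAR = 2035
AS_OF = date(2026, 4, 1)   # constructed inventory date

# Which algorithm names land in which bucket is an assumption of this example.
QUANTUM_VULNERABLE = {"RSA-2048", "RSA-3072", "RSA-4096", "ECDSA-P256",
                      "ECDH-P256", "X25519", "Ed25519"}
PQC_FINAL = {"ML-KEM-768": "FIPS 203", "ML-KEM-1024": "FIPS 203",
             "ML-DSA-65": "FIPS 204", "SLH-DSA-SHA2-128s": "FIPS 205"}
# Pre-standardisation parameter sets: the article asks vendors to confirm
# alignment with the final FIPS standards, so these are flagged as findings.
PRE_STANDARD = {"Kyber768", "Kyber1024", "Dilithium3", "SPHINCS+-SHA2-128s"}


@dataclass
class CryptoAsset:
    system: str
    owner: str                 # named system owner; empty string = unassigned
    algorithm: str
    purpose: str               # "key-exchange", "signature" or "data-at-rest"
    external_facing: bool
    data_retention_years: int
    fips_required: bool
    hybrid_mode: bool = False  # classical + PQC combined during transition


def classify(asset: CryptoAsset) -> str:
    """Bucket an algorithm relative to the article's deprecation schedule."""
    if asset.algorithm in PQC_FINAL:
        return "pqc-final"
    if asset.algorithm in PRE_STANDARD:
        return "pqc-draft"
    if asset.algorithm in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    return "unknown"


def risk_score(asset: CryptoAsset, today: date) -> int:
    """Higher = migrate earlier. Criteria are the article's three; the
    weights are an assumption of this example."""
    status = classify(asset)
    if status == "pqc-final":
        return 0
    score = 3 * asset.external_facing + 3 * asset.fips_required
    # Data that must stay protected beyond the schedule dates ranks higher.
    retained_until = today.year + asset.data_retention_years
    if retained_until > DISALLOWANCE_YEAR:
        score += 2
    elif retained_until > DEPRECATION_YEAR:
        score += 1
    if status == "pqc-draft":
        score += 1   # must be re-confirmed against the final parameter sets
    elif status == "unknown":
        score += 2   # an unidentified algorithm is itself an inventory gap
    if asset.hybrid_mode:
        score -= 1   # already carries a PQC component during transition
    return score


def findings(assets: list) -> list:
    """Governance gaps the CBOM surfaces: missing owners, draft or unknown algorithms."""
    out = []
    for a in assets:
        if not a.owner:
            out.append(f"{a.system}: no named system owner")
        status = classify(a)
        if status == "pqc-draft":
            out.append(f"{a.system}: pre-standard parameter set {a.algorithm}; confirm final FIPS alignment")
        elif status == "unknown":
            out.append(f"{a.system}: algorithm '{a.algorithm}' not identified")
    return out


def migration_sequence(assets: list, today: date) -> list:
    """Risk-ranked ordering, highest score first, ties broken by system name."""
    ranked = [{"system": a.system, "algorithm": a.algorithm,
               "status": classify(a), "score": risk_score(a, today)} for a in assets]
    return sorted(ranked, key=lambda e: (-e["score"], e["system"]))


def build_cbom(assets: list, generated: date) -> dict:
    """A dated CBOM document (JSON-serialisable) with findings and sequence."""
    return {"cbom_version": 1, "generated": generated.isoformat(),
            "entries": [dict(asdict(a), status=classify(a)) for a in assets],
            "findings": findings(assets),
            "migration_sequence": migration_sequence(assets, generated)}


# Constructed sample inventory covering the three categories the sprint targets:
# external-facing applications, regulated data at rest, FIPS-required systems.
SAMPLE_ASSETS = [
    CryptoAsset("customer-portal-tls", "web-platform", "ECDH-P256", "key-exchange", True, 1, False),
    CryptoAsset("records-archive", "records-mgmt", "RSA-3072", "data-at-rest", False, 15, True),
    CryptoAsset("vpn-gateway", "netops", "Kyber768", "key-exchange", True, 1, True, hybrid_mode=True),
    CryptoAsset("ci-signing", "devops", "ML-DSA-65", "signature", False, 5, False),
    CryptoAsset("legacy-batch", "", "unknown-vendor-lib", "data-at-rest", False, 7, False),
]

if __name__ == "__main__":
    print(json.dumps(build_cbom(SAMPLE_ASSETS, AS_OF), indent=2))
```

Run as a script, it emits the dated CBOM as JSON. On the sample data the sequence puts the FIPS-required, external-facing VPN gateway first even though it already runs a hybrid draft-Kyber exchange (it still needs re-confirmation against the final FIPS 203 parameter set), then the 15-year records archive, and the two findings for the unowned, unidentified legacy system show why an inventory gap is itself a compliance finding rather than a blank row.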
Key Takeaways
- No FIPS 140-3 validated PQC module existed as of Q1 2026. Waiting for the pipeline to mature before acting is not a defensible compliance posture.
- September 21, 2026 is the NIST CMVP cutoff for new validations of non-PQC modules - a hard date affecting federal agencies, contractors, and vendors operating under FIPS 140 requirements.
- NIST IR 8547 sets 2030 as the RSA/ECC deprecation deadline and 2035 as full federal disallowance. Enterprise migration timelines of 7-10 years leave no margin for delayed starts.
- A documented, time-stamped CBOM is the single most auditable interim control available now - even a partial one demonstrates active cryptographic governance.
- No standardised PQC vendor attestation framework exists. Procurement teams should obtain written roadmap commitments and algorithm confirmations as a documented due diligence substitute.
- A crypto-agility roadmap covering hybrid deployment, migration sequencing, and annual inventory integration can satisfy internal auditors and regulators today, without requiring validated modules to be in place.
- The September 2026 CMVP cutoff will shift "reasonable security" expectations for non-federal regulated entities even where no specific private-sector mandate applies on that date.
Related Reading
On this site:
- Why no FIPS 140-3 validated PQC module exists and what that means for compliance claims
- The 2030 and 2035 algorithm deprecation deadlines compliance officers must track under NIST IR 8547
- A sequenced PQC compliance roadmap covering frameworks, deadlines, and mandatory obligations
Primary sources:
- NIST Cryptographic Module Validation Program - official program documentation and validation cutoff guidance
- NIST IR 8547 - federal algorithm deprecation and disallowance timeline through 2035
- CISA post-quantum cryptography resources for critical infrastructure operators
This article draws on primary documentation from NIST CMVP, NIST IR 8547, NSM-10, CCCS ITSM 40.001, NSA CNSA 2.0, and CISA PQC guidance. All claims verified against official sources as of April 2026.
Disclaimer: This content is for informational purposes only and does not constitute legal, regulatory, or compliance advice. Consult a qualified professional before making compliance decisions. pqcinformation.com is independent and not affiliated with any vendor or standards body.