The National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) has released an initial public draft of Cybersecurity/Encryption White Paper (CSWP) 48, titled:
Mappings of Migration to PQC Project Capabilities to Risk Framework Documents.
This white paper is now open for public comment through October 20, 2025.
Why This Matters for the CX Industry
CX leaders need to worry about this not because PQC is mandatory yet, but because:
- Quantum risk is inevitable — current encryption will eventually be broken.
- Data is already at risk from “harvest now, decrypt later” attacks.
- Migration takes years and can’t be left to the last minute.
- Compliance pressure will grow once NIST standards are finalized.
- Customer trust is fragile — and PQC readiness shows leadership.
In short, PQC migration is directly tied to protection of data that impacts customer confidence, compliance readiness, and the integrity of the CX experience itself.
What CSWP 48 Does
The white paper maps the technical capabilities demonstrated in the NCCoE “Migration to PQC” project to two key frameworks:
- NIST Cybersecurity Framework (CSF) 2.0
- NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)
By providing these mappings, NIST helps organizations:
- Align PQC migration work with existing cybersecurity and compliance programs.
- Understand which risk management objectives are supported, or required, when adopting PQC.
- Identify potential control gaps or dependencies before full-scale migration.
Key Takeaways
- Risk Framework Integration
PQC migration is not just a technical upgrade. It must be woven into governance, compliance, change management, and audit functions already defined in frameworks like CSF and SP 800-53.
- Prioritization Through Risk Lens
The mappings allow organizations to prioritize migration of high-impact systems and data based on existing control requirements.
- Governance Is Essential
New dependencies and risks introduced by PQC migration make strong oversight, configuration management, and monitoring even more critical.
- Future Adjustments Expected
As PQC standards are finalized and organizations move toward deployment, NIST anticipates updates to these mappings to reflect lessons learned and evolving best practices.
Action Steps for CX Leaders
To prepare for PQC and align with NIST’s guidance, CX leaders should begin acting now:
- Start a Cryptographic Inventory
  - Identify where encryption and digital signatures are used across CX platforms, APIs, and customer data flows.
- Engage Risk & Compliance Teams
  - Map PQC migration into your organization’s existing NIST CSF or SP 800-53 compliance programs.
- Test in Controlled Environments
  - Pilot PQC-ready protocols (e.g., hybrid TLS with PQC) in lab environments to assess interoperability and performance.
- Work with Technology Vendors
  - Ask cloud, CRM, and CX platform providers about their PQC roadmaps and how they plan to support NIST standards.
- Educate Stakeholders
  - Brief executives, IT leaders, and frontline managers on the importance of PQC to customer trust and long-term data security.
What’s Next
Organizations are encouraged to review the draft and provide feedback to NIST before October 20, 2025.
You can access the draft here: NIST CSWP 48 Draft
For CX leaders, this is an important opportunity to ensure your platforms, compliance strategies, and customer trust initiatives stay aligned with the future of cryptography.