PQShield is an NCSC Assured Cyber Security Consultancy (ACSC) for PQC

Understanding the NCSC Assured Cyber Security Consultancy (ACSC) Scheme

The UK NCSC’s Assured Cyber Security Consultancy (ACSC) scheme is designed to assure companies that offer consultancy services to organisations with complex and high-risk cyber security requirements. This includes, but is not limited to, governments, the wider public sector, and Critical National Infrastructure (CNI). This ACSC scheme marks a crucial milestone on the roadmap to full post-quantum migration and is also a significant step towards ensuring that the UK and its critical national infrastructure are resilient against future threats.

The Urgency of PQC for Critical National Infrastructure (CNI)

The transition to PQC needs to happen urgently, particularly for CNI. The NCSC’s own PQC roadmap encourages CNI providers and vendors to be quantum-proof by 2031, a deadline some four years ahead of the 2035 deadline set for other industries. To meet this goal, IT leaders supporting our national infrastructure—spanning from the defence and energy sectors to data centres and hospitals—require practical advice on how to implement these new cryptography standards. Additionally, their teams need to be upskilled in maintaining PQC.

Why PQShield?

PQShield stands at the forefront of the quantum-safe cryptography revolution, leading the charge in developing and implementing new cryptographic standards. Our diverse team of approximately 90 experts spans 10 countries across the EU, UK, US, and Japan, with over 50 dedicated specialist PQC cryptographers and engineers forming our core.

This exceptional talent pool has been instrumental in co-authoring all of the initial NIST international PQC standards and continues to play a pivotal role with NIST, alongside significant contributions to other key industry bodies like RISC-V, IETF, and ETSI. We are recognized as a leading authority in real-world PQC implementation, with deep expertise in areas such as Side Channel and Fault Attack resistance, FIPS 140-3 certification, and secure protocols. 

Our commitment to innovation is evidenced by over 85 peer-reviewed papers and 36+ filed patents.

Backed by prominent global investors including Addition, OSE, Chevron, and Legal & General, and having successfully raised $37 million in a Series B round in 2024, PQShield is robustly positioned to deliver cutting-edge quantum-safe cryptography. 

We provide high-quality, certifiable quantum-safe cryptography solutions in both software and hardware IP to the global secure product supply chain, operating with full export control and ISO 9001/27001 compliance. 

Our PQC-ready products are already trusted by a growing list of global customers, including industry leaders such as Microchip, AMD, Lattice, Mirise Technologies, Cryptomathic, Lockheed Martin, Capgemini, and TCS, securing their critical systems against future quantum threats.

PQShield’s Role in PQC Pilot

In the PQC pilot for this scheme, PQShield has been selected in both categories:

• Discovery & Migration Planning
• Advice

While official standards and roadmaps have successfully raised awareness of the PQC challenge and initiated the global cryptographic transition, the toughest step now involves actually implementing these standards.

Within the ACSC scheme there are two key roles appointed:

1) Service Owner (i.e. the business owner)

Ben Packman – Chief Strategy Officer

Ben has 6 yrs experience specifically in the Post-Quantum Cryptography (PQC) market, having started working with PQShield founder, Dr Ali El Kaafarani, on day 2 of the business back in 2018 and helped lead the company through its involvement with all PQC schemes announced by NIST to date.

Ben leads PQShield’s global expansion through sales and partner growth across multiple vertical markets, advising customers on their migration to PQC, alongside taking a lead role in briefing both the government and the supply chain on the quantum threat.

A strategic leader and natural problem solver with a proven track record of delivering innovative, creative and successful commercialisation and G2M across a diverse range of business areas, both domestically and internationally. 30+ yrs experience in technology, health, media, and telecoms, as well as advising multiple startups in the UK tech space.

Ben is a constant presence in PQC working groups globally, including the example groups below:

• NIST – Liaison with NIST on PQC standards
• NCCoE – Key Member of PQC working group
• MITRE – Founder of MITRE’s PQC Coalition with IBM Quantum and Microsoft
• WHITE HOUSE –  Key PQC liaison
• EUROPEAN PARLIAMENT –  Key PQC liaison
• UK NCSC –  Key PQC liaison
• WEF –  Member of PQC working group
• DIGITAL CATAPULT –  PQC advisory
• DIGITAL REGULATION COOPERATION FORUM –  PQC Advisory
• GSMA –  Member of PQC working group

2) Lead Consultant (i.e. the delivery engine)

Dr Luke Mather – Lead Solutions Architect

Luke holds a PhD in applied cryptography from the University of Bristol, UK. He has multiple published articles on the topic of using statistical hypothesis tests to gain confidence that highly-protected systems such as payment cards are not leaking information on the secret information they process.

His interests are in the role of cryptographic primitives and protocols as building blocks in the construction of secure systems. He has more than 10 years of industry experience in enterprise, IoT and embedded systems environments. This experience includes topics ranging from architecture and design specification work, down to the implementation, delivery and deployment of solutions, ensuring that he is able to take into account a wide range of considerations when analysing system security in the future.

Recent client engagements include:

• Defence client – Generated an assessment of the impact of quantum cryptanalysis on existing and future weapons platforms, including the performance and implementation characteristics of the appropriate quantum-safe algorithms.  Identified a set of approaches for achieving quantum-safe communications between the relevant systems.
• Enterprise client – Supported this client in exploring the migration of their existing cryptographic services infrastructure to use quantum-safe algorithms.  This assessment included an analysis of the supply-chain constraints that limit their implementation strategy and considered the future agility necessary to ensure that this challenging migration task did not need to be repeated in the future.
• Manufacturing client – Performed a security analysis of a set of access control systems products for which attackers would have physical access.  This analysis identified one communications path with unacceptable risk, and resulted in follow-up work that included the design, benchmarking and specification of a lightweight secure communications protocol to protect it.
• Manufacturing client – Designed the system security architecture for secure communication between white goods appliances and cloud services.  Developed small, efficient implementations of cryptographic primitives and protocols for integration into manufacturer devices.  Balanced competing sets of requirements: security, certification, engineering risk, time-to-market.
• Semiconductor client – Architected and supported the implementation of a key management system used as part of a larger digital rights management solution.  Collaborated with the client on a suitable threat model for this internal system and designed a lightweight but secure user authentication and authorization capability.

High level overview of our Discovery approach

A high-level summary of our approach to discovery is to use a desktop study of the risks associated with data held and the cryptographic architecture of the systems and services that process it, informed by an analysis of an organisation’s supply-chain.

As such, we envisage most engagements requiring clients to make personnel available from a range of teams (e.g. architects, asset management, operations). An effective engagement requires the client to understand this need and stakeholders to obtain sufficient internal buy-in to make personnel available. We ensure that the client fully understands our approach and the underlying rationale, and have developed small training modules that can be delivered to help achieve this in a repeatable manner.

We recognise that the operational domains of different clients vary and that it is critical to establish whether PQShield’s internal expertise is sufficient to satisfy the requirements of a particular engagement before the onset. PQShield has several partners and emerging partnerships where the technical domain or scale of an engagement requires additional resources, for example:

• Capgemini
• CGI
• Roke
• Tata Consulting Services

High level overview of our Advice approach

Our team has deep cryptographic expertise: we are co-authors of the PQC standards announced by NIST and participate in the follow-on standardisation of these into protocols and higher-level systems (e.g. in the IETF, GSMA). We track NCSC’s published positions on PQC and cryptography more widely, and have a process for selecting appropriate guiding principles prior to each engagement, including ensuring advice exactly matches NCSC positions for the appropriate customers.

We have observed that cryptographic advice is best considered alongside the broader migration planning context for an organisation. For example, cost is often a key consideration in determining whether brownfield devices should be ‘uplifted’ to be quantum-safe, or whether they should be replaced with quantum-safe-by-design greenfield devices.  

Our team’s existing experience in the domains of secure systems integration and cryptographic security architecture has also enabled us to support customers in the ‘wider’ discovery activities of building an understanding of their estate. This can include (re-)discovering the rationale behind architectural choices, re-assessing risks to the data being processed, and identifying how components are managed (e.g. in house, via service provider). The objective is to build up an understanding of the estate that enables the identification of an efficient migration strategy informed by the broader risks and drivers within the business (e.g. existing supplier contract management).

For more information on the Assured Cyber Security Consultancy (ACSC), visit the website.