NIST finalizes Cybersecurity Whitepaper 39 – considerations for crypto agility

Considerations for Achieving Crypto Agility: Strategies and Practices is the latest publication from NIST, now released in its final form as CSWP 39 in December 2025. It’s a comprehensive guide for organizations on transitioning away from static cryptographic implementations, and it points towards a more flexible ‘crypto agile’ posture.

Crypto agility reflects the ability to replace or adapt cryptographic infrastructure without disrupting system operations or security. With a crypto agile position, an organization can consider its cryptography as a modular, manageable system property, rather than a hard-coded feature.

The paper identifies several technical ‘levers’ to aid crypto agility, which are interesting to consider. For example:

  • Modularity – separating cryptographic algorithms from the application logic, allowing developers to easily switch out libraries or algorithms
  • Abstraction via APIs – standardized APIs can help applications call for a secure connection rather than a specific algorithm
  • Policy/Mechanism separation – storing cryptographic policies in config files or management consoles means they no longer need to be hard-wired in the source code
  • Hybrid Mechanisms – supporting the use of hybrid post-quantum/traditional (PQ/T) schemes during the transition period helps maintain security against both current and future threats.
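The modularity and policy/mechanism levers above can be shown in a few lines. This is an added example, not code from CSWP 39 or from PQShield: the `audit-log` purpose, the policy layout and the function names are assumptions, and the two HMAC variants stand in for whichever algorithms a real migration would involve.

```python
import hashlib
import hmac
import json

# Mechanism layer: every algorithm sits behind one call signature (modularity).
MECHANISMS = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

# Policy layer: constructed sample policies that would normally live in a
# config file. V1 is the starting state, V2 the transition, V3 the end state.
POLICY_V1 = '{"audit-log": {"current": "hmac-sha256", "accepted": ["hmac-sha256"]}}'
POLICY_V2 = ('{"audit-log": {"current": "hmac-sha3-256", '
             '"accepted": ["hmac-sha3-256", "hmac-sha256"]}}')
POLICY_V3 = '{"audit-log": {"current": "hmac-sha3-256", "accepted": ["hmac-sha3-256"]}}'

def load_policy(text):
    """Parse a policy and fail closed if it names an unregistered algorithm."""
    policy = json.loads(text)
    for purpose, rule in policy.items():
        names = set(rule["accepted"]) | {rule["current"]}
        unknown = names - set(MECHANISMS)
        if unknown:
            raise ValueError(f"{purpose}: no mechanism for {sorted(unknown)}")
        if rule["current"] not in rule["accepted"]:
            raise ValueError(f"{purpose}: current algorithm is not accepted")
    return policy

def protect(policy, purpose, key, msg):
    """Tag msg with the policy's current algorithm and record which one was used."""
    alg = policy[purpose]["current"]
    return {"alg": alg, "tag": MECHANISMS[alg](key, msg).hex()}

def verify(policy, purpose, key, msg, record):
    """Return (valid, needs_migration) for a stored record."""
    rule = policy[purpose]
    alg = record.get("alg")
    if alg not in rule["accepted"]:  # retired or unknown algorithm
        return (False, False)
    expected = MECHANISMS[alg](key, msg)
    valid = hmac.compare_digest(expected, bytes.fromhex(record["tag"]))
    # Valid records made under an older algorithm are flagged for re-tagging.
    return (valid, valid and alg != rule["current"])
```

Because each record carries its algorithm name, moving from `POLICY_V1` to `POLICY_V2` to `POLICY_V3` changes what is produced and accepted without touching the calling code.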

The central message of CSWP 39, then, is that crypto agility is no longer an option, but a necessity. With the shortening timeline for quantum threats, organizations must switch their thinking to ‘planned agility’, building systems that are designed to change as the threat landscape evolves. It’s a mission that PQShield has been considering for a while now, and our product suite has specifically been designed with crypto agility in mind. It’s great to see this starting point for organizations that are aiming for flexibility, in a world in which it’s fast becoming essential.