up:: The Mandates MOC

NIST SP 1800-38 (Migration to Post-Quantum Cryptography)

NIST SP 1800-38, “Migration to Post-Quantum Cryptography,” is the hands-on practice guide from NIST’s National Cybersecurity Center of Excellence (NCCoE) that demonstrates, in a lab, how the early phases of a post-quantum migration actually work. Where the binding mandates tell agencies that they must move and what to inventory, SP 1800-38 is the how. It shows automated tooling that discovers where quantum-vulnerable public-key cryptography is being used, and it documents interoperability and performance testing of draft post-quantum algorithms inside real protocols like TLS, SSH, QUIC, and X.509 certificate chains. It’s a voluntary practice guide, not a standard and not a regulation, so it binds no one.

The short version:

  • SP 1800-38 is a NIST NCCoE practice guide, the federally produced how-to companion to the binding post-quantum mandates, run by project lead Bill Newhouse with a large public-private consortium.
  • It exists because NSM-10 section 3(c)(ii) directed NIST to establish a Migration to Post-Quantum Cryptography project at the NCCoE to work with the private sector on finding and fixing quantum-vulnerable systems.
  • It’s a voluntary practice guide. It binds no one. It demonstrates and recommends, it doesn’t mandate.
  • It comes in three volumes: A (Executive Summary), B (Cryptographic Discovery), and C (Testing Draft Standards for Interoperability and Performance). There is no Volume D.
  • It’s most useful to federal civilian agencies working their OMB M-23-02 discovery obligations, to vendors integrating post-quantum cryptography into products, and to enterprise architects designing a discovery-then-migration program in any sector.

Think of SP 1800-38 as the government’s test kitchen. The mandates set the date the new dish has to be on the menu. Before any agency has to cook it in front of paying customers, NIST and a room full of vendors make it first in a controlled kitchen, find out which pans crack under the heat, and publish the recipe cards. A practice guide like that is easy to overlook right up until it saves your team from burning its own first batch.

What is NIST SP 1800-38?

NIST SP 1800-38 is a Cybersecurity Practice Guide produced by the NCCoE, part of NIST, for its “Migration to Post-Quantum Cryptography” project. A practice guide in the SP 1800 series is a documented reference implementation: it walks through a real-world problem, builds an example solution with named collaborators, and publishes the approach, architecture, and security characteristics so others don’t have to start from a blank page. The project is led by Bill Newhouse, an NCCoE cybersecurity engineer, and it runs as a public-private consortium of cloud providers, security vendors, and cryptographic-tooling firms.

Source: NIST NCCoE, “Migration to Post-Quantum Cryptography,” project page.

A few things about its standing are worth being precise on, because they change how you cite it:

  1. It’s a practice guide, not a standard. The SP 1800 series demonstrates reference implementations. It sits apart from the SP 800 series (technical guidance) and the FIPS series (mandatory standards). A 1800-series guide shows one worked way to solve a problem; it doesn’t set a rule anyone has to follow.
  2. It was directed by policy, not issued as one. The project exists because NSM-10 section 3(c)(ii) told the Secretary of Commerce, through the Director of NIST, to stand it up. SP 1800-38 is the documented output of that directive, the lab work behind the policy, rather than the policy itself.
  3. It’s published in draft. The volumes have been released as preliminary drafts for public comment. Volume A came first (March/April 2023), with Volumes B and C released as preliminary drafts in December 2023, and the comment window running into 2025. [OPERATOR VERIFY: whether a final, non-draft SP 1800-38 has been formally published as of mid-2026, and the final publication date. Late-2025 reporting described an October-2025 release, but CSRC still surfaces preliminary-draft and withdrawn-draft records. Treat the “preliminary draft” status as authoritative until the CSRC final record is confirmed.]

Source: NIST CSRC, SP 1800-38 initial preliminary reviewed draft record; NCCoE, open public comment announcement for Volumes B and C.

Who does SP 1800-38 apply to, and does it bind anyone?

SP 1800-38 binds no one. It’s a voluntary practice guide, and its reach is by usefulness, not by force of law. An agency doesn’t demonstrate compliance with any mandate by adopting SP 1800-38; it demonstrates compliance through inventories and migration progress, and the practice guide is the reference that makes that work easier. Three audiences get the most out of it:

  1. Federal civilian agencies working their OMB M-23-02 cryptographic-inventory and discovery obligations. The discovery volume is the practical companion to M-23-02’s requirement to inventory cryptography at the algorithm level, and the NCCoE project is exactly the kind of public-private information exchange that NSM-10 and M-23-02 contemplate.
  2. Vendors and implementers integrating post-quantum cryptography into products. The interoperability findings in Volume C are a shared resource that spares the industry from each firm repeating the same compatibility testing in isolation.
  3. Enterprise architects in any sector building a discovery and migration program. The discovery-tooling examination in Volume B and the protocol-integration findings in Volume C transfer cleanly to commercial environments, even though the mandate behind the project is federal.

For a commercial team with no federal nexus, SP 1800-38 is still the best public starting point for designing a discovery-then-interoperability sequence, with the honest caveat that it’s a draft demonstration and its findings read as informative rather than as a compliance baseline.

How is SP 1800-38 structured?

SP 1800-38 is published in three volumes, A through C, each aimed at a different reader. There is no Volume D. The split matters because the executive audience and the engineering audience need different documents, and because the two hardest early phases of a migration, discovery and interoperability, get a volume each.

VolumeTitleWhat it coversPrimary audience
AExecutive SummaryA high-level overview of the project’s purpose, audience, and findings.Executives, program owners, decision-makers
BQuantum Readiness: Cryptographic DiscoveryThe approach, architecture, and security characteristics of automated tools that discover where public-key cryptography is used across an estate.Security architects, engineers running discovery
CQuantum Readiness: Testing Draft Standards for Interoperability and PerformanceInteroperability and performance testing of draft post-quantum algorithms inside real protocols and infrastructure.Implementers, protocol and product engineers

Source: NIST CSRC, SP 1800-38 draft record; NCCoE, project page.

What does the cryptographic discovery work (Volume B) show?

Volume B is the demonstration that you can’t migrate cryptography you can’t find, so automated discovery of where and how public-key cryptography is used is the prerequisite to everything else. The volume exercises contributed discovery tools to establish baseline capabilities, and it lays out several things a reader can act on:

  1. A functional test plan that runs the contributed discovery tools to establish what they can and cannot detect.
  2. A use-case scenario that scopes the demonstration to a realistic environment.
  3. An examination of the threats the demonstration addresses.
  4. A multi-faceted approach to starting discovery that most organizations can begin today.
  5. A high-level architecture that integrates the contributed tools into one discovery workflow.

This is the technical substrate beneath the CBOM discipline. Volume B is a published, vendor-neutral examination of what automated Cryptographic Discovery tooling actually does, where it falls short, and how to architect a discovery effort, which is what populates a CBOM in the first place.

Source: NIST NCCoE, “Migration to Post-Quantum Cryptography,” Volume B preliminary draft.

What does the interoperability and performance testing (Volume C) show?

Volume C is the demonstration that a post-quantum algorithm which breaks a TLS handshake or a certificate chain isn’t deployable, so it takes interoperability out of the abstract and into a documented test environment. The volume identifies compatibility issues between quantum-ready algorithms and existing protocols, resolves those issues in a controlled non-production environment, and reduces the time individual organizations would otherwise spend repeating the same testing for their own migrations.

Source: NIST NCCoE, “Migration to Post-Quantum Cryptography,” Volume C preliminary draft.

The testing integrated draft post-quantum algorithms into widely used protocols and infrastructure, reported to include TLS 1.3, SSH, QUIC, X.509 certificates, and hardware security modules. [OPERATOR VERIFY: the exact protocol list and which specific products were tested per the final Volume C. The protocol set here is corroborated by secondary reporting and should be checked against the published Volume C text before any client-facing citation.]

Because the draft testing predated final standardization, the documentation referenced the competition-era CRYSTALS-Kyber and CRYSTALS-Dilithium names that became ML-KEM and ML-DSA. Much of the interoperability work connects to hybrid deployment design, since a transitional deployment combines a classical and a post-quantum algorithm, and hybrid combinations are exactly where interoperability tends to break first.

Source: postquantum.com, “NIST SP 1800-38 PQC release” (secondary reporting; flagged for operator verification above).

Who are the collaborators?

SP 1800-38 is a public-private consortium, which is part of what gives it weight: the findings come from real products tested together, rather than from a single vendor’s marketing. The project launched in 2022 with a small founding group and grew to dozens of collaborators.

Reported participants include major cloud and platform providers and cryptographic-tooling vendors, for example AWS, IBM, Microsoft, Samsung SDS, Entrust, PQShield, and wolfSSL, alongside government participants including NSA and CISA. [OPERATOR VERIFY: the current complete collaborator roster and exact count. Secondary sources report figures around 47 collaborators as of 2025, which should be confirmed against the NCCoE project page before citing a number.]

Source: postquantum.com, “NIST SP 1800-38 PQC release” (secondary reporting; flagged for operator verification above).

How does SP 1800-38 relate to the mandates and the standards?

SP 1800-38 is the how-to layer that sits beneath the binding mandates and consumes the finalized standards. It’s the practical companion, never the deadline. Here’s how it lines up with the rest of the transition:

  1. NSM-10 is the policy origin. Section 3(c)(ii) directed NIST to establish the Migration to Post-Quantum Cryptography project at the NCCoE to work with the private sector on discovering and remediating systems that don’t use quantum-resistant cryptography. SP 1800-38 is that project’s documented output.
  2. OMB M-23-02 is the civilian-agency inventory and discovery directive. SP 1800-38’s Volume B discovery work is the tooling layer beneath M-23-02’s algorithm-level inventory requirement.
  3. NIST IR 8547 carries the deprecation and disallowance schedule, the deadline years. SP 1800-38 carries the lab demonstration of the early phases those deadlines require. One is the clock; the other is the how-to.
  4. CBOM is what discovery produces. Volume B’s discovery demonstration is the technical foundation for building one.
  5. Crypto-Agility is the destination. Discovery plus tested interoperability are the preconditions for replacing an algorithm quickly and safely, which is crypto-agility in practice.
  6. FIPS 203, FIPS 204, and FIPS 205 are the standardized algorithms the project tests and demonstrates.
  7. Harvest-now-decrypt-later is the threat model that makes discovery urgent, because you can’t prioritize protecting long-lived data until you know where the vulnerable cryptography lives.

Source: NSM-10, “National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” May 4, 2022, §3(c)(ii).

Common misconceptions

  1. “SP 1800-38 is a mandate you have to comply with.” It’s a voluntary practice guide. It demonstrates and recommends; it binds no one. Compliance lives in the mandates it supports, like M-23-02 and NSM-10, not in the practice guide itself.
  2. “It’s a finalized NIST document.” The volumes have been published as preliminary drafts for public comment. The direction is firm, but treat the specifics as draft until the CSRC final record is confirmed. [OPERATOR VERIFY: final publication status as of mid-2026.]
  3. “SP 1800-38 is just another version of the FIPS standards.” It’s a different kind of document entirely. The FIPS standards define the algorithms; SP 1800-38 demonstrates how to find your old cryptography and test the new algorithms inside real protocols before you deploy them.
  4. “There’s a Volume D with the migration roadmap.” There are three volumes, A through C. No Volume D exists in any primary source, and the guide deliberately stops at discovery and interoperability rather than prescribing a full program.
  5. “It only helps the federal government.” The mandate behind it is federal, but the discovery-tooling and interoperability findings transfer cleanly to any enterprise. For a commercial team, it’s the best public starting point for a discovery-then-interoperability sequence.

Questions people ask

Is SP 1800-38 a law, a standard, or guidance? None of those, exactly. It’s a NIST NCCoE Cybersecurity Practice Guide, a voluntary reference implementation. It shows one worked way to run the early phases of a migration. The binding force lives in the mandates it supports, not in the guide.

Does my organization have to follow it? No. Nothing about SP 1800-38 is mandatory. Federal civilian agencies find it useful for their OMB M-23-02 discovery work, and enterprises in any sector use it as a starting reference, but adopting it is a choice, not an obligation.

What’s the difference between SP 1800-38 and NIST IR 8547? NIST IR 8547 carries the deadline years, the schedule that deprecates and disallows classical algorithms by 2030 and 2035. SP 1800-38 carries the lab demonstration of how to do the early work those deadlines force. One tells you when; the other shows you how.

Is SP 1800-38 finalized yet? The volumes have been published as preliminary drafts for public comment. [OPERATOR VERIFY: whether a final, non-draft version has been formally published as of mid-2026, and its date. Late-2025 reporting described an October-2025 release, but CSRC still surfaces preliminary-draft and withdrawn-draft records.]

Which protocols did the interoperability testing cover? Reported coverage includes TLS 1.3, SSH, QUIC, X.509 certificates, and hardware security modules. [OPERATOR VERIFY: the exact protocol list and tested products against the published Volume C text before any client-facing citation.]

Who runs the project, and who’s involved? The project is led by Bill Newhouse at the NCCoE and runs as a public-private consortium. Reported participants include AWS, IBM, Microsoft, Samsung SDS, Entrust, PQShield, and wolfSSL, alongside NSA and CISA. [OPERATOR VERIFY: the current complete roster and exact count.]

How does it help me build a cryptographic inventory? Volume B is the discovery layer. It’s a vendor-neutral examination of what automated Cryptographic Discovery tools can and cannot do, and discovery output is what populates a CBOM.

Where do I actually read it? The volumes and the project background live on the NCCoE project page at nccoe.nist.gov, with the formal publication records on NIST’s CSRC at csrc.nist.gov.


Everything here is the map, given freely. When your team needs SP 1800-38’s discovery-and-interoperability approach translated into a migration sequenced against your own systems, that’s what an alignment briefing is for.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.