On September 18, 2025, the National Institute of Standards and Technology (NIST) published two post-quantum cryptography (PQC) guidance documents: the final version of Special Publication 800-227, Recommendations for Key-Encapsulation Mechanisms, and an initial public draft of Cybersecurity White Paper (CSWP) 48, Mappings of Migration to PQC Project Capabilities to Risk Framework Documents.
According to NIST’s announcement, SP 800-227 describes the basic definitions, properties, and applications of key-encapsulation mechanisms (KEMs) and provides recommendations for implementing and using KEMs securely. The publication underwent a public comment period that closed on March 7, 2025, and a virtual workshop was held in February 2025 to gather additional input. SP 800-227 provides operational guidance complementing the PQC algorithm standards published by NIST in August 2024, including FIPS 203 (ML-KEM).
CSWP 48, published the same day by NIST’s National Cybersecurity Center of Excellence (NCCoE), maps PQC migration capabilities demonstrated in the NCCoE Migration to PQC project to security objectives and controls in the NIST Cybersecurity Framework 2.0 and SP 800-53 Rev. 5. The draft was open for public comment through October 20, 2025. The mappings are intended to help organizations integrate PQC migration into existing risk management frameworks rather than treating it as a standalone engineering project.
Together, the two publications advance the practical implementation toolkit for organizations transitioning to quantum-resistant cryptography, building on the three PQC algorithm standards (FIPS 203, 204, and 205) finalized in August 2024.