⚛️ Post-Quantum Preparedness

Your compliance data,
on a documented path to post-quantum protection.

The UK NCSC expects organisations handling sensitive data to complete a cryptographic inventory and migration plan by 2028, and full migration by 2035. PICMS started early. Today, all cryptographic operations in our application code go through a single audited wrapper. Our internal Cryptographic Bill of Materials documents every primitive, where it is used, and how it would migrate to NIST FIPS 203/204 algorithms when those become available in our runtime. Automated data retention reduces our “harvest now, decrypt later” exposure by removing data we no longer need.

Start Free Trial Read our public CBOM

The UK NCSC and ICO have published guidance asking organisations handling sensitive data to inventory their cryptographic surface by 2028 and complete migration to post-quantum algorithms by 2035. PICMS has chosen to start early. Our cryptographic posture, documented inventory, and migration plan are designed to meet those dates — and to give your ISMS a vendor whose work is already showing on the page.

Built around Annex A.8.24

What we've already done

These are not roadmap items. Every control below runs in production today and is documented in our internal Cryptographic Bill of Materials — available to your auditor on request.

Cryptographic Bill of Materials Live

Every cryptographic primitive in our application code is inventoried and classified by quantum vulnerability. All in-application cryptography is symmetric (AES-256-GCM, HMAC-SHA-256, SHA-256) — no asymmetric primitives are invoked in PICMS source code. Transport-layer TLS and identity-token verification inherit the AWS and Auth0 cryptographic stacks, which are on their own published PQC roadmaps. Live and queryable at picms.com/cbom.json.

Crypto-Agile Architecture Live

PICMS centralises symmetric cryptographic operations through a single wrapper module (crypto-provider.js). This concentrates our hash, HMAC, AES-GCM, and CSPRNG calls behind one audited entry point — the foundation an organisation needs in order to migrate algorithms quickly when NIST post-quantum primitives become available in our runtime.

Data Retention Policies Live

Briefing-cache rows older than 90 days are hard-deleted daily; fleet-learning-patterns older than 2 years are archived to a separate table on the same schedule. Every cleanup run writes a row to retention_cleanup_log with table, policy, row count, and timestamp.

Customer-Verifiable Signed Exports Live

Weekly S3 export bundles are signed with both an HMAC-SHA-256 (PICMS-internal) and an Ed25519 detached signature that any customer can verify independently with just the public key — no PICMS contact required. The public key, a zero-dependency verifier script, and a fingerprint published in /cbom.json are all live. Sidecar <key>.sig file carries both signatures + a plaintext SHA-256.

What this means for your ISMS

Choosing PICMS gives you documented evidence across multiple ISO 27001 controls — without lifting a finger.

A.8.24 Use of Cryptography (ISO 27001:2022)

Your platform vendor maintains a public Cryptographic Bill of Materials covering every primitive used in PICMS application code, available at picms.com/security/cbom. This supports the documentation expectations of A.8.24 (use of cryptography) when PICMS is in scope of your ISMS as a supplier.

Crypto-Agility as a Control

The wrapper architecture demonstrates that algorithm migration has been planned for symmetric-cryptography callsites. Auditors can inspect the wrapper, the public CBOM, and our published PQC roadmap to see the planned transition path and current state.

Data Minimisation & Retention

Automated retention policies with daily enforcement and a complete audit trail. Reduces the “harvest now, decrypt later” attack surface by ensuring data doesn't persist beyond its useful life.

Export Integrity Assurance

Each weekly S3 export bundle is signed with both an HMAC-SHA-256 (PICMS-internal) and an Ed25519 detached signature. Your auditor can verify any bundle independently with just the published public key plus a zero-dependency Node script — no PICMS server contact, no shared secret. Sidecar dual-hash verification (SHA-256 plaintext digest + HMAC-SHA-256 over gzipped bytes) with constant-time comparison. Migration path to ML-DSA (NIST FIPS 204) documented for the wrapper module when Node ships it.

NCSC Guidance Alignment

PICMS's posture aligns with the NCSC's "Preparing for Quantum-Safe Cryptography" guidance: inventory your cryptographic assets, plan for agility, and prioritise long-lived data.

ICO Data Protection by Design

The ICO expects controllers to consider future threats under UK GDPR Article 25. Choosing a crypto-agile platform demonstrates proactive data protection by design and by default.

The clock is already running

The NCSC and ICO are not waiting for quantum computers to arrive before expecting organisations to act. Here is where we are.

August 2024

NIST Post-Quantum Standards Finalised

NIST published FIPS 203 (ML-KEM, lattice-based key encapsulation), FIPS 204 (ML-DSA, lattice-based digital signatures), and FIPS 205 (SLH-DSA, hash-based signatures) as the first three post-quantum cryptographic standards.

NIST IR 8413 / PQC Standardisation Project
2024 – 2025

NCSC Publishes Migration Guidance

The UK National Cyber Security Centre published "Preparing for Quantum-Safe Cryptography" — urging organisations to inventory their cryptographic dependencies, identify long-lived data, and build migration roadmaps now, not after quantum computers arrive.

NCSC Quantum-Safe Cryptography Guidance
May 2026 — Now

PICMS publishes its PQC Position

Cryptographic Bill of Materials live at picms.com/security/cbom, with the live algorithm configuration queryable at picms.com/cbom.json. Cryptographic inventory complete; symmetric-crypto wrapper live in production; migration path documented — two years ahead of NCSC's 2028 inventory deadline.

PICMS PQC Sprint — April 2026, position published May 2026
By 2028

NCSC Inventory & Plan Deadline

The UK National Cyber Security Centre expects organisations handling sensitive data to have completed a cryptographic inventory and documented their migration plan by 2028. PICMS aims to be a vendor whose own work is already showing on the page when your auditor asks.

NCSC PQC Migration Guidance, Phase 1
By 2035

NCSC Full Migration Deadline

NCSC guidance asks organisations handling sensitive data to complete migration to NIST post-quantum algorithms by 2035. Data encrypted today with RSA-2048 or ECC P-256 that is harvested now and stored by adversaries could be decrypted retroactively once a cryptographically relevant quantum computer is available — the “harvest now, decrypt later” threat. Organisations without a documented plan and an agile architecture risk emergency migrations under pressure.

NCSC PQC Migration Guidance, Phase 3 / ETSI QSC
⚛️

2028 will arrive whether you've planned for it or not.

Your compliance data deserves a platform that treats cryptographic controls as an engineering discipline, not a checkbox. Start your free trial — or read the security & compliance roadmap.

Start Free Trial Read our Security & Compliance Roadmap