Post-quantum Readiness for Long-Retention Public Records

Insights That Drive Secure Communication Forward

Introduction

Quantum computing is changing the risk profile of long-retention public records. While large-scale quantum attacks are not yet operational, adversaries can already capture encrypted data and decrypt it later once quantum capabilities mature. For records that must remain confidential or verifiable for decades, this creates a time-shifted exposure that traditional security planning does not address.

This article explains why long-retention public records face a distinct post-quantum risk, summarizes the standards and government guidance shaping post-quantum migration, and presents a practical roadmap for governments and regulated organizations to assess exposure, prioritize systems, and plan a structured transition based on authoritative sources such as NIST, CISA, and the UK National Cyber Security Centre.

Why long-retention public records face a different risk profile

Most enterprise security models assume confidentiality only needs to hold for months or a few years. Public records rarely fit that assumption. Notices, permits, enforcement decisions, benefits records, procurement files, and regulatory correspondence are often retained for decades, sometimes permanently.

For these records, two risks matter simultaneously:

  • Confidentiality risk: Widely deployed public-key cryptography, including RSA and elliptic-curve systems, is vulnerable to future quantum attacks. Data encrypted today may be readable later.
  • Integrity and non-repudiation risk: Digital signatures that underpin official decisions must remain verifiable long after issuance, even as algorithms weaken and trust anchors expire.

Records authorities already recognize that cryptography affects long-term accessibility and preservation. The U.S. National Archives and Records Administration (NARA), for example, notes that encryption and rights-management mechanisms can complicate lawful access, transfer, and preservation of permanent records if not planned carefully.

Post-quantum readiness is therefore not just a cybersecurity issue. It is a records-management, legal, and public-trust concern.

The threat model is already acknowledged by governments

U.S. government guidance explicitly describes the risk of “harvest now, decrypt later”, warning that adversaries may collect encrypted data today for future decryption once quantum capabilities mature. This model is particularly relevant for data with long confidentiality or evidentiary lifetimes.

Unlike short-lived enterprise data, public records cannot rely on assumptions about near-term secrecy. Once compromised, the impact is permanent.

The standards landscape is no longer hypothetical

In August 2024, the National Institute of Standards and Technology (NIST) finalized and approved its first post-quantum cryptography standards as Federal Information Processing Standards (FIPS):

  • FIPS 203 – ML-KEM (key establishment)
  • FIPS 204 – ML-DSA (digital signatures)
  • FIPS 205 – SLH-DSA (digital signatures)

These standards provide a concrete baseline for government systems and vendors operating in regulated environments.

At the same time, migration guidance emphasizes that the post-quantum transition is a multi-year effort. The UK National Cyber Security Centre (NCSC) has published post-quantum migration timelines extending to 2035, highlighting the need for early inventory, prioritization, and phased execution.

A practical roadmap for long-retention public records

1. Define what “long-retention” means in risk terms

Organizations should first identify records whose confidentiality or verifiability must hold beyond normal technology refresh cycles, often 10, 20, or 30 years or more.

CISA guidance stresses prioritizing data that would cause harm if decrypted in the future, even if current controls appear sufficient.

Outcome: A retention-linked risk register mapping record types to confidentiality horizon and evidentiary impact.

2. Build and maintain a cryptographic inventory

Most organizations underestimate where cryptography is embedded: TLS endpoints, document signing services, identity platforms, archival systems, APIs, SDKs, and vendor integrations.

The UK NCSC identifies cryptographic discovery and inventory as the first formal milestone in post-quantum migration.

Outcome: A cryptographic bill of materials (CBOM) covering algorithms, protocols, certificates, libraries, and dependencies by system.

3. Prioritize systems by exposure, retention, and transition complexity

For public records, the highest priorities typically include:

  • External portals and APIs handling citizen or contractor data
  • Identity and digital signing systems supporting official notices
  • Archival and evidence repositories with multi-decade retention

ETSI guidance supports phased migration toward a fully quantum-safe state rather than simultaneous replacement across all systems.

Outcome: A ranked migration plan with owners, dependencies, and validation checkpoints.
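The following is an added example, not code from the article or from any agency, showing how steps 1 to 3 can be made concrete: a retention-linked risk register that flags record classes whose confidentiality horizon outlives an assumed planning year, and a ranking of quantum-vulnerable entries in a cryptographic inventory (CBOM) by exposure, retention and transition complexity. The record classes, systems, scoring weights and the planning year are constructed inputs; the algorithm names are real algorithm families but their placement in systems is illustrative.

```python
"""Retention-linked risk register (step 1) and migration ranking over a
cryptographic inventory, or CBOM (steps 2-3). Constructed example: the
record classes, systems, scoring weights and planning year are illustrative
inputs, not data or policy from any agency."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Public-key algorithms broken by a cryptographically relevant quantum computer.
QUANTUM_VULNERABLE = {"RSA-2048", "RSA-3072", "RSA-4096",
                      "ECDSA-P256", "ECDH-P256", "X25519", "Ed25519"}


@dataclass(frozen=True)
class RecordClass:
    name: str
    system: str                     # system that stores or signs the records
    retention_years: Optional[int]  # None means permanent retention
    evidentiary_impact: int         # 1 (low) to 3 (high): harm if forged or disclosed


@dataclass(frozen=True)
class CbomEntry:
    system: str
    component: str   # where the algorithm is embedded (TLS, signing, key wrap ...)
    algorithm: str
    purpose: str     # "confidentiality" or "signature"
    external: bool   # reachable by citizens or contractors
    agile: bool      # swappable by configuration rather than redesign


def confidentiality_horizon(rec: RecordClass, today: date) -> Optional[int]:
    """Year until which the record must stay confidential or verifiable; None = forever."""
    return None if rec.retention_years is None else today.year + rec.retention_years


def build_register(records, today, planning_year):
    """Step 1: map record classes to their horizon and flag those that must still
    hold beyond planning_year, the assumed year after which today's public-key
    cryptography can no longer be relied on (a constructed planning parameter)."""
    register = []
    for rec in records:
        horizon = confidentiality_horizon(rec, today)
        register.append({"record": rec.name, "system": rec.system, "horizon": horizon,
                         "impact": rec.evidentiary_impact,
                         "pq_in_scope": horizon is None or horizon > planning_year})
    return register


def rank_migration(cbom, records, today, planning_year):
    """Steps 2-3: score each quantum-vulnerable CBOM entry by exposure, retention
    and transition complexity; a higher score means migrate earlier."""
    register = build_register(records, today, planning_year)
    ranked = []
    for entry in cbom:
        if entry.algorithm not in QUANTUM_VULNERABLE:
            continue  # already post-quantum (or symmetric): no migration item here
        rows = [r for r in register if r["system"] == entry.system]
        exposure = 3 if entry.external else 1
        if any(r["horizon"] is None for r in rows):
            retention = 3   # permanent records: harvest-now-decrypt-later always applies
        elif any(r["pq_in_scope"] for r in rows):
            retention = 2   # confidentiality must outlive the planning year
        else:
            retention = 0   # data expires before the assumed risk materialises
        impact = max((r["impact"] for r in rows), default=0)
        complexity = 0 if entry.agile else 1   # non-agile systems need the longest lead time
        ranked.append({"system": entry.system, "component": entry.component,
                       "algorithm": entry.algorithm,
                       "score": exposure + retention + impact + complexity})
    return sorted(ranked, key=lambda r: (-r["score"], r["system"], r["component"]))


# Constructed sample inputs.
RECORDS = [
    RecordClass("Building permits", "permits-portal", 30, 2),
    RecordClass("Enforcement decisions", "signing-service", None, 3),
    RecordClass("Procurement files", "procurement-app", 7, 2),
    RecordClass("Benefits case files", "archive", 20, 3),
]
CBOM = [
    CbomEntry("permits-portal", "TLS endpoint", "ECDH-P256", "confidentiality", True, True),
    CbomEntry("signing-service", "document signing", "RSA-2048", "signature", False, False),
    CbomEntry("procurement-app", "TLS endpoint", "X25519", "confidentiality", True, True),
    CbomEntry("archive", "at-rest key wrapping", "RSA-3072", "confidentiality", False, False),
    CbomEntry("archive", "archive timestamping", "ML-DSA-65", "signature", False, True),
]
TODAY = date(2025, 1, 1)
PLANNING_YEAR = 2035

if __name__ == "__main__":
    for row in rank_migration(CBOM, RECORDS, TODAY, PLANNING_YEAR):
        print(f"{row['score']}  {row['system']:16} {row['component']:22} {row['algorithm']}")
```

With these inputs the signing service for permanent enforcement decisions ranks first even though it is internal, because permanent retention and non-agile RSA signing dominate the score, while the procurement portal's TLS endpoint ranks last because its 7-year records expire before the planning year. The entry already using ML-DSA-65 produces no migration item. The weights are deliberately simple; the point is that the ranking is derived from the register and the inventory rather than from a system's visibility alone.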

4. Design for crypto-agility, not one-time replacement

Post-quantum algorithms will evolve. Readiness depends on crypto-agility: the ability to change algorithms and parameters without redesigning entire systems.

Aligning implementations with NIST-approved PQC standards reduces fragmentation and procurement risk.

Outcome: Architecture standards and procurement clauses that mandate algorithm agility and cryptographic transparency.

5. Plan explicitly for long-term signature verification

For many public records, authenticity must be provable long after issuance. ETSI standards on advanced electronic signatures describe mechanisms for preserving validation material and renewing trust over time, concepts that remain essential during the post-quantum transition.

Outcome: A policy for evidence preservation, timestamping, and re-validation aligned with retention obligations.
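To show what steps 4 and 5 look like in code, here is an added example that is not part of the article and does not implement any ETSI profile or FIPS 204/205 algorithm. It uses a toy hash-based one-time signature (Lamport, parameterised by hash function) so that it runs with the Python standard library; the algorithm identifiers, seeds, dates and the retirement policy are constructed. The two ideas it demonstrates are crypto-agility (the verifier dispatches on the algorithm identifier carried in the signature envelope rather than hard-coding one scheme) and long-term validation (a renewal chain that preserves the original signature and covers it with a newer one before the older algorithm is retired).

```python
"""Crypto-agile signature envelopes plus a renewal chain for long-term
verification. Added example: the toy Lamport one-time signature, the
algorithm identifiers and the retirement years are constructed for
illustration; they are not FIPS 204/205 algorithms or an ETSI profile."""
import hashlib
import json


def _lamport(hashname):
    """Hash-based one-time signature parameterised by the hash function, so one
    implementation backs several algorithm identifiers. Demo only: keys are
    derived deterministically from a seed and each key must sign once."""
    def H(b):
        return hashlib.new(hashname, b).digest()

    def keygen(seed):
        sk = [[H(seed + bytes([i, b])) for b in (0, 1)] for i in range(256)]
        return sk, [[H(s) for s in pair] for pair in sk]

    def bits(msg):
        d = H(msg)
        return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

    def sign(sk, msg):
        return [sk[i][b] for i, b in enumerate(bits(msg))]

    def verify(pk, msg, sig):
        return len(sig) == 256 and all(
            H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

    return keygen, sign, verify


# Crypto-agility: verifiers dispatch on the identifier carried in the envelope.
ALGORITHMS = {"LAMPORT-SHA256": _lamport("sha256"),
              "LAMPORT-SHA3-256": _lamport("sha3_256")}
# Constructed policy: year from which an algorithm is no longer trusted.
RETIRED_FROM = {"LAMPORT-SHA256": 2031}


def make_envelope(alg, seed, msg, issued):
    keygen, sign, _ = ALGORITHMS[alg]
    sk, pk = keygen(seed)
    return {"alg": alg, "issued": issued,
            "pk": [[p.hex() for p in pair] for pair in pk],
            "sig": [s.hex() for s in sign(sk, msg)]}


def verify_envelope(env, msg):
    _, _, verify = ALGORITHMS[env["alg"]]   # no scheme is hard-coded here
    pk = [[bytes.fromhex(p) for p in pair] for pair in env["pk"]]
    return verify(pk, msg, [bytes.fromhex(s) for s in env["sig"]])


def covered_bytes(bundle, n):
    """Canonical bytes renewal n covers: record, original signature, earlier renewals."""
    return json.dumps({"record": bundle["record"].hex(), "signature": bundle["signature"],
                       "renewals": bundle["renewals"][:n]}, sort_keys=True).encode()


def sign_record(record, alg, seed, issued):
    return {"record": record, "signature": make_envelope(alg, seed, record, issued),
            "renewals": []}


def renew(bundle, alg, seed, issued):
    """Archive renewal: a fresh signature with a newer algorithm over everything
    already in the bundle, so validation material is preserved, not replaced."""
    msg = covered_bytes(bundle, len(bundle["renewals"]))
    bundle["renewals"].append(make_envelope(alg, seed, msg, issued))
    return bundle


def verify_bundle(bundle, now):
    """Accept only if every link verifies and each link whose algorithm is retired
    by `now` was renewed (next link issued) before that retirement year."""
    if not verify_envelope(bundle["signature"], bundle["record"]):
        return False
    for k, env in enumerate(bundle["renewals"]):
        if not verify_envelope(env, covered_bytes(bundle, k)):
            return False
    chain = [bundle["signature"]] + bundle["renewals"]
    for k, env in enumerate(chain):
        retired = RETIRED_FROM.get(env["alg"])
        if retired is None or retired > now:
            continue   # still trusted at verification time
        if k + 1 >= len(chain) or chain[k + 1]["issued"] >= retired:
            return False   # retired and not renewed while it was still trusted
    return True


def demo():
    """Constructed record: signed 2025, checked 2028, renewed 2030, checked 2040."""
    record = b"Enforcement decision 2025-117: permit revoked"
    bundle = sign_record(record, "LAMPORT-SHA256", b"issuer-seed-2025", issued=2025)
    before_retirement = verify_bundle(bundle, now=2028)
    unrenewed_after = verify_bundle(bundle, now=2040)
    renew(bundle, "LAMPORT-SHA3-256", b"archive-seed-2030", issued=2030)
    renewed_after = verify_bundle(bundle, now=2040)
    bundle["record"] = record + b"?"   # tampering breaks the whole chain
    tampered = verify_bundle(bundle, now=2040)
    return before_retirement, unrenewed_after, renewed_after, tampered


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The verifier never discards the 2025 signature: it is kept as evidence and its algorithm's retirement is tolerated only because a renewal issued in 2030, while that algorithm was still trusted, covers the record together with the original signature. A renewal issued after the retirement year is rejected, which is the policy check a records authority would want to make explicit alongside timestamping and re-validation schedules.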

6. Pilot before scaling

Controlled pilots allow organizations to assess performance impact, interoperability, operational readiness, and auditability before migrating high-assurance workflows.

NCSC guidance emphasizes staged execution to avoid disruption and evidentiary gaps.

Outcome: Documented pilot results with clear go/no-go criteria.

What policy-makers and procurement teams should require

For long-retention public records, requirements should be explicit and testable:

  • Alignment with NIST PQC FIPS 203, 204, and 205
  • A maintained cryptographic inventory and migration plan
  • Evidence designs that support long-term verification
  • Exportable, reproducible evidence suitable for audit and legal review

These criteria move post-quantum readiness from aspiration to demonstrable capability.

Conclusion

Post-quantum readiness is no longer about predicting when quantum computers will arrive. It is about recognizing that data can be copied instantly, while cryptographic and evidentiary transitions take years.

Governments and regulated organizations now have finalized standards from NIST, clear risk framing from CISA, and credible migration timelines from bodies such as the UK NCSC. For long-retention public records, delaying action creates asymmetric risk with little benefit.

Organizations that treat post-quantum readiness as part of records governance, linking retention, evidence, and crypto-agility, will be better positioned to preserve public trust and legal certainty in a post-quantum world.