Quantum readinessCisco NetworkingCisco SD-WANCiscoSecurity
Article9 minute read

Building a Quantum-Safe Foundation: WWT and Cisco Accelerate Post-Quantum Readiness

In a rapidly evolving cybersecurity landscape, advances in quantum computing pose a significant threat to current encryption methods.

In this article

This article was written by Nathan Nielsen from WWT, Sumant Mali and Arvind Gangadharan Ramalingam from Cisco.

A cryptographically relevant quantum computer (CRQC) could, in the future, decrypt data that's encrypted today through "harvest now, decrypt later" (HNDL) attacks. With regulations and compliance requirements catching up, it is in the best interest of organizations and governments to get ahead of this by having a post-quantum strategy in place that safeguards their infrastructure. WWT and Cisco are partnering together to accelerate post-quantum readiness by leveraging the Cisco 8000 Series Secure Routers, to help organizations stay secure and compliant.

The following is an estimated timeline based on current industry conditions. As noted, the current-state assessment should already be underway or begin shortly.

 Compliance and regulatory requirements

The threat of decryption of sensitive information by quantum computers has prompted a global response by various regulatory authorities. 

  • CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) is the National Security Agency's (NSA) updated suite of cryptographic algorithms designed to provide security against future quantum computing threats
  • Australian Signals Directorate (ASD) provides guidance in the Information Security Manual (ISM) on protecting against post-quantum threats
  • Government of Canada emphasizes a structured approach to transition cryptographic systems to quantum-resistant algorithms
  • UK National Cyber Security Centre (NCSC) outlines a strategic framework for organizations to transition their cryptographic systems to quantum-resistant algorithms
  • The Indian Telecommunications Engineering Centre (TEC) provides a comprehensive framework for organizations to plan and execute the transition to post-quantum cryptography (PQC)

This coordinated global effort underscores the urgency for organizations to proactively prepare their cryptographic infrastructure, ensuring long-term resilience and compliance in the face of advancing quantum capabilities.

Moving from regulatory compliance to operational readiness requires a proactive approach to infrastructure design. Organizations must deploy solutions that not only meet today's standards but are also flexible enough to adapt to the cryptographic landscape of tomorrow. The Cisco 8000 Series Secure Routers provide the necessary foundation, enabling enterprises to align their network architecture with global compliance and regulatory requirements.

 Cisco 8000 Series Secure Routers

The Cisco 8000 Series Secure Routers are designed to protect your branch offices, campuses, and data centers against the emerging threat of quantum computing. Built with crypto agility at their core, these devices allow organizations to seamlessly update cryptographic algorithms through software as new post-quantum standards evolve. As malicious actors increasingly employ "harvest now, decrypt later" (HNDL) attacks, these routers are engineered to protect sensitive data in transit. 

The Cisco 8000 Series Secure Routers deliver a complete post-quantum strategy across two key dimensions:

  • Quantum-Safe Communications: protecting data in transit through post-quantum-enabled encryption and authentication protocols
  • Quantum-Safe Products: ensuring the integrity of the device itself through secure boot and hardware-anchored trust

 Early field trial results

WWT and Cisco teamed up during the early field trial analysis of the Cisco 8000 Series Secure Routers and ran through an extensive list of testing scenarios. Across various models within the product family, PQC readiness was validated by implementing Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM) cryptography (FIPS 203 standard published by NIST) within the following solutions:

  • IKEv2 IPsec: ML-KEM tunnels were established and verified for quantum-safe key exchange and data integrity. The system seamlessly fell back to classical DH in mixed environments without connectivity issues. This allows for a hybrid implementation that facilitates a phased migration to a PQC-ready architecture.
  • DMVPN: Testing confirmed reliable hub-and-spoke and spoke-to-spoke tunnels, including NHRP resolution and co-existence of ML-KEM/classical DH algorithms.
  • FlexVPN: ML-KEM was successfully negotiated within IKEv2 proposals across hub-spoke topologies, with certificate-based authentication (RSA-sig via PKI trustpoints) confirmed on both hub and spoke devices.
  • MACsec with EAP-TLS: Layer 2 encryption using ML-KEM via EAP-TLS 1.3 was validated, as was the fallback to TLS 1.2 for non-PQC devices. 
  • SSH: SSH client and server functionalities with hybrid ML-KEM implementation were validated with OpenSSH and PuTTY clients. ML-KEM KEX negotiation succeeded reliably.

Note: It is important not to confuse key exchange with data encryption. ML-KEM is an asymmetric key encapsulation mechanism.  Rather than encrypting the actual data/payload, it uses a public/private key pair to establish a shared secret, which the protocol then uses to derive symmetric keys for bulk data encryption. Existing data encryption algorithms such as AES are unchanged.

What makes these results particularly relevant for enterprise deployment is how the platform behaves in brownfield environments, where quantum-ready and legacy devices share the same network. A hard cutover is not realistic for most organizations, and the Cisco 8000 Series Secure Routers do not require one. ML-KEM is negotiated when both peers support it. When the far end does not, the platform falls back to classical algorithms and keeps traffic moving. Migration happens at your pace, device by device, without disrupting live operations.

Below is a table illustrating the various negotiation scenarios supported by hybrid key exchanges and fallback mechanisms:

Across every protocol tested, the results pointed to the same conclusion: the Cisco 8000 is production-ready for quantum-safe deployment today, and it handles the transition gracefully whether the peer is quantum-ready or not. As WWT Principal Solutions Architect Nathan Nielsen put it:

Ultimately, deploying the Cisco 8000 Series Secure Routers allows enterprises to confidently future proof their critical infrastructure and maintain data confidentiality in the post-quantum era.

 The WWT Advantage - leadership, solutions, and programs in this space

Post-quantum readiness is not a product you buy. It is a program you build. It takes strategic alignment, real technical depth, a validated lab environment, and a partner who has already done the hard work. WWT brings all of that.

WWT's PQC practice covers the full spectrum of what Cisco joint customers need to get this right.

Unmatched Cisco partnership

WWT is one of Cisco's top global partners across nearly every category, from architecture and security to services and sales. That depth of relationship means WWT customers get early access to emerging Cisco technologies, direct engagement with Cisco engineering teams, and the ability to co-develop solutions before they are broadly available. WWT's participation in the Cisco PQC Early Field Trial is a direct result of that relationship and a reflection of where WWT sits on Cisco's security roadmap.

The Advanced Technology Center (ATC): Test before you invest

WWT's ATC is one of the most advanced private technology labs in the world, built specifically for proof-of-concept testing, solution validation, and hands-on learning. It is where WWT conducted its PQC validation on the Cisco 8000 Series Secure Routers, and it is available to joint Cisco customers who want to do the same. Whether you need to validate ML-KEM tunnel behavior across your specific DMVPN topology, test mixed-algorithm fallback in your SD-WAN environment, or stress-test MACsec with EAP-TLS against your PKI infrastructure, the ATC gives you a safe, production-like environment to get those answers before they become production problems.

Security practice depth and certifications

WWT's security practice spans architecture, assessment, implementation, and professional services, with deep expertise across network security, zero trust, identity, and cryptographic infrastructure. Our engineers hold expert and advanced Cisco security certifications and work every day at the intersection of networking and security inside some of the most complex enterprise and government environments in the world. PQC demands exactly that combination: practitioners who understand cryptographic standards and know how they behave in real networks under real conditions.

PQC assessment and advisory services

WWT helps organizations figure out where they stand today and what they need to do next. Our PQC advisory engagements start with a cryptographic inventory, identifying where classical encryption lives across your network, applications, and data flows, and finish with a prioritized migration roadmap aligned to NIST post-quantum standards and applicable regulatory frameworks like CNSA 2.0. We put particular emphasis on helping organizations understand the "harvest now, decrypt later" risk as it applies to their specific data classification and retention posture, because that is where the urgency is most often underestimated. Our assessments address both quantum-safe communications and quantum-safe product considerations, including Secure Boot and hardware-anchored trust, to ensure a holistic view of your organization's quantum readiness posture.

PQC readiness workshop

WWT offers a structured Post-Quantum Cryptography (PQC) Readiness Workshop, a focused four-hour engagement designed for CISOs, CIOs, enterprise architects, and technical practitioners. The workshop cuts through the noise around the quantum threat, benchmarks your current cryptographic maturity using WWT's PQC Readiness Scorecard, and produces a high-level action plan for transitioning to quantum-safe algorithms. It is built to work across the full stakeholder spectrum, from the board and regulators to the engineers who will execute the migration. It wraps with practical guidance on de-risking the transition through hybrid mode strategy and ATC-based simulation.

Professional services for end-to-end deployment

For organizations ready to move from strategy to execution, WWT provides professional services to design and implement PQC-ready network architectures using the Cisco 8000 Series Secure Routers. From IKEv2 IPsec and DMVPN configuration to MACsec deployment and SSH hardening, our implementation engineers bring validated, production and lab-tested expertise to every engagement. 

Here is what the path from cryptographic inventory to full quantum-safe deployment looks like in practice.

Thought leadership you can build on

WWT publishes ongoing research and thought leadership on post-quantum cryptography at wwt.com, giving Cisco joint customers access to practitioner-grade content rather than marketing language, to help inform their internal strategies and stakeholder conversations. This article is one part of that broader commitment to helping our customers navigate one of the most consequential infrastructure transitions of the next decade.

The quantum threat is real, regulatory momentum is building, and the window to act before "harvest now, decrypt later" becomes "harvest now, decrypt today" is narrowing. WWT and Cisco are ready to help you close that window before your adversaries do.

 About the Authors

 Nathan Nielsen – Principal Solutions Architect | GS&A Cloud and Infra Solutions at WWT

Sumant Mali – Sr. Product Manager at Cisco

Arvind Gangadharan Ramalingam – Product Manager at Cisco

Technologies