Quantum threats are not just a future problem. Attackers can intercept encrypted data today and hold it until quantum computing makes it easier to break tomorrow.
As quantum computing capabilities evolve, traditional cryptographic standards—including RSA, Diffie-Hellman, and ECC—face growing security risks. Because these algorithms underpin today’s global network traffic security, their susceptibility to quantum-based decryption necessitates that organizations start moving toward quantum-resistant cryptographic (QRC) protocols.
A primary concern is the “harvest now, decrypt later” threat, where adversaries collect encrypted data now with the goal of decrypting it once quantum technology matures. For network and security teams, this shifts quantum readiness from a long-term concern to a near-term planning priority.
That is why Cisco uses a full-stack post-quantum cryptography (PQC) architecture to help protect data throughout its entire lifecycle. By deploying quantum-safe algorithms starting at the hardware boot level, Cisco extends protection across the network stack, while helping organizations prepare for evolving quantum security requirements such as CNSA 2.0.
What is Cisco full-stack PQC?
Announced at Cisco Live Amsterdam 2026, Cisco full-stack PQC integrates NIST-approved PQC algorithms at every layer of the network stack, from secure boot processes to data transport protocols, to help provide end-to-end protection for networking infrastructure.
Cisco C9000 Smart Switches are the industry’s first enterprise switches to support full-stack PQC. Rather than limiting PQC to data in transit, Cisco C9000 Smart Switches embed quantum-safe algorithms at the hardware boot level and in the data plane. In practice, Cisco full-stack PQC helps protect both the device and the transport layer. This provides a future-proof foundation for enterprise network security from initial power-up through data transmission.
How Cisco full-stack PQC protects the network
From the moment a Cisco switch is turned on, before any network traffic is allowed, Cisco Secure Boot verifies the authenticity and integrity of the software running on the device. This hardware-rooted chain of trust helps prevent tampered or malicious code from running, reducing the risk that a compromised device could undermine network security or expose data passing through the device.
The secure boot sequence verifies each stage of the boot process, starting with the Trust Anchor module (TAm) loading the microloader securely. The microloader then validates and loads the bootloader, which in turn verifies and loads the operating system. Rooted in tamper-resistant hardware, this sequence helps establish trust in the software before the device begins normal operation.
As quantum capabilities mature, that chain of trust must also evolve to withstand future attacks. By integrating PQC into the secure boot process, Cisco helps ensure that the hardware-rooted chain of trust remains resilient against those threats.
Applying PQC across the entire stack—from the silicon layer up to the application level—helps organizations protect device integrity and strengthen defenses against future decryption and signature-forgery attacks. Ultimately, Cisco full-stack PQC provides the cryptographic agility needed to help secure tomorrow’s network while reinforcing trust in today’s infrastructure.
Core capabilities of Cisco full-stack PQC
Cisco full-stack PQC helps secure both devices and data across the network through these key capabilities:
- Secure boot with hardware-anchored trust: Cisco C9000 Smart Switches use a TAm embedded in FPGA hardware to establish a quantum-resistant chain of trust only found in Cisco devices. Cisco digitally signs all images using private keys stored securely in the build environment, while public keys are embedded in the TAm hardware. During boot, the TAm verifies the microloader, which then verifies the BIOS/bootloader and the IOS XE image, establishing a chain of trust.
- Quantum-resistant transport security: Cisco IOS XE introduces lattice-based ML-KEM algorithms to strengthen key exchanges in SSH, MACsec, IPsec, and TLS protocols. This helps maintain the security of encrypted data even against quantum-enabled adversaries.
- Comprehensive transport plane protection: PQC is applied to multiple network layers, including Layer 2 (MACsec) and Layer 3 (IPsec), to help protect data confidentiality across campus and WAN environments.
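The secure boot sequence and the hardware-anchored trust capability described above can be modeled as a signature chain; the following is an added sketch, not Cisco code. The page does not name the signature algorithm, so a Lamport one-time hash-based signature stands in as an assumption, and the stage names, image bytes and function names are constructed for illustration.

```python
import hashlib, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair (stand-in scheme): 256 secret pairs, public key = their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def blob(st):
    # Bytes covered by a stage's signature: its code plus the embedded key for the next stage.
    nxt = b"".join(a + b for a, b in st["next_pk"]) if st["next_pk"] else b""
    return st["code"] + nxt

def build_chain(images):
    # Build-environment side: private keys stay here; each stage embeds the next stage's public key.
    keys = [keygen() for _ in images]
    stages = []
    for i, (name, code) in enumerate(images):
        st = {"name": name, "code": code, "next_pk": keys[i + 1][1] if i + 1 < len(keys) else None}
        st["sig"] = sign(keys[i][0], blob(st))
        stages.append(st)
    return keys[0][1], stages  # the root public key is what the trust anchor holds

def boot(root_pk, stages):
    # Device side: verify each stage with the key held by the previous one; halt at the first failure.
    pk, loaded = root_pk, []
    for st in stages:
        if not verify(pk, blob(st), st["sig"]):
            return loaded, st["name"]
        loaded.append(st["name"])
        pk = st["next_pk"]
    return loaded, None

# Constructed sample images, in boot order.
IMAGES = [("microloader", b"ml-v1"), ("bootloader", b"bl-v1"), ("os", b"os-v1")]

if __name__ == "__main__":
    root_pk, stages = build_chain(IMAGES)
    print(boot(root_pk, stages))
```

`boot` returns the stages that loaded and the name of the stage that failed verification, or `None` when the whole chain verified.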
The full-stack PQC road ahead
Cisco continues to enhance PQC capabilities with ongoing platform improvements scheduled through 2026 and beyond. For organizations planning long-lived campus and branch infrastructure, Cisco full-stack PQC represents an important first step in preparing networks for the quantum era with standards-based protection embedded throughout the infrastructure stack.
