diff --git a/src/lib.rs b/src/lib.rs index 377edab514..3da9d4d233 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -12,6 +12,9 @@ // See the License for the specific language governing permissions and // limitations under the License. +use once_cell::sync::Lazy; +use std::env; + pub mod admin; pub mod app; pub mod assertions; @@ -42,3 +45,7 @@ pub mod xds; #[cfg(any(test, feature = "testing"))] pub mod test_helpers; + +#[allow(dead_code)] +static PQC_ENABLED: Lazy = + Lazy::new(|| env::var("COMPLIANCE_POLICY").unwrap_or_default() == "pqc"); diff --git a/src/tls/lib.rs b/src/tls/lib.rs index a1706756a4..18e46d0c89 100644 --- a/src/tls/lib.rs +++ b/src/tls/lib.rs @@ -14,6 +14,8 @@ use super::Error; +#[allow(unused_imports)] +use crate::PQC_ENABLED; use crate::identity::{self, Identity}; use std::fmt::Debug; @@ -68,14 +70,20 @@ pub(super) fn provider() -> Arc { #[cfg(feature = "tls-aws-lc")] pub(super) fn provider() -> Arc { - Arc::new(CryptoProvider { + let mut provider = CryptoProvider { // Limit to only the subset of ciphers that are FIPS compatible cipher_suites: vec![ rustls::crypto::aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384, rustls::crypto::aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256, ], ..rustls::crypto::aws_lc_rs::default_provider() - }) + }; + + if *PQC_ENABLED { + provider.kx_groups = vec![rustls::crypto::aws_lc_rs::kx_group::X25519MLKEM768] + } + + Arc::new(provider) } #[cfg(feature = "tls-openssl")]
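Review bot: The `PQC_ENABLED` initialiser in src/lib.rs fails open: only the exact string `pqc` enables the policy, so a different case, stray whitespace, or a non-Unicode value swallowed by `unwrap_or_default()` silently leaves the default key-exchange groups in place. For a compliance switch I would normalise the value, e.g. `env::var("COMPLIANCE_POLICY").map(|v| v.trim().eq_ignore_ascii_case("pqc")).unwrap_or(false)`, and log the resolved policy once at startup so an operator can confirm it took effect. As far as this diff shows, only the `tls-aws-lc` provider reads the flag, so builds with another TLS feature appear to accept `COMPLIANCE_POLICY=pqc` and ignore it without any message. Gating the static and its import in src/tls/lib.rs with `#[cfg(feature = "tls-aws-lc")]` instead of `#[allow(dead_code)]` / `#[allow(unused_imports)]` would make that explicit. A `///` comment naming the variable, the accepted value and its effect is also missing.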
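Review bot: The `if *PQC_ENABLED` branch in the `tls-aws-lc` `provider()` replaces `kx_groups` with a single hybrid group, so with the policy on, any peer that does not offer X25519MLKEM768 will fail the handshake, and nothing in the block states that dropping the classical groups is intended. Add a comment in the style of the cipher-suite one, e.g. `// PQC policy: offer only the hybrid X25519MLKEM768 group, no classical fallback`, so the restriction is not later "fixed" by appending groups. The assignment also lacks a trailing semicolon, unlike the statements around it: `provider.kx_groups = vec![rustls::crypto::aws_lc_rs::kx_group::X25519MLKEM768];`. Because the flag is a process-wide `Lazy` read from the environment, neither branch can be unit-tested in isolation; a small helper that takes the bool as a parameter would allow a test asserting that the resulting provider carries exactly one key-exchange group.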