Transitioning to Post-Quantum Cryptography: What Federal Agencies Must Do Now

From IC Insider Thales Trusted Cyber Technologies
By Gina Scinta, Deputy CTO, Thales Trusted Cyber Technologies
Has your agency begun its strategy for transitioning to post-quantum cryptography (PQC)? If you’re not fairly far along now, you’re actually a bit behind. New guidance from the administration this past March, along with a memo from the Department of War last year, is ramping up the urgency. In fact, some of the stalwart cryptographic solutions used in the federal sector will be given the axe in the next five years.
Fortunately, there are some simple steps you can follow to start gearing up for your PQC transition. We’ll address those steps in a moment, but let’s first understand the context of this increasingly pressing need for dealing with security in a post-quantum world.
Cyber Strategy and the Push for Infrastructure Security
March 2026 saw the release of this administration’s Cyber Strategy for America. The strategy organizes priorities around six “pillars of action,” each of which has direct implications for both federal contractors and agency cybersecurity teams. Two of those pillars are particularly relevant to this discussion: securing critical infrastructure and modernizing and securing federal government networks.
The modernization pillar in particular calls for accelerating the adoption of cybersecurity best practices, PQC, zero-trust architecture, and the transition to the cloud. This is part of the administration’s desire to have decisions made and implemented at the agency level more quickly.
PQC is becoming essential in securing federal networks. The Cyber Strategy also arrives as the Department of War has announced that it will prioritize solutions using NIST-approved, CNSA 2.0-listed PQC algorithms in lieu of previously accepted quantum-resistant solutions that make use of symmetric key management protocols. The Department will cease to test, pilot, use, or procure commercial solutions using these symmetric key technologies for quantum resistance. So, for agencies and contractors still relying on any of those solutions, the clock is running.
Why the urgency? Experts project the first cryptographically relevant quantum computers could emerge as early as the next decade.
Protecting systems from the quantum computing threat can’t wait until 2030. Harvest now, decrypt later schemes involve collecting data encrypted with classical algorithms today and decrypting it once a sufficiently powerful quantum computer exists. Intelligence, personnel records, and operational communications being transmitted right now are being targeted with this in mind. This is not a future problem.
Meanwhile, past cryptographic migrations across the federal landscape have taken over a decade. From a purely historical perspective, things are already behind schedule.
On top of all this guidance, it’s important to remember that NIST released its first finalized PQC standards in August 2024, and is now in the process of deprecating specific cryptographic primitive algorithms and schemes on a set schedule. Agencies that have not migrated before those cutoff dates will be running deprecated cryptography in critical systems.
A Migration Memo to the Department of War
Back in November 2025, the Department of War released a memo titled, “Preparing for Migration to Post Quantum Cryptography.” The memo was directed to senior Pentagon leadership, combat commands and field activity directors, and laid the groundwork for migrating to PQC. (This guideline memo builds on the Quantum Computing Cybersecurity Preparedness Act of 2022, which requires agencies to develop a PQC transition timeline based on their assessment of how they use potentially vulnerable cryptography.)
“Advancements of Quantum Information Science (QIS) and cryptanalytically relevant quantum computers requires expedited migration to quantum-resistant cryptography to safeguard the Department’s information systems, communications, and personnel,” the November 2025 memo reads.
It goes on to say, “The migration to post quantum cryptography (PQC) must not only be planned and executed with deliberate urgency to maintain warfighter lethality and information dominance in the DoW global ecosystem, but also strategically coordinated…To achieve this level of coordination, we must identify PQC migration points of contact for information sharing and create processes for streamlining intake and prioritization of PQC solutions to support certification activities and timelines.”
The Department’s memo stresses that agencies must receive cryptographic intake and deployment approval before testing, evaluating, piloting, investing in, using, or deploying any quantum-resistant or quantum-resilient technologies. It also bans outright a set of technologies for use in providing confidentiality, authenticity, or integrity on DoD networks:
- Quantum Key Distribution (QKD)
- Solutions combining QKD with other cryptographic keys
- Quantum communications or networking
- Non-local quantum randomness generation
- Non-FIPS random number generation
The use of cryptographic pre-shared keys (PSK) not provisioned through NSA Key Management Infrastructure for Type 1 devices to provide quantum resistance will be sundowned on December 31, 2030. Symmetric Key Establishment, Agreement, and Distribution Protocols will be eliminated a year later, on December 31, 2031.
For future solutions, underlying technology must include crypto agility.
Crypto Agility: The Requirement Behind the Requirement
As organizations prepare for the post‑quantum era, crypto agility becomes essential—enabling systems to adopt PQC algorithms rapidly, minimize operational disruption, and remain resilient as cryptographic standards evolve. Many long‑established cryptographic programs have already internalized these principles, giving them the architectural headroom to absorb PQC’s larger key sizes and increased computational demands with minimal friction. NIST’s Cybersecurity White Paper CSWP 39 reinforces this need by detailing the tradeoffs, operational challenges, and interoperability considerations inherent in achieving true cryptographic agility.
For agencies, the actionable takeaway is clear: every modernization or procurement decision should explicitly require demonstrable crypto‑agility, ensuring that systems acquired today can adapt to tomorrow’s PQC mandates instead of becoming tomorrow’s technical debt. This shifts crypto agility from an abstract aspiration to a concrete acquisition criterion that safeguards mission longevity.
Seven Steps to a PQC Transition Strategy
So what are the steps agencies must take in developing their PQC transition strategy? There are seven:
- Awareness
- Inventory technology/prioritize systems
- Automate crypto discovery
- Automate inventory
- Set up a PQC test environment
- Practice crypto agility
- Apply quantum key generation and implement quantum-resistant algorithms
Let’s take a quick look at each step.
Awareness. Your transition strategy is a top-down initiative. Leadership must be fully aware of the challenge: not only the risks, but the specific actions required to meet them. The harvest now, decrypt later threat means that PQC migration isn’t a future budget line; it’s an active operational risk.
Inventory cryptographic technologies and prioritize high-risk systems. The Office of the National Cyber Director (ONCD) provided specific instructions to federal agencies on inventorying their cryptographic systems. ONCD directed agencies to submit prioritized cryptographic inventories by May 2023. For many, unfortunately, that was a paper exercise. A manual process is less precise than one using available electronic tools, and your cryptographic footprint has grown since that submission.
Automate crypto discovery. Crypto inventory is not a one-time task. Organizations continuously create new cryptographic instances across their environments. Automated discovery is the only practical way to maintain an accurate picture. You cannot migrate what you have not mapped.
Automate discovery and inventory. Multiple vendors offer automated cryptographic discovery tools. Assess what is available and match tools to your environment. Automated tooling surfaces cryptographic dependencies that manual processes miss entirely.
Set up a PQC test environment. Now that the NIST standards are finalized, it is time to upgrade your environment for testing. As previously noted, PQC algorithms generate larger keys, and the performance impact of those larger keys could affect your systems in ways you had not anticipated. Test before you deploy at scale.
Practice crypto agility. Supporting both classical and PQC algorithms simultaneously is what makes an organization crypto agile. Devices and platforms being procured today must be capable of this. If they are not, you have to begin modernizing those systems now.
Apply quantum key generation and implement quantum-resistant algorithms. The foundation of encryption is the quality of the cryptographic keys. Organizations should leverage a quantum random number generator (QRNG) to produce high-quality entropy as the basis for all keys and cryptographic operations. Encryption solutions must use the standardized NIST PQC algorithms, or be crypto-agile with a clear and near-term upgrade path to them.
The administration’s Cyber Strategy, the Department of War phase-out deadlines, and the NIST deprecation schedule all point in the same direction: Cryptographically dangerous quantum computers are coming, and the threat is real.
Agencies should plan their transition strategies now. Automate your crypto discovery, stand up a PQC test environment, require crypto agility in new procurements, and prioritize migration on your highest-risk systems first.
Industry has been working on this for years. Agencies need to close the gap.
About Thales TCT
Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.
For more information, visit www.thalestct.com
About IC Insiders
IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.







