
Agencies Go Beyond Planning as Post-Quantum Deadlines Near


Agencies are moving beyond planning and beginning to implement PQC to protect sensitive government data from future quantum threats.


Federal agencies are beginning the long process of transitioning to post-quantum cryptography, and General Services Administration officials have begun embedding these requirements into acquisition processes.

Driven by NIST standards and federal mandates, agencies are inventorying systems, identifying high-value assets and developing migration plans ahead of a Jan. 2, 2030 implementation deadline.

Progress, however, remains uneven across government, according to Rosa Underwood, senior cybersecurity adviser at the General Services Administration’s Federal Acquisition Service.

“The spectrum is everything, from not being prepared or being partially [prepared],” Underwood told GovCIO Media & Research. “Agencies are mandated to have already started inventory. That’s the first step. That’s the critical step.”

Underwood said GSA is incorporating post-quantum cryptography requirements into acquisition processes to help agencies translate policy mandates into procurement efforts.

“GSA is leading the charge across FAS … since the issuance of the OMB memo M-23-02,” Underwood said. “We facilitated experiments and pilots to improve digital security. We’ve identified talent needs, developed education and awareness activities for the acquisition workforce.”

By standardizing requirements and encouraging crypto-agile technologies, the agency hopes to accelerate adoption across both government and industry.

“We want to make sure that our industry partners are implementing those PQC standardized algorithms to protect the sensitive data in their systems that support federal agencies, so it’s also a supply chain risk perspective,” Underwood said.

She added that GSA provides resources through buy.gsa.gov, including a Quantum Information Science and Technology guidebook and a dedicated PQC Buyer’s Guide to help agencies develop technical requirements and ensure new acquisitions are crypto-agile.

PQC Implementation Challenges

In 2024, the Office of Management and Budget estimated that federal agencies would need $7.1 billion between 2025 and 2035 to migrate prioritized systems to post-quantum cryptography.

Larger agencies such as the War Department generally have greater resources to identify cryptographic assets and develop migration strategies, while smaller agencies often face staffing, funding and technical expertise challenges.

The Pentagon has long prioritized its inventorying process for post-quantum cryptography migration. Last year’s directive from then-acting CIO Katie Arrington required components to inventory and phase out legacy asymmetric protocols, including in weapons systems, by Dec. 31, 2030.

“[DOW] may be further prepared than say Surface Transportation Board, for example, just looking at resources,” Underwood told GovCIO Media & Research. “[Funding] could be a hindrance on how well or where they are in the preparedness state.”

That disparity creates implementation risks, particularly for legacy systems that may require significant work before they can support post-quantum cryptography.

While OMB requires agencies to submit an updated inventory annually, the structured tracking mechanism for this effort is not public information. CISA, the Office of the National Cyber Director and OMB track inventorying via an automated submission pipeline hosted on the OMB MAX platform.

Prathibha Rama, a computer engineer at Johns Hopkins University Applied Physics Laboratory, said agencies should prioritize older hardware and embedded systems early in the transition process.

“There’s older hardware, [and] you might have embedded systems involved in that, and those are also systems that you want to focus on early on,” she said at GovCIO Media & Research’s CyberScape Summit in April. “There’s going to be more engineering creativity and feats that are involved in updating those systems.”

One major driver of urgency is the “harvest now, decrypt later” strategy employed by foreign adversaries. Under that approach, encrypted information is collected today with the expectation that future quantum computers will eventually be able to decrypt it.

“The most important thing to think about is this idea that data right now is still vulnerable even if quantum computers can’t yet break public key cryptography,” Rama said. “You can only control how you behave, not how others do … Quantum computers are going to be here, whether we like it or not.”

Regardless of budgets and mandates, agencies cannot afford to wait to begin migration efforts.

“We’re not going to get an email that says ‘Q Day is coming.’ We’re not going to get a ‘save the date’; it’s just going to happen,” Underwood said.
