U.S. cybersecurity and intelligence agencies are intensifying efforts to integrate post-quantum Cryptography Push(PQC) into federal acquisition processes as part of a broader push to secure sensitive data from future threats. Leading the charge are the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the National Cyber Director, the National Institute of Standards and Technology (NIST), and the National Security Agency (NSA).
During a recent event hosted by AFCEA Bethesda on May 13, Garfield Jones, associate chief of strategic technology at CISA, said the agency recently held a virtual meeting with over 600 federal IT officials to promote awareness and encourage integration of PQC into procurement documentation. “The awareness part, we’re really pushing,” Jones emphasized. “We’re starting to talk to the agencies about putting this into your acquisition documentation.”
Although practical quantum computers capable of breaking current encryption may be years away, federal officials are concerned about the risk of adversaries collecting encrypted data now and decrypting it later, a strategy known as “harvest now, decrypt later.”
Policy Directives Drive PQC Adoption Despite Transition Hurdles
The federal government’s focus on post-quantum Cryptography was formalized in 2022 through a national security memorandum issued by then-President Joe Biden, which called on agencies to reduce quantum-related risks by 2035. This was reinforced by a cybersecurity executive order in January, which remained in place under the Trump administration. The order requires CISA to publish a list of product categories supporting PQC by mid-July. Within 90 days of that publication, agencies must begin incorporating quantum-safe standards into relevant product solicitations.
To support this transition, NIST has already finalized three PQC algorithms. Jones noted that CISA is actively working with vendors to test and validate products against these standards, ensuring readiness for the government-wide rollout. However, implementation remains uneven. A survey by DigiCert revealed that while 69% of organizations are aware of quantum computing risks, only 5% have adopted quantum-safe encryption.
Todd Hemmen, section chief of the FBI’s Cyber Technical Analytics and Operations, emphasized the need for urgency and caution in equal measure. “It’s very urgent if you think through this idea of ‘harvest now, decrypt later,’” Hemmen said. “But there should also be a process. This is a big transition.”
Funding, Complexity Pose Challenges for Quantum-Ready Infrastructure
Transitioning to post-quantum Cryptography is not without significant challenges. The algorithms, described by Jones as “a little heavier” than traditional ones, may strain operational technology systems and require updates to organizational architecture. “It takes time to get it into the organization,” he advised. “Work with your vendors to get their roadmap.”
Beyond the technical hurdles, funding has emerged as a major concern. The Office of Management and Budget (OMB) estimates the transition will cost around $7.1 billion over the next decade — excluding classified systems managed by the Department of Defense and intelligence agencies.
Landon Van Dyke, senior advisor for technology adoption at the State Department, noted that securing funds for PQC implementation is more difficult than for more visible technologies like artificial intelligence. “It’s not something you’ll see in the headlines,” Van Dyke said. “But if you don’t do it, we’re in trouble. A quiet day will be your return.”
