Insider Brief
- Federal agencies are being directed to begin incorporating post-quantum cryptographic standards into procurement to protect sensitive data from future quantum-enabled decryption.
- The Biden and Trump administrations have both supported policies requiring agencies to inventory critical IT systems and begin transitioning to NIST-approved quantum-safe encryption protocols.
- Despite growing awareness of quantum risks, only a small percentage of organizations have implemented quantum-safe solutions, with funding and integration challenges cited as key barriers.
Federal agencies are under growing pressure to begin incorporating post-quantum cryptographic (PQC) standards into procurement, as the government prepares for a future when quantum computers could crack today’s encryption systems.
Although experts do not expect quantum computers capable of breaking conventional encryption to emerge for at least a decade, federal cybersecurity leaders warn that adversaries may already be collecting sensitive data to decrypt once such systems arrive. According to Federal News Network, four lead agencies — CISA, the Office of the National Cyber Director, NIST, and the NSA — are coordinating the government’s post-quantum response and recently briefed federal IT officials on next steps for adoption.
“The awareness part, we’re really pushing it,” Jones said during an AFCEA Bethesda event, Federal News Network reports. “As those vendors start to adopt it, we’re starting to talk to the agencies about putting this into your acquisition documentation.”
Harvest Now, Decrypt Later
At the center of the effort is the push to future-proof federal data against what’s known as “harvest now, decrypt later” threats. These involve adversaries stealing encrypted government communications now in the expectation that powerful quantum systems in the future will be able to decipher them.
Todd Hemmen, section chief of the FBI’s Cyber Technical Analytics and Operations, said the threat of harvest now, decrypt later should trigger urgency on the part of agencies and their vendors.
“It’s very urgent, if you think through this idea of ‘harvest now, decrypt later,’” Hemmen said during the AFCEA Bethesda event, according to Federal News Network. “Our data today may be used against us at some future date. But there also should be process, should be thought in how we’re transitioning, because this is a big transition broadly and time is not necessarily with us, but we’re also not so pressed by time that we have to make decisions immediately.”
Update Acquisition Processes
In response, Federal News Network reports that agencies are being directed to update acquisition processes to include PQC support, following a series of governmental and executive orders.
One executive order mandated that the Cybersecurity and Infrastructure Security Agency publisha list of product categories where vendors support post-quantum cryptography by mid-July. Within 90 days of that publication, agencies must begin including PQC requirements in any solicitation involving those product types, ensuring that vendors are prepared to meet emerging federal encryption standards.
The standards themselves are being set by the National Institute of Standards and Technology, which finalized three post-quantum encryption protocols last year. But implementation has been slow. As Federal News Network indicates, a recent survey found that although 69% of organizations recognize the looming quantum risk, only 5% have started deploying quantum-safe encryption.
Federal agencies face not only technical and logistical hurdles but also financial ones. The Office of Management and Budget previously estimated that the transition to PQC will cost more than $7.1 billion over the next decade, a figure that excludes classified systems operated by the Defense Department and intelligence agencies. Many agencies have cited limited funding as a major obstacle to accelerating the shift, according to Federal News Network.
Still, the policy signals from the White House remain firm. The Biden administration issued multiple directives to prioritize quantum resilience by 2035, and notably, the Trump administration has allowed those policies to remain in effect. This continuity suggests bipartisan recognition of quantum computing’s potential to disrupt digital security — and the urgent need to get ahead of it.
