
Agencies have four months to finalize quantum-ready migration plans

The risk-based plans for fortifying systems will build upon agencies’ work to inventory cryptographic systems under the Biden administration.

Federal officials have four months to draw up plans for migrating systems to encryption methods that could protect against the future cybersecurity threats posed by quantum computing. 

In a new memorandum, the Office of Management and Budget set deadlines for agencies to establish migration plans for post-quantum cryptography (PQC), giving agency heads 120 days from its publication to finalize those documents. Per the memo, which was dated Wednesday but released publicly Thursday, the goal is to migrate “as much quantum risk as feasible by December 31, 2030.” 

The memo comes days after the release of President Donald Trump’s anticipated quantum executive orders and sets out more specific requirements for agencies under the system-security-focused directive.

Under the OMB guidance, agency migration plans must prioritize high-impact systems, high-value assets, and any other system that either holds highly sensitive data or is vulnerable to quantum computing attacks. They’re also required to update governance structures — including the appointment of a new “migration lead” — and prioritize PQC upgrades to existing systems and the purchase of third-party software.


There will be five phases for implementation in those plans, beginning with a planning and discovery phase this year, moving to pilots and early migration over the next couple of years, hitting deadlines for priority migration in 2030 and 2031, and culminating in full migration in 2035.

While a quantum computer that could pose the threat of decryption — known as a cryptographically relevant quantum computer (CRQC) — isn’t known to exist yet, the technology is expected to eventually be able to crack the math that underpins classical encryption methods. As a result, both the public and private sectors have been hard at work coming up with new cryptographic methods to shield private information from those capabilities.  

The new Trump orders and OMB memo are the latest efforts from the federal government to prepare its systems, and notably, one of them included new accelerated deadlines for agencies to transition to PQC.

That order gave agencies until the end of 2030 to transition all high-impact systems and high value assets to PQC for key establishment — a handshake-like process through which two or more entities establish a secret key to facilitate encryption. And by the end of 2031, the order further requires transitioning those same high value and high impact systems to PQC for digital signatures — a mathematical method for verifying the authenticity and integrity of things like data, messages or files.

In comparison, a Biden-era national security memo established a broad goal to migrate “as much of the quantum risk as is feasible by 2035.” That May 2022 memo and its timelines, however, came out before the government finalized its first encryption standards to thwart quantum computing threats in 2024. With those now in hand, the new timeline serves as a recalibration.


‘Q day’ unknown

Even with a faster timeline, however, agencies are racing against the unknown. While the roughly four-and-a-half-year timeline attempts to give government entities enough time to fortify their systems against future quantum computing threats, the catch is that it’s impossible to predict exactly when “Q-day,” the point at which that technology becomes viable, will arrive.

Until then, educated estimates are all government officials, companies, and researchers have to prepare for an anticipated quantum computing threat. 

Some believe the new timeline is not fast enough. 

Ann Dunkin, former chief information officer of the Department of Energy during the Biden administration, told FedScoop that while she’s glad to see the Trump administration continuing the commitments to quantum research and encryption, she said the 2031 deadline is “too late. Way too late.”


Dunkin pointed to “harvest now, decrypt later” tactics, in which adversaries are likely already collecting encrypted information to unveil later with the advent of cryptographically relevant quantum capabilities. In essence, that means adversaries may already hold information they could one day decrypt; the hope is only that the information is no longer relevant by the time Q day arrives.

“Harvest now decrypt later is a real thing and the closer we get to Q day, the more harvested data will be useful,” Dunkin said in a written comment. 

Additionally, Dunkin said that given current projections, there’s a chance that Q day could be before 2031 and government investment in quantum is likely to move that date even closer. “The current plan is likely to leave the vast majority of federal systems fully exposed to hackers on Q day,” she said.

Others, however, say that the timeline is likely the most practical expectation for federal agencies.

Phil Stupak, a former cyber official in the Biden-era Office of the National Cyber Director, told FedScoop that while the ideal is always to move faster, the question is whether that’s realistic. “I don’t know if it’s realistic to move faster,” he said.


However, there is also a possibility that even once a quantum computer can break existing encryption, the speed at which it can do so will likely still limit the threat, Stupak said. That means the threat might not become relevant until years beyond that date.

Overall, Stupak said that “the Trump administration did a good job on this executive order on the post quantum cryptography piece” and that it builds upon work under the Biden administration. “This executive order tries to very quickly put PQC requirements in place,” he said.

The order and memo follow work agencies carried out under the Biden administration to tally up all of their existing cryptographic systems via an inventory process and determine which ones were likely vulnerable to quantum computing threats. The Biden policy similarly prioritized high-impact and high value systems in that work. 
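As an added illustration that is not part of this article and not OMB's or any agency's tooling, the following Python script triages a constructed cryptographic inventory against the rules the article reports: only quantum-vulnerable public-key algorithms need migrating; high-impact systems, high-value assets and systems holding highly sensitive data get the priority deadlines (key establishment by end of 2030, digital signatures by end of 2031), everything else the 2035 full-migration target; and "harvest now, decrypt later" exposure applies to key establishment but not to signatures, so key-establishment traffic protecting data that must stay secret past its deadline is flagged as urgent. The algorithm sets, record fields, sample entries and the 2026 reference year are assumptions.

```python
from dataclasses import dataclass

# Classical public-key algorithms a cryptographically relevant quantum computer
# is expected to break. Symmetric ciphers and hashes are deliberately absent.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "DSA", "EdDSA"}
# Deadlines as reported: priority systems move key establishment by end of
# 2030 and signatures by end of 2031; full migration is due in 2035.
DEADLINE_YEAR = {"key_establishment": 2030, "signature": 2031}
FULL_MIGRATION_YEAR = 2035


@dataclass
class Entry:
    system: str
    algorithm: str
    purpose: str                  # "key_establishment", "signature", or other
    high_impact: bool = False
    high_value_asset: bool = False
    sensitive_data: bool = False
    secrecy_years: int = 0        # how long protected data must stay confidential


def triage(entry: Entry, reference_year: int = 2026) -> dict:
    """Classify one inventory record; reference_year is an assumed planning year."""
    if entry.algorithm not in QUANTUM_VULNERABLE:
        return {"system": entry.system, "tier": "not_quantum_vulnerable",
                "deadline": None, "hndl_exposed": False}
    if entry.purpose not in DEADLINE_YEAR:
        raise ValueError(f"{entry.system}: unknown purpose {entry.purpose!r}")
    priority = entry.high_impact or entry.high_value_asset or entry.sensitive_data
    deadline = DEADLINE_YEAR[entry.purpose] if priority else FULL_MIGRATION_YEAR
    # Harvest-now-decrypt-later only threatens confidentiality: recorded
    # key-establishment traffic can be decrypted once a CRQC exists, while a
    # signature cannot be forged retroactively.
    hndl_exposed = entry.purpose == "key_establishment"
    tier = "priority" if priority else "standard"
    if hndl_exposed and reference_year + entry.secrecy_years > deadline:
        tier = "urgent"   # data outlives the deadline, so meeting it is not enough
    return {"system": entry.system, "tier": tier,
            "deadline": deadline, "hndl_exposed": hndl_exposed}


SAMPLE_INVENTORY = [  # constructed sample records, not from any real agency
    Entry("benefits-portal-tls", "ECDH", "key_establishment", high_impact=True, secrecy_years=10),
    Entry("code-signing-ca", "RSA", "signature", high_value_asset=True),
    Entry("intranet-wiki-tls", "ECDH", "key_establishment", secrecy_years=1),
    Entry("backup-encryption", "AES-256", "symmetric"),
    Entry("vpn-gateway", "ML-KEM", "key_establishment", high_impact=True),
]


def migration_plan(inventory, reference_year: int = 2026) -> list:
    """Triage every record and order the work: urgent first, then by deadline."""
    order = {"urgent": 0, "priority": 1, "standard": 2, "not_quantum_vulnerable": 3}
    results = [triage(e, reference_year) for e in inventory]
    return sorted(results, key=lambda r: (order[r["tier"]], r["deadline"] or 9999))
```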

Support needed

As agencies prepare for those deadlines, however, there are challenges outside their control.


In terms of hurdles for migration, Stupak listed two: the lack of commercially available PQC-compliant equipment from the private sector, and support from Congress for the efforts.

On the first point, he noted that the private sector is farther along now than it was under the Biden administration, so there could be “some success,” but a high value asset can’t be replaced with an app. “You’ve either got to replace the whole thing with all the cryptographic algorithms on it, or not replace it,” he said. 

Meanwhile on the second point, he emphasized that funding from Congress is crucial. “Congress is going to have to prioritize this and actually fund it, or it’s not going to happen,” he said.

For its part, the Wednesday OMB memo made an effort to address the issue of buy-in within agencies themselves, stating that the migration is not the responsibility of the chief information officer and chief information security officer alone. Rather, it said that work is a task that each agency’s leaders and front offices should share in. 

Hemant Baidwan, former Department of Homeland Security chief information security officer under the Biden and Trump administrations, told FedScoop that the hurdle he saw was turning awareness of the problem among security leaders “into funded, measurable action across legacy systems, cloud services, applications, certificates, identity platforms, APIs, and vendor-managed environments.” 


To that point, Baidwan praised the order, saying it “gives agencies a clearer path by forcing ownership, prioritization, and timelines. That matters because PQC migration cannot be treated like a normal technology refresh. It has to be managed as a mission risk program.”

In an emailed statement to FedScoop, Baidwan listed visibility into cryptography, dependency on the market and operational risk as challenges for agencies, and said that agencies will need funding, guidance, procurement support, and tooling to support their efforts.

“Congress can help by treating PQC migration as a modernization priority, not an unfunded compliance requirement,” Baidwan said. 

He also said that common approaches that agencies share will be important. “Shared reference architectures, clear procurement language, cloud alignment, FedRAMP integration, and automated reporting will make a big difference,” he said.

Matthew McFadden, vice president of General Dynamics Information Technology’s Cyber Division, said that going forward it will be important to focus on the “shift-left side” where PQC is incorporated from the beginning. (Shift left is a software development term that describes moving testing to the early stages of a project.)


In a 2024 survey of government officials, GDIT found that while agencies were making progress, legacy systems, operational technology systems, and lack of planning were frequently cited as barriers to implementation of the new standards. 

It takes time for industry to put forward and implement these new standards into their products, McFadden said. Those changes not only affect devices, but also cloud service providers and each product has to be assessed on an individual level. Agency decisionmakers have to work with acquisition teams to ensure that things they’re selecting are part of the roadmap. 

McFadden called the directive “a great first step,” pointing specifically to its establishment of leads within the agencies and its creation of a framework that will allow agencies to work better with their contracting partners to support the process.
