
Agencies are being encouraged to consider post-quantum cryptographic standards in the acquisition process, as part of a multiyear push to secure sensitive data from exploitation.

The Cybersecurity and Infrastructure Security Agency, the Office of the National Cyber Director, the National Institute of Standards and Technology, and the National Security Agency are leading post-quantum cryptographic efforts.

Garfield Jones, associate chief of strategic technology at CISA, said those lead agencies hosted a call recently with more than 600 federal IT officials to discuss the adoption of post-quantum cryptography.

“The awareness part, we’re really pushing it,” Jones said during a May 13 event in Washington hosted by AFCEA Bethesda. “As those vendors start to adopt it, we’re starting to talk to the agencies about putting this into your acquisition documentation.”

While a quantum-relevant computer is not projected to become a reality for at least another decade, U.S. officials are concerned adversaries could steal data now and decrypt it in the future.

In a 2022 national security memorandum, former President Joe Biden set a goal for agencies to mitigate “as much quantum risk as feasible” by 2035. The Office of Management and Budget directed agencies to inventory their most sensitive IT assets and develop detailed post-quantum cryptography transition plans.

Biden also issued updated post-quantum requirements in a last-minute cybersecurity executive order in January. The Trump administration has notably not rescinded either of Biden’s cyber orders.

The January order directed CISA by mid-July to publish a list of product categories in which products support post-quantum cryptography. And 90 days after CISA publishes the list, agencies are required to take steps to include requirements for post-quantum cryptography in solicitations for any product that could support PQC.

NIST last year finalized three post-quantum cryptographic standards. And Jones said CISA is aiming to work with vendors to test their cryptographic solutions as the agency builds out the PQC products list.

“We’re going to try to work with vendors to make sure that they have those elements in there,” Jones said.

But many organizations are still in the early stages of moving to the new standards. A recent survey by security certificate company DigiCert found that while 69% of organizations recognize the risks quantum computing poses, only 5% have implemented quantum-safe encryption.

Todd Hemmen, section chief of the FBI’s Cyber Technical Analytics and Operations, noted the government’s current plan for the decade-long transition requires both urgency and a “thought-driven, process-driven approach.”

“It’s very urgent, if you think through this idea of ‘harvest now, decrypt later,’” Hemmen said during the AFCEA Bethesda event. “Our data today may be used against us at some future date. But there also should be process, should be thought in how we’re transitioning, because this is a big transition broadly and time is not necessarily with us, but we’re also not so pressed by time that we have to make decisions immediately.”

Meanwhile, Jones said the PQC algorithms are “a little heavier” than traditional cryptography. He said agencies should understand potential implementation challenges, especially in areas like operational technology.

“We always tell people, just be prepared,” he said. “Work with your vendors to get their roadmap, roll it into your acquisition documentation and policy, so that you don’t have a surprise. It takes time to get it into the organization, getting the right architecture.”

In addition to technical and integration challenges, agency officials have also cited funding as a hurdle in transitioning to post-quantum cryptography. OMB has previously estimated the government’s transition to the new standards will cost roughly $7.1 billion over 10 years. And that estimate doesn’t include classified systems run by the Defense Department and the intelligence community.

Landon Van Dyke, senior advisor for technology adoption and strategy at the State Department, said it may be difficult for cybersecurity officials to secure funding for post-quantum cryptography compared to other tech priorities like artificial intelligence.

“When it comes to budget and trying to get the resources in, trying to get the support to actually do the implementation, it will be more of a challenge for the agencies to do this,” Van Dyke said during the AFCEA Bethesda event. “It’s not a thing that you’re going to actually see in the headlines. It’s not something that the executives are going to be able to play with. It’s something that we will say to them, ‘If you don’t do it, we’re in trouble.’ And they’ll ask, ‘Well, what’s my return?’ A quiet day will be your return.”

© 2025 Federal News Network. All rights reserved.