Trump-Vance Administration Prioritizes Federal Encryption Against Quantum Threats

Just six days after the June 22nd Executive Order, the Trump-Vance administration is directing federal agencies to begin a prioritized migration to post-quantum cryptography, aiming to defend against future cyber threats posed by advancements in quantum computing. The initiative, outlined in a memorandum released on June 24th, recognizes that Americans “depend heavily on encryption to protect their individual privacy and for everyday tasks such as starting their cars, paying for groceries, and messaging friends and family.” While a cryptographically relevant quantum computer (CRQC) capable of breaking current encryption standards does not yet exist, the administration asserts the need to prepare proactively, noting that continued advances “may yield a CRQC in the coming decade.” This migration directive excludes national security systems, indicating a separate, and likely more advanced, approach is already underway for those critical areas.

Executive Order Mandate for Post-Quantum Cryptography Migration

The recent Executive Order issued on June 22nd, directing a swift migration to post-quantum cryptography, underscores the Trump-Vance administration’s commitment to proactively address a looming threat to digital security. The directive signals a focused push to fortify federal systems against future decryption capabilities. This mandate carves out an exception for critical infrastructures, which are already subject to a separate, presumably more advanced, migration strategy. This distinction is surprising given the universal vulnerability to quantum decryption, suggesting national security agencies have been anticipating and addressing the challenge for some time. As implemented by this memorandum, the Executive Order aims to integrate post-quantum cryptography readiness into existing cybersecurity governance structures across all federal agencies, demanding accountability from leadership teams beyond just the CIO and CISO. Agencies are tasked with prioritizing systems based on impact, specifically targeting any system containing highly sensitive data for immediate migration.

The memorandum emphasizes a prioritized migration of all key systems by December 31st. Agencies are expected to leverage automation wherever possible to manage the scale and complexity of this undertaking, recognizing that manual approaches are often insufficient. The Department of Defense will spearhead an inter-agency working group focused on modernizing Federal Identity, Credential, and Access Management to support PQC integration. According to the memorandum, “Migration to PQC must be a primary information security consideration for agencies,” urging incorporation of these upgrades into existing system development lifecycles and hardware refresh schedules to maximize efficiency and minimize costs. Systems incapable of supporting PQC are to be prioritized for replacement or decommissioning, ensuring a future-proofed infrastructure capable of withstanding the quantum threat.

Unlike classical public-key cryptography, PQC uses algorithms believed to be sufficiently secure even against quantum computers.

CRQC Threat & NIST’s Post-Quantum Algorithm Standardization

The accelerating threat posed by potentially cryptographically relevant quantum computers (CRQC) has spurred the Trump-Vance administration into decisive action, formalized by an Executive Order issued on June 22nd. This directive is not merely a theoretical exercise in future-proofing; it’s a concrete push to migrate federal government systems to post-quantum cryptography (PQC) with a firm objective of mitigating quantum risk by December 31st. The urgency stems from the possibility that a sufficiently powerful quantum computer could render much of current encryption obsolete, potentially allowing attackers to seize control of systems and impersonate users. Central to this transition is the work of the National Institute of Standards and Technology (NIST), which has spent the last decade developing and standardizing PQC algorithms.

Unlike classical cryptography, PQC utilizes algorithms “believed to be sufficiently secure even against quantum computers.” NIST’s rigorous evaluation process, involving leading cryptographers and security researchers, aimed to identify algorithms resistant to compromise by a CRQC. The memorandum emphasizes a risk-based approach, requiring agencies to integrate PQC readiness into existing cybersecurity governance structures. Agencies are also directed to develop a PQC Migration Plan, submitted to the Office of Management and Budget and the Office of the National Cyber Director within 120 days.

A quantum computer of sufficient power and sophistication (a cryptographically relevant quantum computer, or CRQC) will be able to decrypt data protected by many forms of cryptography that are commonly used today and thwart existing authentication protocols.

The relentless pursuit of quantum computing capabilities is now directly influencing federal cybersecurity strategies. The memorandum emphasizes the importance of automation, recognizing that manual approaches are insufficient for managing the complexity of federal IT environments. Agencies are encouraged to leverage automated solutions for inventory management, policy enforcement, and compliance reporting, streamlining the process and ensuring continuous monitoring of cryptographic posture.

Through this process, many of the world’s most respected cryptographers and security researchers have thoroughly evaluated candidate algorithms to determine whether they could be compromised or broken by a CRQC.

PQC Integration with System Modernization & Cloud Migrations

The imperative to transition to post-quantum cryptography (PQC) is rapidly converging with ongoing efforts to modernize federal IT infrastructure and accelerate cloud adoption, creating a complex but potentially efficient pathway for securing sensitive data against future threats. This isn’t simply a matter of bolting on new algorithms; the memorandum released this week initiating this migration signals a fundamental shift in how agencies approach cybersecurity, demanding integration of PQC considerations into every stage of system development and resource planning. As outlined in OMB Circular No. A-130, agencies are now explicitly required to “consider information security…for all resource planning and management activities throughout the system development life cycle so that risks are appropriately managed,” with PQC now taking a central role in that assessment. This directive acknowledges the practical realities of maintaining vast and often outdated IT systems.

Agencies have already identified legacy systems where migration would be too difficult or costly, and the memorandum encourages incorporating PQC upgrades into planned cloud migrations, software development lifecycles, and hardware refresh schedules. This strategic alignment is crucial; attempting to retrofit PQC onto aging infrastructure would be prohibitively expensive and inefficient. Crucially, the memorandum extends beyond agency-owned systems, recognizing the increasing reliance on third-party cloud services. Agencies are expected to engage their FedRAMP-authorized providers to delineate PQC migration responsibilities within the shared responsibility model. CISA and the Department of Defense, in coordination with GSA, will spearhead PQC migration efforts for FedRAMP-authorized cloud service providers, as well as software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) solutions used across multiple agencies.


FedRAMP & CISA Roles in Vendor/Third-Party PQC Adoption

The expectation that federal agencies will independently navigate the complex transition to post-quantum cryptography (PQC) overlooks a critical reality: a vast reliance on third-party vendors and cloud service providers. This isn’t simply about urging vendors to comply; it’s about establishing a clear pathway for integration and accountability within the shared responsibility model of cloud computing. CISA’s role is further defined by a recent publication, which serves as a crucial reference point for agencies evaluating vendor offerings. Agencies are instructed to ensure any requirements for products falling within these categories include PQC integration, effectively embedding cryptographic agility into procurement processes. This proactive stance aims to prevent vendor lock-in and ensure future compatibility with PQC standards.

This emphasis on vendor participation acknowledges that a fragmented approach, where each agency independently audits and validates vendor compliance, would be unsustainable given the limited timeframe and resources. The administration recognizes the limitations of manual processes in managing the vast and dynamic federal IT landscape. This push for automation isn’t merely about efficiency; it’s about achieving a “comprehensive and continuously updated understanding of their cryptographic posture,” a prerequisite for effectively mitigating quantum risk. The collaborative efforts between CISA, the Department of Defense, and the General Services Administration (GSA) are intended to streamline the process for vendors and agencies alike, ensuring a cohesive and effective migration to PQC across the federal government.

The core ZTA principle of “never trust, always verify” is compromised if the cryptography used for verification is vulnerable.


Ivy Delaney
