The Department of War has recognized the national security threat posed by quantum computers and has put some teeth behind the federal government’s push for quantum-proof encryption. It announced plans for a centralized oversight structure for post-quantum encryption, scanning vulnerable systems, coordinating migration roadmaps, and developing post-quantum cryptography for defense needs.
The department has also released a strategy document which says it will update the Cybersecurity Maturity Model Certification (CMMC) to include PQC. As of this November, federal contractors will begin to be required to have third-party certification of CMMC compliance. Previously, they were allowed to self-attest, a much lower standard.
The DoW announcement comes just a day after an executive order requiring all federal contractors to comply with NIST’s post-quantum cryptography standards by the end of 2030. In addition, the president ordered the Secretary of Commerce to initiate a pilot project for PQC migration within the next 180 days — and the pilot needs to be completed by the end of 2027. (See related story: Presidential order addresses quantum computing gaps)
“Adopting PQC is imperative for both national and economic security,” says Jordan Kenyon, senior quantum scientist at Booz Allen Hamilton. “The US government just set an aggressive timeline.”
The executive order sets a deadline of December 2030 for key establishment and December 2031 for digital signatures in high-impact systems and assets.
In a report Tuesday, Gartner warned that enterprises should brace themselves for more government interventions — and the confusion and complexity that might result.
“The U.S. government’s EOs will likely spur accelerated intervention from all major governments and regional political blocs,” the firm said. “CISOs should be prepared for regulations to conflict and contain sovereignty requirements, which will complicate compliance.”
Gartner recommends that companies build a PQC inventory and remediation program in 2026 and engage vendors about their PQC timelines. In addition, companies should move to automated cryptographic bills of materials in 2027, transition to TLS 1.3 by 2028, and move all high-value and high-impact systems to PQC by 2030.
According to Gartner, fewer than 10% of organizations support post-quantum cryptography for high-value data and systems, but that is expected to increase to 80% by 2030. “Organizations that haven’t started piloting PQC by 2027 can expect to pay at least 200% more for their full PQC migration,” Gartner analysts predict.
“It’s no longer a ten-year runway,” says Garfield Jones, SVP of research and technology strategy at QuSecure, a cybersecurity vendor. “It’s two and a half years that we have to move in.”
According to QuSecure’s Jones, the hardest part of the transition will be in legacy systems.
“The cloud vendors have started to help out on that and have implemented the algorithms and implemented TLS,” he says. “But what about your on-prem solutions, your operational technology solutions, your legacy IT that can’t move to the cloud? The edge technology? Those are areas that you have to look at.”
Many OT systems are on a 20- or 30-year life cycle, he says, and organizations may not want to immediately replace them.
In some cases, old technology can be a matter of life and death. “I mean, you’ve got medical devices that carry very relevant information,” Jones says. “If your doctor is getting wrong information about you, then it’s a problem.”
One solution is to put a secure wrapper around the legacy systems, he says. “So you don’t have to take out all your OT and you can go on their natural refresh cycle.”
The Department of War recommends against this approach, however. “Proxy solutions for PQC should be avoided with a focus instead on actual network upgrades to PQC,” the department said in its post quantum cryptography strategy document.
Read more about quantum computing and HPC
- IBM sends signals with its $10 billion quantum pledge: “The quantum era is no longer ahead of us, it has started,” said IBM CEO Arvind Krishna in statement tied to news that the company is committing $10 billion to advancing quantum computing and commercializing the technology.
- New tool on AWS makes it easier to develop quantum error correction: Quantum computers are no longer a physics challenge but an engineering one, and quantum error correction is the heart of what’s going to make quantum computing a reality. A new tool uses AI-powered digital twins to make it easier for researchers to solve this challenge, and it’s available on AWS.
- Quantum computing is getting closer, but quantum-proof encryption remains elusive: The day when quantum computers will be able to break conventional encryption is rapidly approaching, but not all companies are prepared to implement post-quantum cryptography.
- China’s LineShine is the world’s fastest supercomputer: The debut of China’s LineShine on the June 2026 edition of the TOP500 rankings ends El Capitan’s run at the top the list and marks the first time a China-based system has led the rankings since Sunway TaihuLight in 2017.
- Curious about quantum? Check out training options from ISC2, IBM, AWS and more: ISC2 released a 30-minute primer on the cybersecurity implications of quantum computing. If you want to dig deeper, there are many quantum training options that don’t require going back to school for a PhD.
- Top quantum breakthroughs of 2025: 10 areas in which we’ve seen significant breakthroughs and milestones in quantum computing.