Over the last few months, a number of large companies announced expedited timelines for transitioning to post-quantum cryptography. These announcements signaled a growing industry consensus that quantum computing research breakthroughs could lead to cracking long-standing encryption standards earlier than previously estimated. Now the federal government is also shifting its timelines.
The White House has accelerated this momentum, with the President signing Executive Order 14409, Securing the Nation Against Advanced Cryptographic Attacks, and the Office of Management and Budget (OMB) issuing M-26-15, “Execution of the Migration to Post-Quantum Cryptography.” Taken together, these two documents make clear that the window for transitioning to Post-Quantum Cryptography (PQC) is no longer far on the horizon, particularly for complex, legacy, or hard-to-replace systems.
In order to prioritize risk, the White House has outlined a new vision for automating visibility, policy and compliance for cryptographic readiness. And, while these new documents set explicit expectations for the public sector, they also send signals to industry regarding timelines and prioritization for transitioning systems to quantum-resistant cryptography.
Technology leaders should also take note of the governance: the White House will require agency executive leadership buy-in for PQC migration, making it a key factor in IT resource funding and planning. With significant cost implications for major system migrations, leadership will be on the hook for managing cost-optimization and developing a precise understanding of risk management and mitigation, which will be critical to properly and efficiently manage taxpayer dollars.
Finally, these two documents lay out expectations for government contractors and prioritize assistance for critical infrastructure’s transition.
Below we break down what to expect, who is affected, and how automation and other PQC readiness assessments can empower organizations to efficiently and effectively secure their environments.
Timelines
The Executive Order (EO 14409) establishes strict, accelerated timelines for federal agencies to transition High Value Assets (HVAs) and High Impact Systems to NIST-approved PQC standards. Specifically, agencies must transition these critical systems to PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031.
In its memorandum implementing the Executive Order, OMB delineates expectations in more detail, requiring civilian agencies to deliver a comprehensive PQC Migration Plan within 120 days that includes the following lines of effort:
Strategy, planning, and discovery (2026 - 2027);
Pilots and early migration of prioritized systems (2027 - 2028);
Prioritized migration of PQC for key establishment (2028 - 2030);
Prioritized migration to the use of PQC for digital signature (By 2031); and,
Completing the migration of remaining systems (By 2035).
The U.S. Department of War’s (DoW) Post Quantum Cryptography (PQC) Strategy lays out even more aggressive requirements: quantum-resistant cryptography on high-impact systems by 2030 and across its entire force by 2031.
Many U.S. government contractors (such as those who provide software, cloud services, or handle sensitive federal data) will also be expected to transition their own environments and coordinate migration with their federal counterparts.
Automating Cryptographic Inventories
OMB notes that the “foundation of the migration plan is a dynamic, continuously updated inventory of all cryptographic assets,” and recommends automation wherever possible to map the cryptographic environment and its dependencies, as well as enforce policy compliance. DoW also recommends leveraging automated cryptography discovery and inventory (ACDI) tools.
The U.S. government rightly notes that manual approaches to cryptographic discovery do not and cannot scale to meet the complexity of modern IT environments. Navigating this transition will require deep, continuous visibility into cryptographic posture across complex environments.
Defining and Using Cryptographic Bills of Material
The Executive Order tasks NIST and CISA with setting public guidance describing what the federal government will require as minimum elements for a Cryptographic Bill of Material (CBOM) by March 2027. These baselines will be helpful in a field that is rapidly evolving. For private and public entities alike, this lays the groundwork for a future where CBOMs are an expected deliverable alongside software, changing how the market tracks and audits cryptographic dependencies.
OMB’s Memorandum lays out the groundwork for this future, recommending that agencies leverage a centralized CBOM “to provide a real-time view of the agency's cryptographic posture,” including a wide range of cryptographic elements.
Context-Driven Prioritization for High Risk Systems
M-26-15 instructs agencies to prioritize their migration based on risk, focusing first on High Value Assets (HVAs), High Impact Systems, and other systems holding highly sensitive data expected to remain mission-sensitive in 2030.
There are hundreds if not thousands of HVAs and High Impact Systems across the federal government. Effectively, these two classifications include most systems that are critical to government functionality, mission, or maintain sensitive information.
Identifying which systems fall within these groups is only a first step. Agencies must use context-driven prioritization to understand where weak algorithms may exist within the system, and whether those weaknesses create risk that can be easily mitigated or must be managed through modernization or replacement.
This context-driven prioritization should also be extended towards identifying and neutralizing “Harvest Now, Decrypt Later” (HNDL) risks. This involves identifying potential areas of data exposure, whether through weak key exchange protocols or other weaknesses, where data is encrypted using quantum-vulnerable cryptography. This exposed data could be harvested by an attacker, and decrypted once a cryptographically relevant quantum computer (CRQC) is developed (also referred to as “Q-Day”).
Agencies have a multi-year, phased migration approach ahead of them, beginning with strategy, planning, and discovery over the coming year. Leveraging automated assessment allows agencies and their private sector partners to build a blueprint for this resilience by helping organizations assess PQC compliance in stages.
Continuous visibility into session key exchanges and SSL/TLS dependencies allows agencies to map their immediate threat surface instantly. This ensures federal migration resources are directed precisely where OMB and the National Cyber Director require them.
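As an added illustration of the context-driven prioritization and HNDL screening described above (example code, not from Wiz, OMB, or the Executive Order), the script below classifies a constructed cryptographic inventory against the EO's key-establishment (2030) and digital-signature (2031) deadlines and ranks what to migrate first. The algorithm groupings, the Q-Day year used for the HNDL check, and every inventory record are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Classical public-key algorithms a cryptographically relevant quantum computer is expected to break.
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDHE", "ECDSA", "X25519", "ED25519"}
# NIST-approved PQC algorithm families: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA).
PQC_APPROVED = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Deadlines EO 14409 sets for HVAs and High Impact Systems, keyed by cryptographic usage.
EO_DEADLINE = {"key-establishment": date(2030, 12, 31), "digital-signature": date(2031, 12, 31)}

@dataclass
class CryptoAsset:
    system: str
    algorithm: str                       # e.g. "RSA", "ML-KEM-768", or hybrid "X25519MLKEM768"
    usage: str                           # "key-establishment" or "digital-signature"
    high_value_asset: bool               # HVA / High Impact System per M-26-15
    data_sensitive_until: Optional[int]  # last year the protected data stays sensitive, if any

def is_quantum_vulnerable(algorithm: str) -> bool:
    """Pure PQC and hybrid suites (which carry a PQC component) are PQC-ready; classical ones are not."""
    name = algorithm.upper().replace("-", "")
    if any(p.replace("-", "") in name for p in PQC_APPROVED):
        return False
    return algorithm.upper() in QUANTUM_VULNERABLE

def hndl_exposed(asset: CryptoAsset, q_day_year: int = 2030) -> bool:
    """Harvest-now-decrypt-later: vulnerable key establishment guarding data still sensitive at Q-Day (assumed 2030)."""
    return (asset.usage == "key-establishment"
            and is_quantum_vulnerable(asset.algorithm)
            and asset.data_sensitive_until is not None
            and asset.data_sensitive_until >= q_day_year)

def prioritize(inventory: list) -> list:
    """Quantum-vulnerable assets ordered by migration priority: HNDL exposure, then HVA status, then deadline."""
    findings = [{"system": a.system, "algorithm": a.algorithm, "usage": a.usage,
                 "deadline": EO_DEADLINE[a.usage].isoformat(),
                 "hva": a.high_value_asset, "hndl": hndl_exposed(a)}
                for a in inventory if is_quantum_vulnerable(a.algorithm)]  # PQC-ready assets need no migration
    findings.sort(key=lambda f: (not f["hndl"], not f["hva"], f["deadline"]))
    return findings

# Constructed sample inventory; system names and values are illustrative, not real assets.
SAMPLE_INVENTORY = [
    CryptoAsset("payroll-db-tls", "ECDHE", "key-establishment", True, 2040),
    CryptoAsset("public-website", "X25519MLKEM768", "key-establishment", False, None),
    CryptoAsset("code-signing", "RSA", "digital-signature", True, None),
    CryptoAsset("intranet-wiki", "RSA", "key-establishment", False, 2027),
]
```

Running `prioritize(SAMPLE_INVENTORY)` ranks the HNDL-exposed payroll TLS endpoint first, the HVA code-signing key second, and the low-sensitivity wiki last, while the hybrid-protected website drops out as already PQC-ready.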
Cloud Migration, Modernization and Cost Optimization
Ultimately, many systems will need to be modernized and replaced as part of a secure transition.
OMB’s Memorandum mandates that “[a]gencies must incorporate PQC upgrades into planned cloud migrations, software development lifecycles, and hardware refresh schedules to maximize efficiency and minimize costs.” For agencies planning cloud migrations from legacy systems, this means a fundamental shift in not only technologies, but skills and processes.
By starting with a foundation of visibility and embedding modern security in a cloud migration strategy, legacy systems can migrate the right functionality and technology into a cloud environment without introducing undue risk and poor cloud hygiene.
As urged by the OMB memorandum, agencies should take this transition as an opportunity to consider efficient management along with security. Agencies can integrate cost optimization during a cloud migration that maximizes the value received from cloud spend through visibility, rightsizing, automation, and accountability.
Many on-premise and legacy system costs are hidden in sunk costs, management overhead, and workforce time. Cloud cost optimization can yield major cost efficiency wins. Optimization establishes systematic practices during a migration to balance performance requirements with spending controls, maximizing the return on cloud investments. Using cloud cost optimization, agencies can prepare to:
Eliminate idle resources and poorly optimized software logic;
Rightsize resources, tracking computing needs over time to cut unnecessary expenditures;
Optimize pricing models, calculating in real time which pricing models work best for various workloads across varying clouds to drive multi-cloud decision-making; and
Leverage visibility to create accountability, giving teams and leadership transparency about what resources are being used, who is provisioning them, and why.
In all, an intentional approach to PQC migration that treats financial operations, along with broader cloud and security modernization, as part of the decision-making process can yield long-term efficiency and security gains.
Ensuring Cloud Service Provider Readiness
Certain federal contractors will also have responsibilities under this upcoming sprint. For example, M-26-15 emphasizes that FedRAMP cloud services are expected to meet these PQC requirements in line with the shared responsibility model. But it also goes beyond that, suggesting that agencies should engage with their FedRAMP service providers to “delineate PQC migration responsibilities” within that model.
This is more than a semantic distinction; it carries significant operational weight. In modern, complex environments, confusion over role responsibilities can and does occur. Certain responsibilities in a shared responsibility model fall into a gray area where both the customer and the CSP influence the security outcome. With encryption, these gray areas often involve configuration choices and assumptions about default settings.
SaaS providers will need to work with agencies to understand and verify whether the connected cloud services being consumed are appropriately configured with PQC-compliant options.
The effects of this EO extend beyond FedRAMP in the federal supply chain. For federal government technology vendors and those storing sensitive data, PQC standards are ultimately going to become a matter of contractual compliance.
Within 180 days, the Federal Acquisition Regulatory Council (FAR Council) will publish a proposed rule requiring contractors to comply with National Institute of Standards and Technology (NIST)-approved Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography (PQC) algorithms by December 31, 2030. This may put contractors on an even faster time horizon to complete transitions ahead of their agency counterparts.
Additionally, within 270 days, the FAR Council will propose rules requiring many contractors to incorporate cryptographic vulnerabilities into their vulnerability disclosure programs (VDPs). This explicitly includes testing for a lack of encryption and the use of non-FIPS-approved algorithms.
The International Context
Beyond the US, other nations are also setting requirements for transitioning key systems to quantum-resistant cryptographic algorithms.
Many nations are targeting 2035 for full transition (including Japan, Canada, and the European Union). However, those timelines are moving targets, and increasingly being qualified with earlier milestones. The European Union is targeting the transition of critical infrastructure to PQC by 2030, with Germany providing additional guidance to require a full transition by 2032. Meanwhile, Australia is seeking to complete transition by 2030, and India has a dual track roadmap, with full migration by 2029 or 2033 depending on the sector.
In France and Singapore, software certifications will be affected if vendors do not transition by 2027. After that date, all private companies seeking a visa-certification in France or a Cyber Trust mark in Singapore will need to prove they have implemented quantum resistant cryptographic algorithms.
Ultimately, organizations operating internationally must navigate an ever-shifting policy landscape featuring a mix of baseline milestones and hard-and-fast requirements. These will depend on the sectors in which these companies and their customers operate, and those factors will likely vary country to country.
Critical Infrastructure Providers
The President’s executive order on post-quantum cryptography calls on the federal government “to assist critical infrastructure owners and operators in developing their PQC migration plans.”
CISA and other Sector Risk Management Agencies already provide these industry verticals with information sharing and other services to support cyber resiliency. Additional targeted services and support guided by intelligence could make a significant difference in the quantum resilience of the broader U.S. infrastructure.
Funding for the State and Local Cybersecurity Grant Program (SLCGP) is another way the Federal government can support the migration of critical infrastructure. In the Congressional report language to reauthorize this program, the Committee noted that state and local governments are “oftentimes at the frontlines of U.S. cyber defense.”
Citing how state and local governments “continue to face persistent threats” from nation-state actors and other sources, major associations representing state and local government leaders sent a letter to Congressional appropriations leadership urging them to fund the existing program. Wiz has also voiced support for the program.
Looking Ahead
The transition to Post-Quantum Cryptography is a massive undertaking that will ripple across the technology ecosystem, shifting modernization plans and driving new systems architecture.
Checklist-driven compliance is not sufficient to support the complexity of this migration. Instead, this transition offers agencies an unparalleled opportunity to adopt advanced security approaches that provide a nuanced understanding of risk, restructuring defenses for the decades ahead.
In the near term, by leveraging Wiz's automated CBOM generation, continuous cloud-native context, and risk-based prioritization, federal agencies and their industry partners can confidently build their PQC Migration Plans. Wiz ensures that organizations can map their dependencies today, address immediate legacy cryptographic debt, and keep their most critical missions secure.
How Wiz Can Help
To meet this moment, Wiz built a PQC readiness lens that integrates cryptographic assets into our graph architecture. This allows organizations to visualize enriched cryptographic properties alongside software and cloud resource inventories. By continuously updating visibility into dependencies and encryption throughout the environment, Wiz enables organizations to immediately surface weak algorithms and identify where legacy encryption remains, driving automated cryptographic discovery across the environment.
Featuring built-in detections for relevant encryption standards and leveraging multiple scanning methodologies, Wiz surfaces cryptographic metadata directly within an environment's inventory and eliminates cryptographic blind spots. The platform highlights PQC-supported vs. non-supported software based on specific components and version numbers, allowing customers to see exactly when a library or application begins to support PQC-ready standards. These key data points are ultimately exportable via an inventory, which can be used to create a CBOM.
Additionally, Wiz can help analyze cost, usage, ownership, and resource relationship data within its Security Graph so teams can find waste and act on it with full infrastructure context.
Other Resources
Catch our on-demand webinar as Wiz Research and Government Affairs experts break down the current state of PQC and how to prepare.
Wiz’s analysis on the State of Post-Quantum Cryptography (PQC) provides a deep-dive on how the industry is preparing for the future of encryption.
Use Wiz’s PQC Tester to check if a web domain supports Post-Quantum Cryptography.
Learn more about Google Cloud’s commitment to PQC readiness, how the company is helping customers prepare for a post-quantum future, and broader resources for the cloud ecosystem.