The Department of War has initiated a strong push for post-quantum cryptography (PQC), signaling a significant shift in national security strategy aimed at countering threats from quantum computing. Its new strategy involves establishing a centralized oversight framework dedicated to PQC, including measures for identifying vulnerable systems, coordinating migration roadmaps, and developing the necessary cryptographic technologies.
This directive follows a recent executive order mandating that all federal contractors comply with NIST’s PQC standards by 2030. Additionally, the order dictates that the Secretary of Commerce must start a pilot project for PQC migration within the next 180 days, with completion required by the end of 2027. Federal contractors will soon need third-party certification of their compliance with the Cybersecurity Maturity Model Certification (CMMC), which will adopt PQC standards, replacing the previous practice of self-attestation.
Experts, including Jordan Kenyon from Booz Allen Hamilton, emphasize the urgency of adopting PQC for both national and economic security. The executive order sets critical deadlines for implementing key establishment by December 2030 and transitioning to PQC for digital signatures in high-impact systems by December 2031.
Gartner analysts have advised enterprises to prepare for increased governmental intervention, anticipating that regulations from various governments will create compliance challenges. They recommend that organizations set up an inventory and remediation program for PQC, engage with vendors about their timelines, begin using automated cryptographic bills of materials by 2027, transition to TLS 1.3 by 2028, and complete the transition for high-value systems by 2030. Currently, fewer than 10% of organizations support PQC for critical data and systems, a figure projected to rise to 80% by 2030. Delays in adoption could result in costs that are at least twice as high for organizations that haven’t started piloting PQC by 2027.
QuSecure’s Garfield Jones pointed out the looming obstacles posed by legacy systems, which are often integral to operations in many organizations. These systems can be crucial for services where outdated technology might affect safety, such as medical devices. While cloud vendors are moving towards implementing PQC solutions, on-premises systems may require more innovative approaches.
The Department of War has recommended that organizations prioritize full network upgrades to meet PQC requirements rather than relying on proxy solutions, underscoring the need for comprehensive system updates to ensure security against the quantum threat. This aggressive timeline reflects an urgent call for organizations to adapt to the evolving cryptographic landscape as quantum computing capabilities advance.
For further details, see the Department of War’s strategy document.