Federal agencies face an urgent timeline to protect their most sensitive data from quantum computing threats. Quantum computers leverage physics principles like superposition and entanglement to perform calculations faster than classical computers, posing a significant threat to current encryption standards. Adversaries employ “harvest now, decrypt later” tactics, collecting encrypted data to store until there is a quantum computer powerful enough to break the encryption. The National Institute of Standards and Technology (NIST) released standardized Post-Quantum Cryptography (PQC) algorithms designed to withstand quantum attacks, ensuring long-term data security. The U.S. Federal Government has also issued guidance urging Federal agencies to update their IT infrastructure and deploy crypto-agile solutions that utilize today’s classical encryption algorithms and provide the ability to upgrade to PQC algorithms to combat this threat.
With the Cloud Security Alliance projecting cryptographically relevant quantum computers by 2030, agencies must implement these quantum-resistant algorithms before current security measures become obsolete.
The Quantum Threat Landscape
Current public key infrastructure (PKI), which underpins the internet, code signing and authentication, faces an existential threat from quantum computing. This vulnerability extends beyond theoretical concerns to three specific risk areas affecting Federal systems:
- Harvest Now, Decrypt Later: Attackers intercept communications and data today, storing them until quantum computers can break the encryption—potentially exposing Government secrets and sensitive information.
- Forged Signatures: Quantum capabilities could enable impersonation of trusted entities, allowing attackers to load malicious software to long-life devices or create fraudulent financial transactions that impact both commercial and Federal Government systems.
- Man-in-the-Middle Attacks: Advanced quantum computing could facilitate access to secure systems, potentially compromising military command and control (C2) environments, disrupting critical infrastructure and interfering with elections.
The most vulnerable assets are those containing long-lived data, including decades of trade secrets, classified information and lifetime healthcare and personal identifiable information. Short-lived data that exists for hours or months faces considerably less risk from quantum-enabled decryption.
Post-Quantum Cryptography Standards and Timeline
The standardization of quantum-resistant algorithms represents the culmination of an eight-year process spearheaded by NIST. In August 2024, NIST published its final standards for three critical algorithms:
- ML-KEM (formerly Crystals-Kyber) | FIPS 203 | Key Encapsulation
- ML-DSA (formerly Crystals-Dilithium) | FIPS 204 | Digital Signature
- SLH-DSA (formerly HSS/LMS) | FIPS 205 | Stateless Hash-Based Signature
A fourth algorithm, FND-DSA (formerly Falcon), is still pending finalization. Simultaneously, NIST has released Internal Report (IR) 8547, providing comprehensive guidelines for transitioning from quantum-vulnerable cryptographic algorithms to PQC.
The National Security Agency’s (NSA) Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), released in September 2022 with an FAQ update in April 2024, outlines specific PQC requirements for National Security Systems. These standards have become reference points for Federal agencies beyond classified environments, establishing a staggered implementation timeline:
- 2025-2030: Software/firmware signing
- 2025-2033: Browsers, servers and cloud services
- 2026-2030: Traditional networking equipment
- 2027: Begin implementation of operating systems
Crypto Agility and Transition Strategy
It is essential for Federal agencies to deploy crypto-agile solutions that provide the ability to quickly modify underlying cryptographic primitives with flexible, upgradable technology. This capability allows organizations to support both current algorithms and future quantum-resistant ones without hardware replacement.
A comprehensive transition strategy includes seven critical steps:
- Awareness: Understand the challenges, risks and necessary actions to prepare for quantum threats.
- Inventory and Prioritize: Catalog cryptographic technologies and identify high-risk systems—a process the Cybersecurity and Infrastructure Security Agency (CISA) mandated via spreadsheet submission last year.
- Automate Discovery: Implement tools that continuously identify and inventory cryptographic assets, recognizing that manual inventories quickly become outdated.
- Set Up a PQC Test Environment: Establish testing platforms to evaluate how quantum-resistant algorithms affect performance, as these algorithms generate larger keys that may impact systems differently.
- Practice Crypto Agility: Ensure systems can support both classical algorithms and quantum-resistant alternatives, which may require modernizing end-of-life hardware security modules.
- Quantum Key Generation: Leverage quantum random number generation to create quantum-capable keys.
- Implement Quantum-Resistant Algorithms: Deploy PQC solutions across systems, beginning with high-risk assets while preparing for a multi-year process.
Practical Implementation of PQC
Federal agencies should look beyond algorithms to consider the full scope of implementation requirements. The quantum threat extends to communication protocols including Transport Layer Security (TLS), Internet Protocol Security (IPSec) and Secure Shell (SSH). It also affects certificates like X.509 for identities and code signing, as well as key management protocols.
Hardware security modules (HSMs) and high-speed network encryptors serve as critical components in quantum-resistant infrastructure. These devices must support hybrid approaches that combine classical encryption with PQC to maintain backward compatibility while adding quantum protection.
The National Cybersecurity Center of Excellence (NCCoE) is coordinating a major post-quantum crypto migration project involving more than 40 collaborators, including industry, academia, financial sectors and Government partners. This initiative has already produced testing artifacts and integration frameworks available through NIST Special Publication (SP) 1800-38.
Crypto Discovery and Inventory Management
Automated discovery tools represent a crucial capability for maintaining an accurate and current inventory of cryptographic assets. Unlike the one-time manual inventories many agencies completed in 2022-2023, these tools enable continuous monitoring of cryptographic implementations across the enterprise.
Several vendors offer specialized solutions for cryptographic discovery, including InfoSec Global, Sandbox AQ and IBM. These tools can:
- Discover and classify cryptographic material across environments
- Identify which assets are managed or unmanaged
- Determine vulnerability to quantum attacks
- Support centralized crypto management and policies
The Cloud Security Alliance has coined the term “Y2Q” (Years to Quantum) as an analogy to the “Y2K bug,” highlighting the need for systematic preparation. However, the quantum threat represents a potentially more significant risk than Y2K, with a projected timeline that places a cryptographically relevant quantum computer capable of breaking current cryptography by April 14, 2030.
Moving Forward with Quantum-Resistant Security
The transition to post-quantum cryptography is not optional for Federal agencies—it is an imperative. While the process requires significant investment in time and resources, the alternative—leaving sensitive Government data vulnerable to decryption—poses an unacceptable risk to national security.
Agencies should begin by evaluating their existing cryptographic inventory, prioritizing systems with long-lived sensitive data and developing implementation roadmaps aligned with NIST and NSA timelines. By taking incremental steps today toward quantum-resistant infrastructure, Federal organizations can ensure their critical information remains secure in the quantum computing era.
To learn more about implementing quantum-resistant security in Federal environments, watch Thales Trusted Cyber Technologies’ (TCT) webinar, “CTO Sessions: Best Practices for Implementing Quantum-Resistant Security.”
Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Thales TCT we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.
