Federal agencies are no longer asking if they need to transition to post-quantum cryptography — they are being directed to do so. Mandates such as OMB M-23-02 and evolving NIST guidance have established clear expectations around cryptographic inventory, risk assessment and migration planning. Yet across government, a consistent challenge remains: how to operationalize these requirements without disrupting mission systems or creating long-term technical debt.

At the same time, emerging threats such as Harvest Now, Decrypt Later are accelerating urgency, particularly for agencies managing sensitive data with long-term confidentiality requirements. Adversaries are already collecting encrypted data today with the expectation of decrypting it in the future, reinforcing the need to act now not later.

This session will focus on bridging the gap between policy and execution. Attendees will gain a practical understanding of how to:

• Translate Federal mandates into actionable programs and timelines
• Prepare their agency for cryptographic discovery and inventory efforts
• Evaluate whether existing tools and architectures can support PQC migration or where gaps exist
• Prioritize systems and data based on mission risk and longevity
• Implement crypto-agility strategies that reduce rework and future migration cost

We will also discuss how agencies can approach training, governance and cross-team coordination to ensure system owners, security teams and leadership are aligned on both requirements and execution.

Importantly, this is not about introducing new complexity it is about building a sustainable, compliant cryptographic foundation. Cryptography remains one of the most tightly regulated components of federal cybersecurity and failure to align with validated standards can directly impact procurement, compliance and mission assurance.