Preparing Federal Systems for Post-Quantum Security: A Strategic Approach

Federal agencies face an urgent timeline to protect their most sensitive data from quantum computing threats. Quantum computers leverage physics principles like superposition and entanglement to perform calculations faster than classical computers, posing a significant threat to current encryption standards. Adversaries employ “harvest now, decrypt later” tactics, collecting encrypted data to store until there is a quantum computer powerful enough to break the encryption. The National Institute of Standards and Technology (NIST) released standardized Post-Quantum Cryptography (PQC) algorithms designed to withstand quantum attacks, ensuring long-term data security. The U.S. Federal Government has also issued guidance urging Federal agencies to update their IT infrastructure and deploy crypto-agile solutions that utilize today’s classical encryption algorithms and provide the ability to upgrade to PQC algorithms to combat this threat.

With the Cloud Security Alliance projecting cryptographically relevant quantum computers by 2030, agencies must implement these quantum-resistant algorithms before current security measures become obsolete.

The Quantum Threat Landscape

Current public key infrastructure (PKI), which underpins the internet, code signing and authentication, faces an existential threat from quantum computing. This vulnerability extends beyond theoretical concerns to three specific risk areas affecting Federal systems:

  1. Harvest Now, Decrypt Later: Attackers intercept communications and data today, storing them until quantum computers can break the encryption—potentially exposing Government secrets and sensitive information.
  2. Forged Signatures: Quantum capabilities could enable impersonation of trusted entities, allowing attackers to load malicious software to long-life devices or create fraudulent financial transactions that impact both commercial and Federal Government systems.
  3. Man-in-the-Middle Attacks: Advanced quantum computing could facilitate access to secure systems, potentially compromising military command and control (C2) environments, disrupting critical infrastructure and interfering with elections.

The most vulnerable assets are those containing long-lived data, including decades of trade secrets, classified information and lifetime healthcare and personally identifiable information. Short-lived data that exists for hours or months faces considerably less risk from quantum-enabled decryption.

Post-Quantum Cryptography Standards and Timeline

The standardization of quantum-resistant algorithms represents the culmination of an eight-year process spearheaded by NIST. In August 2024, NIST published its final standards for three critical algorithms:

  • ML-KEM (formerly Crystals-Kyber), FIPS 203: Key Encapsulation
  • ML-DSA (formerly Crystals-Dilithium), FIPS 204: Digital Signature
  • SLH-DSA (formerly HSS/LMS), FIPS 205: Stateless Hash-Based Signature

A fourth algorithm, FND-DSA (formerly Falcon), is still pending finalization. Simultaneously, NIST has released Internal Report (IR) 8547, providing comprehensive guidelines for transitioning from quantum-vulnerable cryptographic algorithms to PQC.

The National Security Agency’s (NSA) Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), released in September 2022 with an FAQ update in April 2024, outlines specific PQC requirements for National Security Systems. These standards have become reference points for Federal agencies beyond classified environments, establishing a staggered implementation timeline:

  • 2025-2030: Software/firmware signing
  • 2025-2033: Browsers, servers and cloud services
  • 2026-2030: Traditional networking equipment
  • 2027: Begin implementation of operating systems

Crypto Agility and Transition Strategy

It is essential for Federal agencies to deploy crypto-agile solutions that provide the ability to quickly modify underlying cryptographic primitives with flexible, upgradable technology. This capability allows organizations to support both current algorithms and future quantum-resistant ones without hardware replacement.

A comprehensive transition strategy includes seven critical steps:

  1. Awareness: Understand the challenges, risks and necessary actions to prepare for quantum threats.
  2. Inventory and Prioritize: Catalog cryptographic technologies and identify high-risk systems—a process the Cybersecurity and Infrastructure Security Agency (CISA) mandated via spreadsheet submission last year.
  3. Automate Discovery: Implement tools that continuously identify and inventory cryptographic assets, recognizing that manual inventories quickly become outdated.
  4. Set Up a PQC Test Environment: Establish testing platforms to evaluate how quantum-resistant algorithms affect performance, as these algorithms generate larger keys that may impact systems differently.
  5. Practice Crypto Agility: Ensure systems can support both classical algorithms and quantum-resistant alternatives, which may require modernizing end-of-life hardware security modules.
  6. Quantum Key Generation: Leverage quantum random number generation to create quantum-capable keys.
  7. Implement Quantum-Resistant Algorithms: Deploy PQC solutions across systems, beginning with high-risk assets while preparing for a multi-year process.

Practical Implementation of PQC

Federal agencies should look beyond algorithms to consider the full scope of implementation requirements. The quantum threat extends to communication protocols including Transport Layer Security (TLS), Internet Protocol Security (IPSec) and Secure Shell (SSH). It also affects certificates like X.509 for identities and code signing, as well as key management protocols.

Hardware security modules (HSMs) and high-speed network encryptors serve as critical components in quantum-resistant infrastructure. These devices must support hybrid approaches that combine classical encryption with PQC to maintain backward compatibility while adding quantum protection.

The National Cybersecurity Center of Excellence (NCCoE) is coordinating a major post-quantum crypto migration project involving more than 40 collaborators, including industry, academia, financial sectors and Government partners. This initiative has already produced testing artifacts and integration frameworks available through NIST Special Publication (SP) 1800-38.

Crypto Discovery and Inventory Management

Automated discovery tools represent a crucial capability for maintaining an accurate and current inventory of cryptographic assets. Unlike the one-time manual inventories many agencies completed in 2022-2023, these tools enable continuous monitoring of cryptographic implementations across the enterprise.

Several vendors offer specialized solutions for cryptographic discovery, including InfoSec Global, Sandbox AQ and IBM. These tools can:

  • Discover and classify cryptographic material across environments
  • Identify which assets are managed or unmanaged
  • Determine vulnerability to quantum attacks
  • Support centralized crypto management and policies

The Cloud Security Alliance has coined the term “Y2Q” (Years to Quantum) as an analogy to the “Y2K bug,” highlighting the need for systematic preparation. However, the quantum threat represents a potentially more significant risk than Y2K, and the projected timeline places the arrival of a cryptographically relevant quantum computer capable of breaking current cryptography at April 14, 2030.
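An added example, not from the original post or any vendor tool: one way to turn a discovery inventory into a priority list, by flagging algorithms that rest on factoring or discrete logarithms and ranking them by how far data shelf life plus migration time overruns the 2030 projection (Mosca's inequality, a heuristic the post does not itself name). The inventory rows, field names and year estimates are constructed assumptions.

```python
from dataclasses import dataclass

CRQC_YEAR = 2030  # projection quoted on this page; adjust to your own risk model
# Families whose security rests on factoring or discrete logs (Shor's algorithm).
SHOR_BROKEN = ("RSA", "DSA", "DH", "ECDSA", "ECDH", "X25519", "ED25519")
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")  # FIPS 203 / 204 / 205

@dataclass
class Asset:
    name: str
    algorithm: str      # as reported by discovery; "+" joins a hybrid pair
    use: str            # "kex", "encryption" or "signature"
    shelf_years: int    # how long the data or signature must stay trustworthy
    migrate_years: int  # estimated time to move this system to PQC

def classify(algorithm):
    """Return 'pqc', 'hybrid', 'quantum-vulnerable' or 'review'."""
    kinds = set()
    for part in algorithm.upper().split("+"):
        part = part.strip()
        if part.startswith(PQC):
            kinds.add("pqc")
        elif part.startswith(SHOR_BROKEN):
            kinds.add("classical")
        else:
            kinds.add("other")  # symmetric, hash or unrecognized: needs a human look
    if kinds == {"pqc"}:
        return "pqc"
    if "pqc" in kinds and "classical" in kinds:
        return "hybrid"
    if "classical" in kinds:
        return "quantum-vulnerable"
    return "review"

def prioritize(assets, today_year):
    """Rank quantum-vulnerable assets by margin = shelf + migrate - years to CRQC."""
    years_left = CRQC_YEAR - today_year
    findings = []
    for a in assets:
        if classify(a.algorithm) != "quantum-vulnerable":
            continue
        margin = a.shelf_years + a.migrate_years - years_left
        threat = "forged-signature" if a.use == "signature" else "harvest-now-decrypt-later"
        findings.append({"asset": a.name, "threat": threat, "margin": margin, "exposed": margin > 0})
    return sorted(findings, key=lambda f: f["margin"], reverse=True)

# Constructed inventory rows (not real systems).
INVENTORY = [
    Asset("records-archive-tls", "ECDH-P256", "kex", 25, 3),
    Asset("firmware-signing", "RSA-3072", "signature", 15, 4),
    Asset("session-cache", "RSA-2048", "encryption", 0, 1),
    Asset("vpn-gateway", "X25519+ML-KEM-768", "kex", 10, 0),
    Asset("backup-vault", "AES-256-GCM", "encryption", 30, 2),
]

if __name__ == "__main__":
    for finding in prioritize(INVENTORY, today_year=2025):
        print(finding)
```

A positive margin means the data or signature must outlive the projected arrival of a cryptographically relevant quantum computer even if migration starts today, so those assets go first.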

Moving Forward with Quantum-Resistant Security

The transition to post-quantum cryptography is not optional for Federal agencies—it is an imperative. While the process requires significant investment in time and resources, the alternative—leaving sensitive Government data vulnerable to decryption—poses an unacceptable risk to national security.

Agencies should begin by evaluating their existing cryptographic inventory, prioritizing systems with long-lived sensitive data and developing implementation roadmaps aligned with NIST and NSA timelines. By taking incremental steps today toward quantum-resistant infrastructure, Federal organizations can ensure their critical information remains secure in the quantum computing era.

To learn more about implementing quantum-resistant security in Federal environments, watch Thales Trusted Cyber Technologies’ (TCT) webinar, “CTO Sessions: Best Practices for Implementing Quantum-Resistant Security.”

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Thales TCT, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Key Insights from Global Cyber Innovation Forum 2025 

The 2025 Global Cyber Innovation Forum served as a premier gathering where cybersecurity’s most pressing challenges meet collaborative solutions.  

Hosted by Forgepoint Capital, Snowflake, Forescout, Google Cloud and Carahsoft at the Embassy of Canada in Washington, D.C., the Forum brought together a curated audience of influential cyber leaders from across the globe, including industry executives, Government officials, policy leaders, venture capitalists and thought leaders from academia and the non-profit sector.

This annual event provided a platform for critical discussions on emerging threats, technological innovation and strategic partnerships essential for securing our digital infrastructure. Five key themes stood out throughout the sessions: 

  • National Security Threats with Supply Chain Vulnerabilities 
  • The Rise and Race to AI Dominance 
  • The Edge of Quantum Transformation 
  • Typhoon of Attacks on Critical Infrastructure 
  • Streamlining Cybersecurity Compliance 

National Security Threats with Supply Chain Vulnerabilities 

The digital supply chain, specifically the software and applications civilians use, has increasingly become a source of critical national security vulnerabilities. Government officials and industry leaders warn that software and digital platforms sourced from foreign adversaries have reshaped the threat landscape by implanting foreign influence in the U.S. technology ecosystem.

Technology serves as a funding mechanism for adversaries and comes with a hidden price of mass data collection, making it easier for threat actors to access sensitive information and transform traditional cyberattacks. The lack of transparency in certain nation-states raises concerns about regulatory consequences, potentially giving adversaries a strategic edge in information warfare and creating a blind spot in the global tech supply chain.

U.S. leaders emphasize the necessity for regulated technology supply chains and accelerated Federal certifications, specifically FedRAMP, to ensure innovation does not come at the cost of national security. 

Rise and Race to AI Dominance 

With the rise of artificial intelligence (AI), data has become the modern form of power. Foreign adversaries are striving to build or gain access to data pipelines to fuel their AI models, bypassing privacy in a way that allows them to train AI models much faster than has been possible in America. The U.S. must counter this by accelerating our own AI model training and innovation, while safeguarding privacy and data integrity.  

Government and industry experts state that AI is being underutilized across U.S. operations. The current administration has streamlined AI usage through Executive Order 14179: Removing Barriers to American Leadership in Artificial Intelligence and Executive Order 14277: Advancing Artificial Intelligence Education for American Youth. Additionally, AI should be deployed when combating advanced cyberattacks and automating routine cybersecurity efforts such as threat detection, incident response and vulnerability identification. 

The Edge of Quantum Transformation 

Emerging technologies such as quantum computing are rapidly approaching mainstream adoption. The massive amount of encrypted data currently stored in secret could be vulnerable to decryption within the next 5 to 10 years. This hovering threat has made the development and deployment of post-quantum cryptography a top priority for the U.S. Government. The race to post-quantum cryptography and quantum computers is urgent not only for the U.S. and its allies but also for adversarial nation-states.

Typhoon of Attacks on Critical Infrastructure 

Advanced persistent threat (APT) groups such as Salt Typhoon, Volt Typhoon and Flax Typhoon have already infiltrated critical infrastructure systems, often using “living off the land” techniques. These public and well documented attacks are considered digital terrorism, disrupting U.S. critical infrastructure operations and stealing intellectual property.  

In response, the U.S. Government is prioritizing cyber hygiene, secure-by-design and the development of an integrated and robust defense system. Agencies, technology providers and critical infrastructure operators are heavily encouraged to collaborate through information sharing, adoption of emerging technologies and routine threat assessments. The severity of these cyberattacks has increased substantially, highlighting the urgency for a more proactive and coordinated national response from the U.S. Government.

Streamlining Cybersecurity Compliance 

The current cybersecurity regulatory landscape presents a fragmented maze of overlapping requirements that hinder both innovation and effective security implementation. Government and industry security teams are overwhelmed by conflicting standards across Federal, State and agency-specific frameworks. Organizations must navigate multiple compliance frameworks—FedRAMP, National Institute of Standards and Technology (NIST) requirements, Cybersecurity Maturity Model Certification (CMMC) and various state requirements—creating redundant processes that drain resources without enhancing security.

To address this, industry leaders are advocating for regulatory harmonization initiatives. Federal agencies are working to align various compliance frameworks while updating modernization strategies to build interoperability. By aligning around core standards like NIST 800-53 and implementing automated compliance tools, agencies can reduce complexity while maintaining robust cybersecurity postures. Forum participants agreed: harmonized regulations are essential to enabling secure innovation without compromising oversight. 

The Global Cyber Innovation Forum demonstrated that securing America’s digital future requires unprecedented coordination between Government agencies, private industry and international allies. As adversaries continue to exploit emerging technologies, the U.S. must respond with unified strategies that streamline regulations, accelerate innovation and sustain global cyber leadership. The insights shared offer a critical roadmap for defending against tomorrow’s threats in a rapidly evolving digital landscape.

Visit Carahsoft’s Resource Hub to dive deeper into the key takeaways, expert perspectives and resources from the 2025 Global Cyber Innovation Forum. 

Quantum Computing’s Latest Breakthrough: Why Government Encryption Standards Face a New, Unexpected Threat

Last week, international scientists made headlines by successfully cracking a 50-bit RSA encryption integer using D-Wave’s Advantage quantum computer. While it’s true that a 50-bit key is vastly smaller than the 2048-bit keys used in modern RSA encryption, the significance of this achievement lies in how it was done. Unlike traditional attacks based on Shor’s algorithm and quantum gate computers, the researchers utilized a quantum annealing system, designed for optimization rather than direct factoring. This shift in approach raises important questions about the timeline for when quantum computers could crack full-scale RSA encryption, potentially accelerating the threat to current cryptographic standards far sooner than expected.

For years, the vulnerability of public key encryption has been understood primarily as a factoring problem, since the security of encryption algorithms like RSA relies on the difficulty of factoring large composite numbers. Shor’s algorithm, widely regarded as the most probable path to breaking public key encryption, is designed specifically to factor these numbers exponentially faster than classical methods, posing a significant future threat to encryption systems. However, in a surprising turn, the international researchers in this recent attack used a quantum annealing computer, which is designed for optimization tasks, not factoring. This innovative approach represents a completely different method of breaking RSA encryption, highlighting that the threat from quantum computing may emerge from unexpected directions, advancing the risk timeline beyond what many experts anticipated.

This breakthrough also underscores the growing versatility of quantum annealing in solving problems once thought exclusive to gate-based quantum computers. Traditionally, annealing systems have been seen as ideal for optimization problems in fields such as logistics, material science, and machine learning—not for cryptographic attacks. However, the international researchers effectively re-framed RSA decryption as an optimization challenge, unlocking new potential in quantum annealing. While quantum annealing computers like D-Wave’s systems were not originally designed for factorization tasks, this achievement raises important questions about their ability to scale to larger key sizes and tackle more complex encryption algorithms. If quantum annealing can be adapted for cryptography at higher levels, it could potentially shorten the timeline for when quantum computers might become a real-world threat to encryption standards. Though hurdles remain, this new approach widens the scope of quantum threats to cryptographic systems, showing that the race to quantum-safe encryption may need to accelerate.

In conclusion, this breakthrough in quantum annealing highlights the increasing urgency for federal agencies to prioritize their post-quantum encryption (PQE) transition. The rapid evolution of quantum computing, coupled with the potential for new cryptographic vulnerabilities, underscores the need to meet the milestones set by NSM 10 and OMB 23-02. Agencies that have not yet initiated or fully engaged in this process risk falling behind as quantum advancements accelerate. The time to act is now—establishing cryptographic leadership, conducting comprehensive inventories, and securing appropriate resources are critical first steps. Preparing today will ensure the resilience of federal systems in a quantum-enabled future.

To learn about the latest standards set forth by NIST and how Marion Square can support your Quantum Computing and compliance initiatives, view our webinar, “Mastering NIST PQE Standards: A Guide for Federal Compliance.”