5 Steps Agencies Can Take Now to Turn Quantum Uncertainty into PQC Readiness
Actionable tips for making the PQC transition across complex organizations, vendors, and mission-essential systems.
It is tempting to put off preparing for the next generation of cyber threats. After all, the kind of quantum computer that could break today’s encryption does not yet exist.
Much of the federal government depends on public-key cryptography for secure communications, digital signatures, identity, software updates, certificates, and key exchange. A sufficiently capable quantum computer could undermine many of the algorithms used for those functions. Post-quantum cryptography, or PQC, uses quantum-resistant algorithms to help protect those functions from future quantum attacks.
This kind of machine, known as a cryptanalytically relevant quantum computer (CRQC), has not yet been built. Some researchers believe it may never exist or could still be decades away. Others believe progress could move faster than expected.
No one knows when or whether a CRQC will become viable, but the risk is not entirely in the future. “Harvest now, decrypt later” attacks can begin today, and delaying action only increases the amount of sensitive data that can be exposed.
The potential consequences for national security, banking, and the internet are serious enough to warrant preparation. PQC migration is a resilience challenge that calls for the same planning discipline agencies apply to business continuity, crisis management, and organizational risk.
Government standards for PQC have already been published. The hard part is actually making the transition across complex organizations, vendors, and mission-essential systems. Five steps can help agencies get started.
- Stand Up a PQC Governance Program Immediately
Agencies should identify a PQC migration program manager and technical lead now. They also need roles and responsibilities that create accountability across the organization.
This work should include policies, procedures, contracts, and SLAs that reflect PQC migration requirements and deadlines. Agencies must also ensure they meet TLS 1.3 compliance.
- Start the CRQC-Vulnerable Asset Inventory in Parallel
Governance should not wait for a complete inventory of vulnerable assets, and the inventory should not wait for perfect governance. Agencies need to start both efforts in parallel.
A CRQC-vulnerable asset inventory gives agencies the foundation for everything that follows. It helps them understand where vulnerable cryptography exists, which systems and vendors are involved, and where migration is likely to be most difficult.
- Prioritize Systems and Data Using a Risk-Based Approach
Agencies do not need to migrate everything at once. They should start by triaging high-value assets and high-impact systems first.
Legacy systems should also be flagged early. If a system cannot be easily upgraded, agencies need time to develop a replacement plan or another path forward. Waiting too long could force rushed decisions later.
- Develop Transition Roadmaps
Once agencies begin implementing governance, inventorying assets, and prioritizing systems, they need to create transition roadmaps that can guide execution.
Those roadmaps should help agencies prepare to submit to a federal PQC task force, coordinate dependencies, manage deadlines, and keep the transition moving across programs, vendors, and mission owners.
- Plan for Disruption During the Transition
PQC migration will not be simple. Agencies should plan for unforeseen incidents by developing adaptable business continuity plans that keep operations running during the transition.
They should also create incident response plans and playbooks for when things go wrong. A migration of this scale will require not only technical planning, but operational readiness.
Federal Mandates Require Action Now
Federal policy increasingly reflects the operational reality. The White House issued Executive Order 14412, followed by the Office of Management and Budget’s Memorandum M-26-15, “Execution of the Migration to Post-Quantum Cryptography,” in June 2026. Together, they require agencies to catalog encrypted systems, prioritize their highest-risk assets, create cryptographic-agility architecture plans, coordinate with third-party vendors, and establish governance roles and responsibilities to meet compressed PQC timelines of 2030 for encryption and 2031 for authentication.
These mandates do not require certainty about when CRQCs are viable. They require action now.
Enterprise cryptographic migration is being treated as a long-term modernization effort that requires governance, planning, and coordinated execution across agencies and their technology partners.
PQC is becoming one of the largest modernization efforts in decades. This long-term resilience effort will require sustained leadership, planning, coordination, and execution. Agencies that build that foundation now will be in a far stronger position to see the transition through.

