Revolutional

PQC Best Practices for Federal Agencies

An introduction to post‑quantum cryptography and guidance for federal agencies to inventory cryptographic assets, identify quantum‑vulnerable systems, and prepare for PQC migration.

Unlike classical computers that process information sequentially using binary states (1’s and 0’s), quantum computers leverage quantum mechanical properties such as superposition and entanglement to perform parallel calculations at unprecedented scales. This quantum advantage enables them to solve certain mathematical problems exponentially faster than classical systems. This ability will make traditional public-key algorithms, including RSA, Diffie-Hellman, and Elliptic Curve Cryptography (ECC), vulnerable to attack and essentially obsolete.

The transition to post-quantum cryptography (PQC) is not merely a technical upgrade; it represents a fundamental shift in how federal agencies must approach cybersecurity. With experts projecting that cryptographically relevant quantum computers (CRQCs) may emerge within the next decade, agencies cannot afford to delay preparation.

As far back as 2022, National Security Memorandum 10 (NSM-10) mandated that all federal agencies begin implementing PQC standards to protect vulnerable systems before quantum threats materialize. The cyber-focused Executive Order 14306, issued in June of 2025, directed the National Security Agency and the Office of Management and Budget to issue government agency standards for PQC by December 2025 so that tougher security protections are in place by 2030.

In this series we’ll detail three critical requirements established by federal PQC guidance:

Starting in the next section and continuing over the next few weeks, we will lay out guidelines agencies can follow to ensure they meet compliance requirements while also maintaining mission-critical security capabilities throughout their quantum transition.

Understanding Your Agency’s Cryptographic Landscape

Let’s start this journey by taking a look at what we have in place. The foundation of any successful post-quantum cryptography (PQC) transition is a comprehensive understanding of an organization’s cryptographic landscape. OMB M-23-02 provides detailed guidance for conducting systematic inventories that identify systems vulnerable to quantum attacks.

Federal agencies must catalog all systems that rely on public-key cryptography, with particular emphasis on high-value assets (HVA) and FISMA high-impact systems. This inventory process requires collaboration between cybersecurity teams, system administrators, and business process owners.

Look beyond IT

The inventory process should extend beyond obvious cryptographic applications to include embedded systems, Internet of Things (IoT) devices, and legacy infrastructure that may contain hidden cryptographic dependencies.

For example, a federal building’s HVAC system may use IoT sensors that authenticate to the network using RSA certificates, while legacy industrial control systems may rely on embedded cryptographic modules for secure communications that are not immediately apparent to IT teams. Similarly, network printers, surveillance cameras, and even elevator control systems often contain cryptographic components that could be vulnerable to quantum attacks.

Comprehensive mapping supports prioritization

In documenting the cryptographic algorithms currently in use, agencies should also note their implementation contexts, data sensitivity levels, and operational criticality. Documentation should include detailed technical specifications, vendor information, maintenance schedules, and interdependencies between systems.

This comprehensive mapping enables agencies to prioritize migration efforts based on risk levels and operational impact, ensuring that the most critical systems receive attention first while maintaining continuity of essential services.
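An added example, not from the original article or from any agency tooling: a minimal triage pass over a constructed inventory that flags the public-key families the article names (RSA, Diffie-Hellman, ECC) and orders them using HVA status and FISMA impact. The CSV columns, the scoring weights and the sample systems are assumptions for illustration.

```python
import csv
import io
import re

# Constructed sample inventory (not real agency data); column names are assumptions.
SAMPLE_INVENTORY = """system,component,algorithm,hva,fisma_impact
HVAC sensor gateway,device certificate,sha256WithRSAEncryption,no,moderate
Payroll portal,TLS key exchange,ECDHE-P256,yes,high
Badge reader controller,firmware signing,ecdsa-with-SHA256,no,high
File archive,data at rest,AES-256-GCM,yes,high
Legacy ICS link,VPN key exchange,DH-2048,no,low
Pilot VPN,key encapsulation,ML-KEM-768,no,moderate
Print server,device certificate,unknown,no,low
"""

# Public-key families the article names as quantum-vulnerable: RSA, Diffie-Hellman, ECC.
VULNERABLE = re.compile(r"rsa|ecdsa|ecdh|ed25519|x25519|diffie|(?<![a-z])dhe?(?![a-z])")
PQC = re.compile(r"ml-kem|ml-dsa|slh-dsa")          # NIST FIPS 203/204/205 names
SYMMETRIC = re.compile(r"aes|chacha|hmac|sha-?\d")  # not public-key: outside this inventory's scope
IMPACT = {"low": 0, "moderate": 1, "high": 2}       # illustrative weights (assumption)

def classify(algorithm):
    """Map a free-form algorithm string to an inventory category."""
    name = algorithm.strip().lower()
    if VULNERABLE.search(name):  # checked first: "sha256WithRSAEncryption" is an RSA signature
        return "quantum-vulnerable"
    if PQC.search(name):
        return "pqc"
    if SYMMETRIC.search(name):
        return "symmetric-or-hash"
    return "unidentified"        # possible hidden dependency: follow up with the system owner

def triage(csv_text):
    """Return (migration queue sorted by priority, systems needing investigation)."""
    migrate, investigate = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row["algorithm"])
        if kind == "unidentified":
            investigate.append(row["system"])
        elif kind == "quantum-vulnerable":
            score = IMPACT[row["fisma_impact"].strip().lower()]
            score += 2 if row["hva"].strip().lower() == "yes" else 0  # HVA bonus (assumption)
            migrate.append((score, row["system"], row["algorithm"]))
    migrate.sort(key=lambda item: (-item[0], item[1]))  # highest score first, then by name
    return migrate, investigate

if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print(entry)
```

Entries that cannot be classified are returned separately rather than dropped, so devices with undocumented cryptography stay visible in the inventory.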

In our next post, Engaging Vendors to Prepare Your Supply Chain for the Post-Quantum Era, we’ll look at how to engage vendors to ensure your supply chain is ready for the post-quantum reality.