Quantum readiness: Preparing federal agencies for tomorrow’s cyber threat

Quantum computing still sounds impossibly sci-fi, but the technology and its underlying theory continue to advance. Federal government leaders, engineers and developers need to be ready for the changes quantum computing will bring.

Within the next few years, quantum computers with cryptographic relevance may be ready to break widely used encryption schemes, putting sensitive data across U.S. critical infrastructure and the federal government at risk. Data that may be secure today could be easily decrypted in the future once quantum capabilities reach scale.

There is real urgency for agencies to adopt proactive risk mitigation. Adversaries are already harvesting encrypted data to decrypt in seconds once quantum power becomes available. Quantum computing is still largely the province of academia—just as the internet was in the late 1980s—but with start-ups and large established companies investing heavily in research and development, its broader availability is only a matter of time.

Two directives currently provide a path for agencies to prepare for the advent of quantum. National Security Memorandum 10, directs agencies to prioritize the adoption of quantum-resistant cryptography by 2035, establishing partnerships with industry, academia and state, local and tribal governments to help meet the goal. Office of Management and Budget Memorandum M-23-02 requires agencies to comply with NSM-10 and provides detailed guidance on implementing its requirements.

More mandates may be coming soon. Congress has introduced the National Quantum Cybersecurity Migration Strategy Act of 2025, which builds on the existing guidance and the earlier National Quantum Initiative Act, passed in 2018. 

Given existing directives and anticipated new legislation, agencies can proactively prepare for the quantum world by following these five steps.

1. Inventory all cryptographic systems: Identify where encryption is used, which algorithms and protocols are in place, and the sensitivity of the data they protect.  Implementation of Automated Post-Quantum Cryptography Discovery and Inventory (ACDI) tools, based on CISA’s recommendations, can help maintain the agency’s cryptographic asset inventory.  Agencies can leverage existing tools, such as those CGI has deployed under CISA’s Continuous Diagnostics and Mitigation (CDM) program, to assist in this process.
2. Develop a migration roadmap: With the results of the inventory as a guide, develop a phased migration roadmap that aligns with the National Institute of Standards and Technology (NIST)’s post-quantum cryptography standards and the Cybersecurity and Infrastructure Security Agency (CISA)’s Post-Quantum Cryptography Initiative. This plan should include pilot testing of quantum-safe algorithms, timelines for transition and strategies for crypto-agility to ensure systems can adapt to future cryptographic updates.
3. Prioritize high-risk systems: Identify the most vulnerable systems and migrate them to PQC first. There are tools that can support threat modeling and risk scoring.
4. Adopt post-quantum cryptography: These encryption algorithms are theoretically as secure as possible against future quantum attacks. Adopting them now and continuing to update them as cryptographers develop more sophisticated systems puts an agency in a ready state when the first quantum attack occurs.
5. Build quantum-aware teams: To build quantum-aware teams and instill true quantum readiness, federal agencies should invest in specialized training for cybersecurity professionals that covers the fundamentals of quantum computing, its cryptographic implications, and the evolving threat landscape. This includes equipping teams with the skills to evaluate quantum-resistant algorithms, manage crypto-agile systems, and lead the transition to post-quantum cryptographic standards with confidence and foresight.

Preparing for quantum in federal agencies

Many federal agencies are already moving ahead with quantum readiness. At the Quantum World Congress 2025, held in September in College Park, MD, leaders across industries shared insights aligning to these five steps.

At the event, U.S. Postal Service Chief Information Officer Pritha Mehra told the audience that USPS is proactively assessing its cryptographic posture.

The USPS has launched several concurrent initiatives to build quantum readiness, including migration roadmaps that prioritize critical systems and work toward automated Public Key Infrastructure and certificate management, enabling the USPS to update them continuously rather than every two years.

These measures lay the foundation for future technology upgrades and implementations to protect the service’s systems and data from quantum threats.

Conclusion

The age of quantum computing is approaching, and organizations across all government and industry sectors need to be ready. Learn how CGI Federal can help U.S. federal agencies enhance their cybersecurity posture.