As the federal government prepares for post-quantum cryptography (PQC) adoption, officials from the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) are weighing the budget, technical, and implementation hurdles that come with transitioning to a quantum-safe future.
Quantum computing is no longer a question of if, but when – and the big concern is what challenges stand in the way of getting quantum-ready. According to Andy Regenscheid, cryptographic technology group lead at NIST, the large-scale overhaul required to prepare systems for PQC is on a level never seen before.
“We’ve been through cryptographic algorithm migrations before, but those were in cases where it was going from an algorithm that was already deployed, just not widely used,” said Regenscheid while speaking at the 2025 Billington CyberSecurity Summit in Washington.
“Here’s a case where, in parallel, we are working on identifying the systems that we have that are using vulnerable cryptography,” he continued. “We are specifying the new technologies, the new algorithms … then we’ll get to a point where we can really do the deployment … of those technologies.”
To get to that deployment stage, Regenscheid explained that the federal government must undergo mass modernization efforts to support the new PQC algorithms, released by NIST last summer, which are larger than current encryption standards and can impact system performance.
“Many of the foundational protocols and applications have not yet been updated to support these new algorithms,” said Regenscheid, adding that “industry and implementers are looking to adapt those technologies, those standards, according to …these different performance characteristics of the algorithms.”
That large-scale transition requires a budget to make those shifts, which Nick Polk, director for the federal cybersecurity branch at OMB, said the federal government is looking to share costs with vendors.
“The migration to post quantum is not a standalone effort within each agency,” said Polk, explaining that instead of viewing all federal systems as being out of date, OMB is looking to incorporate modernization into the system life cycle.
“There is a shared responsibility between the vendors and the government,” Polk explained, adding that OMB will “expect vendors are going to integrate a lot of the required PQC algorithms into their products as part of their regular modernization refresh cycle, which is already under existing contracts.”
On the federal government’s side, Polk said that responsibility means ensuring that when contracts are drafted, assurances are included to avoid needing a complete overhaul of systems when they become outdated.
“The U.S. government budgets in one-year increments, and that means that the big bang modernizations are always until the end of time going to be, evidently, difficult to fit into that,” said Polk.
Outside of shared responsibility, Polk said that the federal government needs to look into how it can take modernization steps together instead of individual agencies progressing alone.
“One thing we’re really looking at is how, in partnership with [the Cybersecurity Infrastructure and Security Agency], we can work directly with those companies to migrate multiple agencies at the same time,” said Polk.
He added that OMB is also avoiding being path dependent, which he noted can be costly and less efficient.
“When there is an opportunity to use this … migration PQC to modernize other parts of our network stack and do it more efficiently, we need to take them, and that’s one thing we’re really encouraging agencies to do,” said Polk.
With the 2035 deadline for the federal government’s transition to quantum-safe systems looming, OMB is working to convince agency leaders to take the threat of quantum computing seriously without diverting resources from near-term defenses like multi-factor authentication and patching.
To maintain current defenses, Polk suggested that agencies strike a balance by testing PQC algorithms on their network to uncover hidden network issues that may later prevent them from completing their PQC migration.