Agencies have four months to finalize quantum-ready migration plans

Overview

OMB has issued a memorandum requiring federal agencies to finalize post-quantum cryptography (PQC) migration plans within 120 days, with accelerated deadlines to transition high-impact systems by December 2030 and digital signatures by December 2031. The memorandum follows recent presidential quantum executive orders and establishes a five‑phase implementation timeline through 2035. For contractors this means PQC planning and migration must move from research to program execution: inventory crypto dependencies, prioritize high‑impact and sensitive systems, and ensure third‑party software purchases meet emerging quantum‑resistant encryption standards. Contractors who supply systems, services, or software to affected agencies should expect procurement, compliance, and statement‑of‑work changes that will accelerate requirements and create new capture priorities. Action is needed now to avoid being locked out of future solicitations or facing costly retrofit projects later.

Immediate Actions (This Week)

• [ ] Build a cross‑functional PQC working group (security, engineering, procurement, legal, capture).
• [ ] Run an expedited inventory of systems, services, and third‑party software that rely on public‑key cryptography or digital signatures; tag systems likely to be "high‑impact."
• [ ] Flag active proposals and pipelines that touch affected agencies and high‑impact systems; place holds for PQC review.
• [ ] Notify key subcontractors and vendors of the agency memo and request their PQC readiness roadmaps and timelines.
• [ ] Monitor for the official OMB memorandum text, agency implementation guidance, and related solicitations (do not assume final details until posted).

Short-Term Actions (30 Days)

• [ ] Draft a corporate PQC migration plan template you can adapt per contract, including risk tiers, remediation milestones, and validation steps aligned to the five‑phase timeline.
• [ ] Update procurement and SOW language templates to require vendor attestations on PQC compliance and crypto‑agility for new purchases.
• [ ] Prioritize a shortlist of high‑impact systems for targeted remediation planning and funding requests.
• [ ] Begin internal training for engineering and DevSecOps teams on PQC concepts and algorithm migration strategies.

Long-Term Actions (90+ Days)

• [ ] Execute migration pilots for at least one high‑impact system (algorithm substitution, interoperability testing, and fallback plans).
• [ ] Establish continuous supplier assurance: integrate PQC readiness into vendor risk assessments, periodic attestations, and contract milestones.
• [ ] Build testing and validation capability for quantum‑resistant algorithms and digital‑signature transitions, and plan for certificate and key lifecycle management changes.
• [ ] Incorporate PQC milestones into capture plans and proposal templates for affected agencies and contract vehicles.

Compliance Checklist

• [ ] NIST 800-171 (NIST Special Publication 800-171) — Assess cryptographic protections and document changes needed to support PQC migrations.
• [ ] NIST 800-53 — Map system security controls impacted by cryptographic algorithm changes and update control implementations and artifacts.
• [ ] CMMC (Cybersecurity Maturity Model Certification) — Evaluate CMMC dependencies on cryptographic controls and update practice/procedure evidence to reflect PQC migration.
• [ ] FedRAMP (Federal Risk and Authorization Management Program) — For cloud services, document PQC migration plans in authorization packages and coordinate with authorizing officials.
• [ ] FIPS 140-3 — Plan for module validation and cryptographic module lifecycle changes if PQC implementations require new or updated certified modules.
• [ ] FIPS 203 / FIPS 204 / FIPS 205 — Review any applicable federal identity, proofing, or authorization standards impacted by signature or crypto changes.
• [ ] ITAR (International Traffic in Arms Regulations) — If you support ITAR‑controlled projects, assess export controls implications of new cryptography implementations.
• [ ] FISMA — Ensure agency FISMA documentation and system security plans reflect PQC migration schedules.
• [ ] CNSA 2.0 — For systems in the most restrictive national security space, evaluate alignment and expected additional controls.

(Compliance scope TBD — re‑evaluate when official guidance and agency mappings are published for specific systems and contract vehicles.)

Resources

• OMB memorandum — text and implementation guidance (TBD pending source review) (TBD pending source review)
• Agency guidance index — monitor OMB, NIST, CISA, DOD, DHS (Department of Homeland Security), GSA (General Services Administration), DOE, Treasury, State, Intelligence Community for follow‑on guidance (TBD pending source review) (TBD pending source review)
• Related reference pages:
• Secure Operations Guide (/insights/secure-operations-guide)
• CMMC Compliance Guide (/insights/cmmc-compliance-guide)
• CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide)

How Cabrillo Club Automates This

• Cabrillo Signals War Room — Already detected this event and delivered this briefing within minutes. War Room will continuously monitor the OMB memorandum, agency follow‑on guidance, and contract‑vehicle notices so your PQC working group receives alerts the moment official text or solicitations post. Use War Room to maintain a single, timestamped record of the memo, agency interpretations, and any policy changes that affect your contracts.
• Cabrillo Signals Match Engine — Automatically rescoring occurs when events like this change which opportunities are high priority. The Match Engine will rescore your opportunity pipeline based on affected agencies, the PQC timeline, and keywords (e.g., post-quantum, quantum-resistant, digital signatures). That reprioritization helps capture teams focus on solicitations where PQC readiness is a differentiator.
• Cabrillo Signals Intelligence Hub — Tracks the named agencies, NAICS codes, and contract vehicles in the event profile. Configure saved searches and alerts to watch for follow‑on solicitations on SAM.gov (System for Award Management) and other sources that match this event profile, and have the Intelligence Hub tag opportunities as PQC‑affected automatically.
• Proposal Studio (Proposal OS) — Generates compliance matrices and first‑draft technical approaches tailored to PQC migration requirements by reusing your past performance and win themes. Proposal Studio can produce a draft PQC migration section, a supplier assurance appendix, and a bid/no‑bid recommendation that factors in the updated timelines and risk tiers from the OMB memo.
• Proposal Studio Workflow Tracker — Triggers a 9‑gate capture workflow when an opportunity is flagged as PQC‑affected: routes technical and compliance reviews, collects vendor PQC attestations, tracks milestone deliverables for pilot testing, and builds an audit‑ready documentation package tied to the proposal.

Call to action: use your Cabrillo dashboard to enable the PQC saved searches in Signals, run an immediate pipeline rescore with the Match Engine, and open a War Room channel for your PQC working group to centralize incoming guidance and vendor responses.