Agencies have four months to finalize quantum-ready migration plans

TL;DR

OMB has issued a memorandum requiring federal agencies to finalize post-quantum cryptography (PQC) migration plans within 120 days. The memorandum imposes accelerated deadlines for transitioning high-impact systems by December 2030 and for digital signatures by December 2031, and it establishes a five-phase implementation timeline through 2035. This follows President Trump's quantum executive orders and signals an agency-wide push to adopt quantum-resistant encryption across systems that handle sensitive data or high-value assets. Government contractors must prioritize PQC upgrades in existing systems and ensure third-party software purchases comply with new quantum-resistant encryption standards. Immediate implications include re-scoping active work, re-planning roadmaps for compliance, and updating proposals and bids to reflect PQC requirements. Contractors that delay will face higher technical and capture risk as agencies begin enforcing accelerated transition milestones.

Key Points

• What happened: OMB issued a memorandum requiring agencies to finalize post-quantum cryptography (PQC) migration plans and set a phased implementation through 2035.
• Who is affected: Segments named in the segmentation: NAICS 541512, 541513, 541519, 541330, 541511, 518210, 334290, 541690, 541715; agencies including OMB, DOD, DHS (Department of Homeland Security), CISA, NIST, GSA (General Services Administration), DOE, Treasury, State, and the Intelligence Community; market segments in Cybersecurity, IT Services, Defense, Cloud Services, Cryptography, Software Development, Systems Integration, Network Security, Critical Infrastructure, and National Security Systems.
• Timeline: Agencies must finalize PQC migration plans within 120 days; transition high-impact systems by December 2030; transition digital signatures by December 2031; five-phase implementation timeline continues through 2035.
• What contractors should do NOW: Inventory affected systems and contracts, prioritize PQC upgrades for high-impact systems and digital signing processes, insert quantum-resistance requirements into procurement and subcontracting language, update capture / proposal materials and compliance matrices, and notify program leadership and capture teams.

Who Is Affected

Affected segments include government contractors and suppliers operating in the listed market segments and NAICS codes, and entities doing work for the listed agencies. Specific NAICS codes, agencies, and contract vehicles are explicitly provided in segmentation and include:

• NAICS: 541512, 541513, 541519, 541330, 541511, 518210, 334290, 541690, 541715
• Agencies: OMB, DOD, DHS, CISA, NIST, GSA, DOE, Treasury, State, Intelligence Community
• Contract vehicles: SEWP, OASIS+, 8(a) STARS III, Alliant 3, CIO-SP4, GSA Schedule 70, ITES-SW2, VETS 2
• Compliance regimes called out in segmentation: NIST 800-171 (NIST Special Publication 800-171), NIST 800-53, CMMC (Cybersecurity Maturity Model Certification), FedRAMP (Federal Risk and Authorization Management Program), FIPS 140-3, FIPS 203, FIPS 204, FIPS 205, ITAR (International Traffic in Arms Regulations), FISMA, CNSA 2.0

Contractors performing work in Cybersecurity, Cryptography, Cloud Services, IT Services, Systems Integration, and Defense support functions should assume heightened priority and scrutiny on PQC readiness.

Frequently Asked Questions

Q: What is OMB requiring contractors and agencies to do?

A: OMB requires agencies to finalize post-quantum cryptography (PQC) migration plans within 120 days and to execute an accelerated transition for high-impact systems and digital signatures, following a five-phase implementation timeline through 2035. Specific implementation details and enforcement approaches are pending source review as agencies publish guidance.

Q: Which systems have the nearest hard deadlines?

A: The Summary specifies accelerated deadlines for high-impact systems by December 2030 and for digital signatures by December 2031. For exact definitions of “high-impact” systems and scheduling for specific programs, pending source review.

Q: What immediate changes should contractors make to proposals and procurements?

A: Contractors should prioritize PQC upgrades in existing systems, require quantum-resistant encryption standards in third-party software purchases, update compliance matrices and statements of work to reflect PQC requirements, and re-evaluate technical approaches for programs handling sensitive data or high-value assets. Specific contract clause language and solicitation requirements are pending source review.

Definitions

• Post-Quantum Cryptography (PQC): Cryptographic algorithms and protocols intended to resist decryption by quantum computers; the target of the migration plans described in the memorandum.
• Digital signatures: Electronic signature algorithms and schemes used to validate authenticity and integrity of digital data; subject to an accelerated transition deadline in the memorandum.
• Five-phase implementation timeline: The memorandum’s structure for rolling out PQC transitions across agencies through 2035.

Intelligence Response

• Cabrillo Signals War Room — Already detected this event and delivered this briefing. Continuously monitors regulatory changes, contract vehicles, and policy shifts to surface PQC-related memoranda and agency guidance.
• Cabrillo Signals Match Engine — Will automatically rescore opportunity pipelines and backlog when PQC-related priorities shift contractability, capture attractiveness, or technical fit.
• Cabrillo Signals Intelligence Hub — Tracks the listed agencies, NAICS codes, and contract vehicles and maintains saved searches that alert capture teams when follow-on solicitations or policy updates appear on SAM.gov (System for Award Management).
• Proposal Studio (Proposal OS) — Use to update proposal content, incorporate PQC compliance matrices, and generate bid/no-bid recommendations tied to the new PQC timeline.
• Proposal Studio Workflow Tracker — Use the 9-gate capture workflow to route PQC compliance reviews, produce audit-ready documentation, and manage capture milestones against the 120‑day and December 2030/2031 deadlines.

Who to notify: CIO/CISO — technical impact and remediation; Capture Manager — bid strategy and rescoping; Program Managers — delivery and schedule implications; Contracts lead — procurement / clause updates; Security / Compliance lead — gap remediation against listed compliance regimes. Start with these roles immediately.

First 48-hour playbook

• Hour 0–4: Alert CIO/CISO, Capture Lead, Program Managers, and Contracts via secured internal channel; run a high-level inventory of systems handling sensitive data or high-value assets. Reference Secure Operations Guide (/insights/secure-operations-guide).
• Hour 4–12: Use Cabrillo Signals Intelligence Hub saved searches to surface active solicitations and in-flight awards that may be impacted; tag high-risk contracts in Proposal Studio.
• Hour 12–24: Convene capture and technical SMEs to classify systems by impact and map to the memorandum’s accelerated deadlines; begin drafting PQC language for procurement and subcontracting.
• Hour 24–48: Configure Match Engine rescoring rules to prioritize PQC opportunities and initiate Proposal Studio workflows to update compliance matrices and win themes; notify legal and contracts to prepare clause amendments.

Related reading: CMMC Compliance Guide (/insights/cmmc-compliance-guide) and CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide)