OMB issues instructions for agency migration to quantum-proof encryption

da-kuk/Getty Images

Featured eBooks
Efficiency, After a Year of DOGE
Read Now

CDM

Read Now

Future-Ready Workforce

Read Now
Insights & Reports
AI Triage for Lawful Intelligence: Maximizing Data Value at Scale
Presented By SS8
Download Now
From alert chaos to site reliability excellence
Presented By Cribl
Download Now
Alexandra Kelley By Alexandra Kelley,
Staff Correspondent, Nextgov/FCW

By Alexandra Kelley

|

Agencies are expected to undertake two actions in service of enhanced security: execute a phased migration of cryptographic systems to prepare for quantum computing risk; and submit a PQC migration plan to OMB.

The Office of Management and Budget issued a memorandum to federal agencies on Wednesday outlining the steps they need to take to migrate select government systems to post-quantum cryptography, or PQC, an encryption standard intended to withstand the anticipated code-breaking capacity of a fault-tolerant quantum computer.

The memo expands on requirements outlined in President Donald Trump’s June 22 executive order on government PQC migration. The guidance has been in the works for approximately a year, with a draft version first reported in July 2025 by Nextgov/FCW

Multiple aspects from the draft memo made it into the final version, such as requirements for federal agencies to conduct inventories of their digital networks. The final version placed priority on migrating legacy systems and high-value assets.

Wednesday's final guidance also requires agencies to report their inventorying efforts as a part of required PQC migration plans. These plans must be delivered to OMB and the Office of the National Cyber Director within 120 days of the memo being published. In keeping with the draft, these timelines are intended to be phased, spanning efforts to plan, discover, pilot and eventually fully migrate digital networks to PQC. 

The memo also instructs agencies to ensure that their vendor-supplied software meets PQC requirements by referencing the Cybersecurity and Infrastructure Security Agency’s “Product Categories for Technologies That Use Post-Quantum Cryptography Standards” lists. 

While vendors are not explicitly required to submit PQC migration timelines like agencies are, agency program offices will need to ensure that their requirements for software vendors include PQC-readiness and cryptographic agility. Agency migration plans must also include an individual protocol for “third-party coordination.” 

Automation remains central to inventory and migration management.

“Given the scale and complexity of Federal IT environments, manual approaches to discovery and management of cryptography are often insufficient,” the memo reads. “Agencies should use automation when feasible and appropriate to achieve a comprehensive and continuously updated understanding of their cryptographic posture.”

Agencies have until 2035 to reach the full migration phase of their PQC transition.

NEXT STORY: Senator plans to propose quantum initiative reauthorization as part of NDAA