Alison King, the vice president of government affairs at Forescout, explains how agencies can take a structured approach to moving to post-quantum cryptography.
The next major shift in federal cybersecurity is already underway: preparing for the impact of quantum computing on today’s encryption.
Across government, there is broad recognition that current cryptographic standards will not hold indefinitely. In recent years, the core question has never been if quantum computing will disrupt today’s encryption, but how soon. The timeline continues to accelerate and compress, with companies like Google updating its own deadline for migrating systems to post-quantum cryptography (PQC) to 2029 as recently as March.
Recent executive momentum reflects that accelerating reality. Building on National Security Memorandum 10, the federal approach has moved from standards and planning toward execution, signaling that PQC readiness is no longer a future-state discussion but an immediate operational requirement.
The stakes are clear and uniquely high in the public sector. This is not a simple patching exercise. Agencies will need to identify, prioritize, and replace cryptographic dependencies — the encryption tools and protections built into their systems to secure data and communications — across all systems. They also must then confirm the new protections are working correctly. This process will be applied to systems that may have been built over decades and that often support mission-critical operations, making this a complex undertaking that demands precision and thorough validation.
Earn CPE credit: The latest webinar from the Billington CyberSecurity Cyber and AI Outlook Series will focus on the real-world risks facing AI deployments across the federal landscape. Register now!
What happens next will depend on how effectively agencies translate urgency into coordinated action.
Zero trust offers a recent, instructive example, as it generated real momentum at the policy level. Agencies adopted language, strategies were written, and leadership signaled commitment. But while it established a strong policy foundation and clear direction, implementation didn’t necessarily translate evenly across agency environments. Some advanced key elements quickly, while others progressed more gradually as they worked through resource, prioritization and coordination challenges.
The risk with quantum readiness is nearly identical, as there’s no shortage of agreement that quantum computing will break today’s encryption. What’s less clear is whether agencies are building the internal frameworks to act on that agreement in a coordinated way. If not, “quantum ready” will become another umbrella term that’s widely endorsed but inconsistently defined.
Clear ownership, shared definitions and sequencing matter. Building on recent federal direction including executive actions that emphasize inventory and accelerated implementation, agencies can take a structured approach:
Prioritization depends on visibility. A clear view of where vulnerable cryptography exists is the starting point for any PQC effort.
That includes legacy systems, embedded devices and external dependencies that may not be fully accounted for in existing inventories.
Without that visibility, prioritization becomes guesswork. Teams may focus on highly visible systems while less obvious risks remain unaddressed. Over time, those blind spots can become points of exposure.
Sign up for our daily newsletter so you never miss a beat on all things federal
A comprehensive cryptographic inventory is the starting point, providing the foundation for execution. It allows agencies to identify risk, sequence remediation and align efforts across teams based on a shared understanding of their environment.
Even with visibility, execution does not happen automatically.
PQC readiness cuts across technical, operational and acquisition functions. Security teams may understand the risk, but procurement cycles, budget timelines and competing priorities can slow progress if they are not aligned from the outset.
Recent federal direction calls for phased migration but translating that guidance into measurable progress requires coordination across leadership, engineering and acquisition teams. That progress also needs to be measured. Agencies should define concrete milestones for inventory, prioritization, remediation and validation, then track progress against those milestones over time. Agencies need a dedicated senior leader in charge of driving alignment, tracking progress and ensuring that quantum readiness is implemented consistently across the full team.
Simply put, quantum readiness must be agencywide in mindset, even if implementation is phased over time.
While the path forward is increasingly well defined from a policy standpoint, implementing a transition to quantum-resistant cryptography at scale requires sustained investment across funding, workforce expertise and program management. Many agencies are still working to define cost estimates, build internal capabilities and align resources with long-term transition plans.
Without that foundation, progress can become uneven. Teams may understand what needs to happen but lack the resources to move at the pace required.
Ensuring consistent execution will depend on aligning funding, staffing and oversight with the urgency of the transition so that efforts can scale across systems and agencies, rather than advancing in isolated pockets.
Without that alignment, even well-established priorities can slow under operational pressure. Accelerated timelines increase urgency, but they also increase the need for resources, coordination and oversight to ensure consistent progress across agencies.
Read more: Commentary
The focus on execution is clear. The challenge now is ensuring agencies have the capacity to deliver on it. Otherwise, even well-defined priorities risk becoming, in practice, an unfunded mandate.
The direction is clear: Federal agencies understand the risk, and policy has established a strong foundation for moving forward.
What comes next is execution, which requires sustained alignment between the chief information officer and chief financial officer across fiscal years.
That means translating urgency into coordinated action across systems, teams and timelines. It means establishing visibility, aligning ownership and ensuring that resources match the scale of the transition ahead.
Agencies that approach PQC readiness as a teamwide effort, integrated into modernization, procurement and risk management, will be best positioned to make steady, measurable progress. Agencies should treat PQC readiness not as a compliance exercise, but as a modernization imperative tied directly to the integrity of mission-critical systems and long-lived data.
The challenge has moved beyond defining the path forward. Now, it’s time to move along that path — consistently, at scale and with the capacity to sustain it over time.
Alison King is the vice president of government affairs at Forescout.
Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Leave a Reply