Migrating from Traditional Algorithms to Post-Quantum Cryptography: What Your Organization Needs to Know

Over the past several years, there has been a steady drumbeat of warnings about the impact of quantum computing on traditional encryption methods, with consistent calls for organizations – both within the federal government and across the private sector – to begin the work of migrating to post-quantum cryptography (PQC). While this issue is highly complex and technical, the high-level point is that quantum computers, which use “qubits” that perform mathematical algorithms “exponentially faster than a classical computer,”[1] will soon be capable of breaking traditional encryption methods that are used to protect data and systems. Experts’ estimates vary on when this threat to current encryption practices will be realized, though some estimate as soon as three to five years.[2] Migrating to PQC will help organizations continue to protect data and systems, even in the wake of quantum computing.

In this post, we will explore the magnitude and complexity of the transition to PQC confronting organizations and the guidance federal agencies are providing to help facilitate the transition within federal systems and beyond. Whether supplying a federal agency, manufacturing technology or software, providing services, or using encryption to secure data or other assets, organizations should be tracking guidance on this issue to understand and consider the range of best practices developing in real time for this transition; in the case of government contractors, it is key to understand the requirements regarding the timing of the transition.   

Key Federal Government Reports and Guidance on PQC

  • In 2018, the National Quantum Initiative Act was signed into law to ensure continued U.S. leadership in quantum information science and technology applications.
  • On May 4, 2022, the White House issued National Security Memo 10 (NSM 10) on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems, which “directed specific actions for agencies to take as the United States begins the multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography.”
  • In August 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the National Security Agency (NSA) jointly warned about the impact of quantum computing on traditional encryption methods. They urged organizations to begin migrating to PQC immediately, emphasizing that “cyber actors could target our nation’s most sensitive information now and leverage future quantum computing technology to break traditional non-quantum-resistant cryptographic algorithms” using a strategy known as “harvest now, decrypt later.” Further, the agencies stressed that vendors supplying critical infrastructure must prepare for a future where products, services, and protocols will need to be “updated, replaced, or significantly altered” to use quantum-resistant algorithms.
  • On August 13, 2024, NIST released three principal PQC standards, “which are mandatory for federal systems,”[3] and recommended other organizations “begin applying these standards now to migrate their systems to quantum-resistant cryptography.”[4] NIST is also working on backup and alternative algorithms.
  • Throughout 2025, NIST continued to urge organizations that have not started the migration to PQC to begin doing so immediately given the complexity of the transition and the need to minimize disruption to critical systems. NIST’s National Cybersecurity Center of Excellence (NCCoE) has an ongoing project on the Migration to Post-Quantum Cryptography.
  • The Trump Administration continues to identify quantum technology and research as a priority. On January 23, 2026, CISA released, and will update, Product Categories for Technologies That Use Post-Quantum Cryptography Standards – a list of categories of products typically acquired by the federal government where PQC-capable products are widely available. This list was required by Executive Order 14306, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity (issued June 6, 2025), and its purpose is to identify for federal agencies the categories of products where they should only acquire PQC-enabled products.
  • President Trump is also expected to issue an Executive action on quantum technology increasing the urgency around the transition from traditional algorithms to PQC. The Executive action is expected to provide further directives to federal agencies on the migration of hardware, software, and services to PQC.

PQC Transition Plans and Deadlines for Federal Systems

NSM 10 establishes 2035 as the target date for widespread adoption of PQC across federal systems. In NISTIR 8547, Transition to Post-Quantum Cryptography Standards, NIST provides the plan for federal agencies to transition from quantum-vulnerable algorithms to the FIPS PQC standards, consistent with NSM 10. 

For civilian networks, under NISTIR 8547 the deadlines are:

  • 2031: Quantum vulnerable algorithms with 112-bit security strength are deprecated for federal systems. Deprecated algorithms at the 112-bit security level may be used by federal systems as they migrate to PQC.
  • 2035: Quantum vulnerable algorithms with greater than 128-bit security are disallowed after 2035 for federal systems and required to transition to PQC.

For National Security Systems (NSS), the following transition plans and deadlines are determined by the Committee on National Security Systems Policy 15, Use of Public Standards for Secure Information Sharing (CNSSP 15), and the NSA Commercial National Security Algorithm Suite 2.0 (CNSA 2.0).

  • 2025: Certain NSS currently validated against a National Information Assurance Partnership or Commercial Solutions for Classified profile must have transitioned by December 31, 2025.
  • 2027: All new acquisitions for NSS are required to use NSA-approved quantum resistant algorithms pursuant to CNSSP 15.
  • 2035: All NSS are required to be quantum-resistant by 2035 per NSM 10.

For both NSS and other Department of War (DoW) systems and devices, the following deadlines are provided by the DoW Chief Information Officer (CIO) Memorandum entitled Preparing for Migration to Post Quantum Cryptography dated November 20, 2025 (“November 20 Memorandum”):

  • 2030: Symmetric keys shall be phased out and replaced no later than December 31, 2030.
  • 2030: Pre-shared keys shall be phased out and replaced with NIST-approved asymmetric PQC algorithms no later than December 31, 2030.

Some of these deadlines are accompanied by specific exceptions. To comply with these deadlines, organizations need quantum-safe compatible hardware, software, and firmware that has been developed, tested, certified, and integrated into technology infrastructures, a process that, NIST notes, has taken 10 to 20 years in past cryptographic transitions. Further, the PQC transition will be larger in scale than previous transitions involving a single public-key algorithm because all cryptographic algorithms must be replaced.

Of note, the Office of Management and Budget (OMB) is working on a memorandum under the Quantum Computing Cybersecurity Preparedness Act to provide direction to agencies on transition timing and migration of IT to PQC. Currently agencies are required to submit a prioritized inventory of information systems and assets, excluding NSS, that contain cryptographic systems vulnerable to a quantum computer to OMB and CISA on an annual basis. In the November 20 Memorandum, the DoW CIO announced upcoming plans to release a DoW PQC Strategy and DoW-wide task to identify, inventory, and report all cryptography used in systems.

Key Federal Transition Steps

Cryptographic Inventory. To prepare for quantum threats, NIST’s guidance holds that federal agencies and other organizations should begin by identifying where cryptography is used across their systems. NISTIR 8547 emphasizes that understanding current cryptographic use through a cryptographic inventory is essential for effective planning. CISA, NSA, and NIST joint guidance on quantum readiness recommends correlating cryptographic inventories with inventories available through existing programs and policies. NIST recommends that organizations assess risk exposure and prioritize updates to sensitive systems, data, and other assets. NIST also developed a crypto agility maturity model based on the NIST Cybersecurity Framework 2.0 to assist organizations in the continuous measurement of progress in adopting crypto agility (discussed below) across their environments.

Cryptographic Roadmap. CISA, NSA, and NIST joint guidance recommends, as a best practice, that “organizations – especially those that support critical infrastructure” develop a migration roadmap to plan and scope the transition to PQC. The roadmap should first target the systems and protocols protecting critical processes and sensitive and critical assets with quantum vulnerable algorithms.

Crypto Agility. NIST recommends suppliers build crypto agility into new systems and assets, and procuring organizations should require crypto agility when they buy new technology. NIST defines crypto agility as “the capabilities needed to replace and adapt cryptographic algorithms in protocols, applications, software, hardware, firmware, and infrastructures while preserving security and ongoing operations.” Enhancing crypto agility across systems and supply chains will be critical to managing evolving threats and ensuring long-term resilience during cryptographic transitions. Organizations will need to coordinate with vendors to ensure alignment on crypto agility given the variety of differing approaches based on sectoral, organizational, and technical context.

Government Contractors’ Role in the Federal Transition

The federal transition plan outlined in NSM 10 and by NIST also impacts government contractors that provide services and capabilities that must adhere to FIPS standards. Government contractors supplying or operating NSS are required to implement the NIST-approved quantum resistant algorithms – ML-KEM and ML-DSA, described by NIST in FIPS 203 and 204 – in the NSS by 2031 under the CNSA Suite 2.0, as explained in the related CNSA 2.0 Quantum Computing FAQ. The FAQ serves as “recommended guidance for the Department of Defense … and Defense Industrial Base.”

To comply with these deadlines, government contractors will need to integrate PQC into the products and services they provide to federal agencies for NSS, a process that is complex and time consuming.  

The Cybersecurity Branch Director for OMB noted in the Fall of 2025 that for the transition to PQC on the agency side, the “responsibility means ensuring that when contracts are drafted, assurances are included to avoid needing a complete overhaul of systems when they become outdated.”  

Additional resources for government contractors are available from the U.S. General Services Administration (GSA), including its Post-Quantum Cryptography Buyer’s Guide, which offers practical steps for agencies and contractors to assess cryptographic systems, plan migrations, and procure quantum-safe solutions for NSS. Contractors also may be able to leverage GSA acquisition vehicles like Highly Adaptive Cybersecurity Services (HACS) to access vetted cybersecurity services.

To date, the government has not issued broad requirements for contractors to implement PQC on their internal information systems, although agencies may impose contract-specific requirements for systems handling certain types of sensitive information. In addition, NIST 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which likely will apply to Cybersecurity Maturity Model Certification (CMMC) for DoW contractors in the future, requires organizations to implement encryption “in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.” Based on that language, if the forthcoming Executive action or other Administration initiatives seek to apply PQC to contractors’ information systems, contractors could be required to do so without modifications to their existing contracts if those contracts already require compliance with NIST 800-171 Rev. 3 via CMMC or other contract clauses. 

Important Considerations for Critical Infrastructure Owners and Operators and Other Private Sector Organizations

While NSM 10 and the NIST guidance are focused on federal systems, the guidance indirectly impacts the private sector, as NIST intends for it to be used on a voluntary basis to “inform the efforts and timelines of … industry, standards organizations [and other nonfederal organizations] for migrating information technology products, services, and infrastructure to PQC.” 

There are a number of considerations and best practices for non-federal organizations to evaluate as they address this looming risk.

  • The transition to PQC is complex and will require time and resources. Further, different sectors across critical infrastructure and the broader private sector will face unique sector-specific challenges during this transition. There will be no one-size-fits-all playbook for the transition, but companies should consider their own unique context and risk profile when adopting and implementing guidance and best practices about PQC migration.
  • Many industries are subject to federal and state regulatory requirements or industry standards regarding the use of encryption. Companies in these industries should be particularly mindful of their transition timeline and any PQC-related requirements that may arise.
  • Companies should monitor and be prepared for other drivers of the PQC migration, including through potential requirements in cybersecurity insurance policies.
  • As with security measures generally, companies should consider the relative sensitivity of data/systems when prioritizing PQC migration efforts, with a focus on sensitive data and data that has a “long shelf life” to best protect against the threat of harvest now, decrypt later techniques from bad actors.
  • Organizations rely on vendors for hardware, firmware, operating systems, and software components, and each has its own cryptographic dependencies. Generally speaking, vendor readiness for the PQC transition varies. Companies should understand how vendors in their supply chain are planning for the migration to PQC and the implementation of crypto agility, and should begin including contractual requirements for PQC and crypto agility where appropriate.
  • For many sectors, the transition will necessitate infrastructure upgrades and adjustments to procurement and supply chain strategies to support crypto agility and long-term interoperability. These challenges may make complying with rigid deadlines for the transition difficult.

***

Wiley’s Privacy, Cyber & Data Governance and Government Contracts teams stand ready to advise companies on the transition to PQC and evolving federal requirements and guidance.

[1] NSA, CNSA Suite 2.0 and Quantum Computing FAQ, Ver. 2.1 at 2 (Dec. 2024).

[2] Emily Harding, Director at the Intelligence, National Security, and Technology Program at the Center for Strategic and International Studies and Kemba Walden, President of the Paladin Institute and former National Cyber Director agreed on this timeline during an Oct. 1, 2025 Politico panel on the topic.

[3] According to NIST, “[t]hese standards specify key establishment and digital signature schemes designed to resist future attacks by quantum computers.” The standards are Federal Information Processing Standards (FIPS) 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM); FIPS 204, Module-Lattice-Based Digital Signature Standard (ML-DSA); and FIPS 205, Stateless Hash-Based Digital Signature Standard.

[4] NIST Post-Quantum Cryptography.
