The Office of Management and Budget (OMB) has issued government-wide guidance directing federal agencies to accelerate their migration to post-quantum cryptography (PQC), requiring agencies to prioritize their most critical systems and submit detailed migration plans within 120 days.
The June 24 memorandum implements President Donald Trump’s June 22 executive order on securing the nation against advanced cryptographic attacks.
The guidance excludes national security systems. Federal agencies are instructed to mitigate “as much quantum risk as feasible” by Dec. 31, 2030.
“Strong cryptography has enabled the United States Government to protect Federal information, securely deliver critical services to the American people, and guard against cyber-enabled fraud,” OMB Director Russell Vought wrote in the memo. “The Trump-Vance Administration has made support of strong cryptography throughout the Government and private sector a priority.”
The guidance reflects growing concern that future cryptographically relevant quantum computers could eventually break many of today’s widely deployed public-key encryption algorithms.
While such computers are not yet known to exist, OMB said advances in quantum computing could make current encryption vulnerable within the next decade, requiring agencies to begin transitioning now to National Institute of Standards and Technology (NIST)-approved post-quantum cryptographic algorithms.
In August 2024, NIST unveiled its first set of encryption algorithms designed to withstand cyberattacks from a quantum computer, which agencies can implement immediately.
OMB directed agencies to prioritize the migration of high impact systems, high value assets, and any other systems containing highly sensitive information or deemed particularly vulnerable to quantum-enabled attacks.
Agencies are also instructed to establish governance structures that extend responsibility beyond chief information officers and chief information security officers to agency leadership more broadly.
Each agency must submit a PQC migration plan to OMB and the Office of the National Cyber Director within 120 days. Plans must include a risk-based system prioritization strategy, migration milestones, funding and staffing estimates, governance responsibilities, third-party coordination plans, and strategies for achieving cryptographic agility.
The memo also outlines a phased government-wide migration schedule beginning with planning and system inventories in 2026 and 2027, followed by pilot deployments and prioritized migration of key establishment functions through 2030.
Then, OMB said agencies should migrate digital signatures in 2031 and fully migrate remaining systems by 2035.
OMB also instructed agencies to integrate PQC requirements into cloud modernization efforts, hardware refresh cycles, and software development processes rather than treating quantum migration as a standalone initiative.
“Systems incapable of supporting PQC or hybrid cryptography must be identified and given priority for replacement or decommissioning,” Vought wrote.
Within 60 days, OMB said the General Services Administration will establish an interagency working group on modernizing Federal Identity, Credential, and Access Management to support PQC.
The memorandum encourages agencies to expand the use of automation to identify cryptographic assets, monitor compliance, and maintain continuously updated inventories. It also calls on agencies to coordinate with vendors, cloud service providers, the Cybersecurity and Infrastructure Security Agency, and NIST to support implementation and ensure commercial technologies incorporate post-quantum cryptography capabilities.
OMB said it will continue working with the Office of the National Cyber Director, NIST, and the Cybersecurity and Infrastructure Security Agency to monitor agency progress and issue additional guidance as needed.