
Post-quantum cryptography: A federal modernization moment


Three Points to Remember
  1. Post-quantum cryptography is not a future problem — adversaries are already harvesting encrypted data today to decrypt later.
  2. PQC transition is an architectural challenge: cryptography underpins public key infrastructure (PKI), Transport Layer Security (TLS), virtual private networks (VPNs), identity systems and software trust across federal IT.
  3. Agencies that build cryptographic visibility and agility now will be better positioned to adapt as quantum-resistant standards evolve.

 


For decades, modern encryption has quietly underpinned nearly every federal mission system. It protects sensitive citizen data, secures interagency communications, validates software updates and anchors digital identity. It works so seamlessly that it’s often invisible – until it isn’t. 

Post-quantum cryptography (PQC) changes that dynamic – not because today’s systems are failing, but because the mathematical assumptions behind much of today’s public-key encryption will not hold indefinitely in a world of sufficiently capable quantum computing. As that capability evolves, so must the cryptographic standards that protect mission-critical systems.    

For federal agencies, this is a moment for strategic foresight and deliberate action.

Why post-quantum cryptography matters for federal civilian agencies

The cryptographic algorithms widely used today, such as the Rivest-Shamir-Adleman (RSA) algorithm and elliptic curve cryptography, derive their strength from mathematical problems that are extraordinarily difficult for classical computers to solve. Quantum algorithms, most notably Shor’s algorithm, demonstrate that those problems could be solved dramatically faster on a large-scale, fault-tolerant quantum computer. 

Such machines are not yet operational at the scale required to break modern encryption. Even so, adversaries are already operating under a “harvest now, decrypt later” model, stockpiling encrypted data now with the expectation that they may be able to decrypt it in the future. Meanwhile, federal agencies manage data with confidentiality requirements measured in decades. Retirement records, healthcare data, tax information, sensitive research and highly classified defense and intelligence data often outlive the technology that first secured them.

With long-term data protection mechanisms facing a credible near-term threat, there is a strong impetus for federal agencies to begin adopting quantum-resistant algorithms immediately.  

Quantum-resistant encryption is more than an algorithm upgrade

As NIST advances post-quantum cryptography standards, agencies are recognizing a broader reality: asymmetric cryptography is deeply embedded across enterprise environments. 

Public-key mechanisms anchor:

  • Public key infrastructure (PKI) hierarchies
  • Transport Layer Security (TLS) secured web traffic
  • Virtual private network (VPN) gateways
  • Code signing and software integrity validation
  • Identity and access management systems
  • Firmware authentication and device trust

Unlike previous cryptographic transitions, such as retiring the Secure Hash Algorithm 1 (SHA-1) or older TLS protocols, PQC affects the mathematical foundation of trust across the enterprise.

For federal CIOs and CISOs, this elevates the issue from a technical update to an architectural modernization effort. 

The hidden challenge: Cryptographic visibility across federal IT environments

One of the most practical obstacles in post-quantum migration is visibility.

Across many federal environments, cryptographic functions are buried beneath layers of applications, embedded in third-party components or integrated into legacy systems deployed years, or even decades, ago. Documentation is often incomplete. Vendor implementations vary. Custom-developed applications may rely on hard-coded or outdated libraries.

This complexity is not an anomaly; it reflects the cumulative, layered evolution of federal IT environments over time.

However, it does mean that quantum-resistant encryption planning must begin with a clear understanding of where and how cryptography operates across the enterprise. Without that visibility, sequencing and prioritization become guesswork.

Aligning post-quantum migration with federal IT modernization initiatives

Federal civilian agencies are already executing major transformation efforts, including zero trust architecture implementation, cloud migration, secure software development mandates and supply chain risk management enhancements. 

Post-quantum cryptography intersects with — and should be embedded within — these broader transformation efforts. Identity architectures, certificate management systems, DevSecOps pipelines and software supply chains will all be touched by the transition to quantum-resistant standards. Treated in isolation, PQC can create friction. Aligned strategically, it can reinforce existing modernization investments.

Seen in this context, post-quantum cryptography is not a standalone compliance requirement. It is part of a broader cryptographic modernization cycle within federal IT. 

Building cryptographic agility for long-term federal resilience

The transition to post-quantum cryptography is unlikely to be the last major cryptographic evolution federal agencies will face. This makes cryptographic agility, a system’s ability to adapt to new algorithms without large-scale disruption, an enduring capability objective. Agencies that design systems, procurement strategies and governance models with algorithm flexibility in mind will be better positioned for future change, whether driven by quantum advancements or other cryptographic developments.

For federal civilian agencies, the conversation has moved beyond “if” and “when” toward “how”:

  • How should agencies assess their cryptographic footprint?
  • How should they prioritize systems based on mission impact and data longevity?
  • How can modernization cycles be aligned with emerging standards while maintaining interoperability and mission continuity?

These are strategic planning questions grounded in enterprise architecture, lifecycle management and long-term resilience.

Post-quantum cryptography represents a rare inflection point — an opportunity to deliberately reinforce the foundations of digital trust across federal systems. Approached with intention, it can help strengthen governance, improve cryptographic visibility and support mission continuity for decades to come.

The transition will unfold over years, not months. But the architectural decisions that will define its success begin now.

Post-quantum readiness is less about predicting “Q-Day” and more about building durable cryptographic agility into enterprise architecture. To learn more about how Leidos has approached its post-quantum cryptography migration, read the white paper.

 


Author
Leidos Editorial Team

The Leidos Editorial Team consists of communications and marketing employees, contributing partner organizations, and dedicated freelance designers, editors, and writers. 

Posted

March 27, 2026
