Quantum threats are already here: 5 steps federal agencies should take now
Quantum computing will soon break today’s encryption methods. When it does, what once took billions of years will take hours.
The risk isn’t just about the future, it’s already underway.
Adversaries are actively collecting encrypted data with the expectation they can decrypt it as technology advances, exposing sensitive information, revealing how agencies operate and creating new opportunities to exploit the systems people rely on every day. For federal agencies, that makes quantum readiness a current mission issue, not a theoretical one.
As post-quantum cryptography (PQC) standards begin to take shape, driven in part by efforts like the NIST Post-Quantum Cryptography Consortium, where Leidos is actively contributing, agencies must begin translating awareness into action.
That shift, and what it looks like in practice, was the focus of a recent FedInsider webinar, where government and industry experts, including Leidos’ Joe Kovba, discussed what PQC means for federal systems.
As PQC evolves, agencies should begin preparing now. Here are five steps to get started.
- Know where you rely on encryption
You can’t protect what you can’t see. Agencies need a clear picture of where encryption is embedded across networks, applications, endpoints and cloud environments. Gaps in visibility quickly become gaps in protection, especially when planning for cryptographic transitions at scale. Protect what matters most first
Not all systems can be modernized at once. Focus first on mission-critical systems and data with long life cycles — information that must remain secure for decades. Retirement records, healthcare data, tax information and classified intelligence are especially vulnerable to future decryption.Kovba, senior director for technology transition, noted that agencies can also look at where they are applying AI to help readily identify high-value datasets and shortcut a potentially lengthy prioritization process.
Build systems that can adapt
Encryption standards will continue to evolve. Systems should be designed to evolve with them. As Kovba noted, post-quantum algorithms are “believed, not proven” to be secure from attack, and agencies are “always one mathematical breakthrough away” from having to redeploy their cryptography again.That’s why cryptographic agility — the ability to update cryptographic algorithms without overhauling entire systems — will be essential. This applies not only to data protection, but also to identities, access controls and digital signatures that underpin trust across environments.
- Make vendors part of the solution
Today’s procurement decisions shape tomorrow’s risk posture. Agencies should set clear expectations for quantum-resistant standards in vendor requirements and contracts. - Move now, incrementally
Quantum readiness is not a single upgrade. It’s a phased transformation. Start with targeted pilots, assign ownership and build momentum over time. As Kovba put it, “Get started! Have no fear, draw a line in the sand and take action.”
The future of encryption is changing faster than you think
Quantum risk doesn’t start the day a new computer comes online; it’s already here.
While standards continue to mature, the direction is clear. Agencies are moving from awareness to action, but many are still early in the journey. They will need partners who can translate standards into real-world systems across complex environments.
Preparing for a post-quantum future is not just a cybersecurity upgrade. It is a strategic modernization effort that can help agencies reduce long-term risk, protect sensitive data and sustain mission continuity.
Agencies that act now will be better positioned to stay secure as the future arrives.
