Close

New Research from CDW on Workplace Friction

Learn how IT leaders are working to build a frictionless enterprise.

Jul 08 2026
Security

A Guide to Quantum Key Distribution for the Federal Government

QKD offers a fundamentally different approach to securing communications, but cost, infrastructure and scalability challenges limit its federal adoption.

Preparing for the post-quantum era requires that federal agencies navigate a quantum security landscape that is far less unified than it often appears, with post-quantum cryptography (PQC) emerging as the primary strategy for protecting data from future quantum computing threats.

The National Institute of Standards and Technology (NIST) has standardized several post-quantum algorithms, the National Security Agency (NSA) has established migration timelines and agencies across government are itemizing cryptographic assets in preparation for a long-term transition.

Quantum key distribution (QKD), however, occupies a more uncertain position. The technology uses the principles of quantum mechanics to securely exchange encryption keys and detect potential interception attempts. Its promise has attracted interest from researchers, telecommunications providers and some highly regulated industries, but federal cybersecurity leaders remain focused primarily on PQC.

GET SECURE: Learn how federal agencies can boost security against threats.

In an emailed statement, a Cybersecurity and Infrastructure Security Agency spokesperson said the agency acknowledges the possibilities of QKD while continuing to prioritize post-quantum migration efforts.

“While we are currently focused on the migration to PQC, we are dedicated to advancing the understanding of this emerging field as well as the potential use cases and benefits,” the spokesperson said.

The Trump administration recently reinforced quantum technology as a national priority through an executive order directing agencies to advance quantum computing, networking and related technologies while assessing the security implications of increasingly powerful commercial quantum systems.

What Is Quantum Key Distribution?

Unlike traditional public-key cryptography, QKD is not designed to encrypt data directly. Instead, it provides a mechanism for securely distributing encryption keys between two endpoints.

“Quantum key distribution is something that can be done today,” says Sandy Carielli, principal analyst at Forrester.

In conventional cryptographic systems, symmetric keys are typically exchanged using public-key algorithms such as RSA or elliptic curve cryptography. Those algorithms are widely believed to be vulnerable to sufficiently powerful quantum computers. QKD takes a different approach.

“QKD is using fiber optics and quantum physics to pass key and key material between two particular points,” Carielli says. “Rather than use public key algorithms to share key material, you’re dealing with sending the information over fiber optics.”

The technology’s appeal stems from its ability to establish shared secrets without relying on the mathematical assumptions that underpin today’s public-key cryptography.

Click the banner below for cybersecurity strategy, assessments and program development.

 

How QKD Detects Eavesdropping

Most QKD systems are based on the BB84 protocol, developed in 1984, which uses quantum states to exchange encryption keys and reveal potential interception attempts.

Because measuring a quantum state alters it, any attempt to intercept the key exchange introduces detectable errors. In theory, that allows communicating parties to determine whether a transmission has been compromised.

The concept has made QKD attractive to organizations concerned about long-term data confidentiality and the possibility of future quantum-enabled attacks.

Why Some Federal Agencies Are Interested in QKD

Much of the federal discussion around quantum security centers on , in which adversaries collect encrypted information today with the expectation that future quantum computers may eventually break existing encryption schemes.

Andrew Benhase, principal cyber architect at Cisco, says organizations are looking for ways to reduce that risk even before full post-quantum deployments become available.

“The concept of operations is that we want to reset the mathematical problem for an adversary on a consistent basis,” Benhase says. “If there is a harvest now, decrypt later scenario, we reset the math problem every 48 hours.”

For certain highly sensitive communications links, QKD’s ability to securely distribute encryption keys can be appealing.

“I could imagine it would be of interest if you had two high-security data centers with a single pipe between them,” Carielli says.

Those types of point-to-point environments align closely with the use cases QKD was originally designed to address.

DISCOVER: Get zero-trust architecture right for security and governance.

Why PQC Remains the Primary Federal Path

Although QKD generates considerable interest, federal guidance continues to point overwhelmingly toward the transition to PQC.

Britta Hale, director of post-quantum cryptography at the Department of Defense Chief Information Office, explains that the department does not currently allow the use QKD or similar technologies for key distribution, confidentiality, authenticity or integrity purposes.

“QKD is a physics-based technology used to transport short data strings — like cryptographic keys — but does not meet our security requirements as a stand-alone technology for key distribution,” Hale says.

She adds that as a technology, QKD may have other transport uses outside of key distribution that are still being explored.

“To safeguard Department of War systems against both current and future quantum threats, we are focused entirely on PQC for key distribution, confidentiality, authenticity and integrity,” she says.

Hale points to the department’s recently released Post-Quantum Cryptography Strategy, which outlines its five-pillar roadmap to establish PQC as a secure foundation for the quantum era.

Benhase says he has encountered similar signals from federal officials.

“Their position is that they would like to move wholesale to post-quantum cryptography,” he says, referring to the NSA’s approach.

The preference is largely driven by practicality. Post-quantum cryptography can be implemented across internet traffic, cloud environments, enterprise applications and countless other systems without requiring specialized communications infrastructure.

“QKD is a very specific use case,” Carielli says. “It’s fairly limited, and it has cost to it, and it is to some extent unproven except for some smaller proofs of concept.”

By contrast, NIST-approved post-quantum algorithms have undergone years of public review and cryptographic analysis.

“The post-quantum algorithms have been through a pretty rigorous review,” Carielli says. “It doesn’t require special equipment.”

The QKD Infrastructure Challenge

As Carielli notes, the biggest obstacle to widespread QKD adoption may be neither security nor policy but infrastructure.

Unlike software-based cryptographic upgrades, QKD deployments require dedicated communications links and specialized hardware at both ends of a connection.

“You need a system on one end, a system on the other end, you need the communications mechanism,” Carielli says. “For fiber-optic cable, you might need repeaters in the middle to keep the signal strong enough.”

Distance creates additional challenges, particularly for agencies operating geographically dispersed networks. Those physical constraints can be difficult to justify when alternative post-quantum options are available.

Where QKD Fits in a Federal Strategy

For most federal IT leaders, the immediate challenge is less about selecting QKD and more about preparing infrastructure for the broader quantum transition.

“It starts with a spreadsheet,” Benhase says, noting that agencies must understand what systems they have, which products support emerging quantum-resistant technologies and what infrastructure will eventually need to be replaced.

Carielli says she recommends a similar approach.

“You have to understand your infrastructure and your ecosystem, do that cryptographic inventory, and then really ask yourself what’s highest-priority,” she says.

For most agencies, that process will lead directly toward NIST-approved post-quantum cryptography. For a small number of highly specialized environments, QKD may eventually become part of the conversation.

“I think you can ask about it and explore it,” Carielli says. “But you have to go in understanding the limitations.”

da-kuk/Getty Images