Close

New Research from CDW on Workplace Friction

Learn how IT leaders are working to build a frictionless enterprise.

Jul 10 2026
Security

Why Federal Agencies Can’t Wait on Post-Quantum Cryptography

Leaders at the AWS Summit in Washington urged agencies to start migrating to PQC now.

Two White House executive orders turned the federal post-quantum cryptography (PQC) timeline into a compliance schedule on June 22. The orders direct high-value federal systems to move to National Institute of Standards and Technology (NIST) standards by 2030.

Eight days later, Amazon Web Services and hardware partner QuEra laid out a plan to bring fault-tolerant quantum computing to the cloud by 2028 at the AWS Summit Washington, D.C.

Click the banner below to read CDW’s latest white paper on building a secure customer experience.

 

AWS and QuEra Announce PQC Partnership

AWS rarely pre-announces hardware, but it did here for a reason: Eric Kessler, a senior manager for applied science at AWS, told the Washington audience the company will put QuEra's Libra processor on Amazon Braket by 2028, supporting up to one million operations across hundreds of logical qubits — the point at which quantum computers cross from studying themselves to running the first useful scientific workloads. Kessler said AWS made the announcement early so customers could “engage early” and be “run ready” when the device arrives.

The same error-correction advances that make useful science possible also move a cryptographically relevant quantum computer — one that can break two of the leading cryptography algorithms — from “someday” to “this decade.”

Kessler said the industry can now “see the trajectories” to large-scale algorithms, and that before the end of the decade “we will likely see devices that could get into the realm of becoming cryptographically relevant.”

A credible 2028 fault-tolerant machine shortens every agency’s timeline to transition to post-quantum cryptography.

The Orders That Set the Quantum Clock in Motion

QuEra co-founder Nathan Gemelke flagged the shift from the event stage: “If you were reading the news last week, there were two executive orders that came out of the White House regarding quantum.”

Executive Order 14412, “Securing the Nation Against Advanced Cryptographic Attacks,” accelerates federal PQC migration; Executive Order 14413, “Ushering in the Next Frontier of Quantum Innovation,” launches a national push to build a discovery-scale quantum computer.

Some key changes in the executive orders include:

  • Agencies must transition high-value assets and high-impact systems to PQC for key establishment by Dec. 31, 2030, and for digital signatures by Dec. 31, 2031.
  • Each agency head has 30 days to name a PQC migration lead reporting to the CIO.
  • These dates land materially ahead of the previous 2035 target set under the prior National Security Memorandum 10.

The mandate reaches contractors, not just agencies. The order directs the FAR Council to propose a rule requiring covered contractors to comply with NIST’s FIPS — including PQC algorithms — by Dec. 31, 2030. It also directs NIST to run a PQC migration pilot, to be completed by the end of 2027.

ACCOMPLISH THE MISSION: Modernize your agency’s IT inrastructure.

The NIST Standards are Ready — and Already in the Cloud

The algorithms agencies must adopt are already finalized. NIST published its first three post-quantum standards in August 2024 — FIPS 203 (ML-KEM, key encapsulation), FIPS 204 (ML-DSA, signatures), and FIPS 205 (SLH-DSA). NIST’s guidance is blunt: Start integrating now, because “full integration will take time.”

The migration path exists in production today. AWS has deployed the NIST standards across core services: AWS Key Management Service, Amazon S3 and CloudFront use hybrid ML-KEM key exchange to blunt “harvest now, decrypt later” attacks, and KMS and Private Certificate Authority support ML-DSA signatures. For agencies, the near-term work is inventory and prioritization, not waiting on tooling.

“Our customers already today can upgrade the encryption within AWS to the latest protocols that we believe to be quantum-safe,” Kessler said. “And we have published a public roadmap where we support how that migration toward a quantum-safe cryptographic posture can happen.”

DARPA Is Vetting the Timeline

Agencies making early bets have an independent check on vendor claims. QuEra is a Stage B participant in the Defense Advanced Research Projects Agency Quantum Benchmarking Initiative, the program designed to vet competing quantum technologies; the company also runs benchmarking work with Los Alamos National Laboratory and the University of California, Berkeley.

Gemelke was candid that timelines are compressing faster than the field expected. Since QBI began about nine months earlier, the projected time to useful capability had “drifted down,” which he attributed partly to “the power of capital.”

For federal agencies, DARPA’s benchmarking is a helpful independent check on vendor promises.

Federal CIOs Should Prepare for PQC Migration in the Next 18 Months

PQC Migration is a risk-minimization effort, and it starts with knowing what you have. Five moves define the near-term work:

  1. Name and empower a PQC migration lead — required within 30 days of the order — with a mandate over agencywide cryptographic inventory.
  2. Inventory high-value assets and high-impact systems and rank them by exposure to long-lived confidential data most at risk from “harvest now, decrypt later” attacks.
  3. Prioritize key establishment first (2030) over signatures (2031), matching the order’s own sequencing.
  4. Turn on hybrid PQC where cloud services already offer it — updated TLS policies, KMS, ACM — under the shared-responsibility model.
  5. Prepare procurement language now, ahead of the FAR rule that will bind contractors to FIPS PQC compliance by 2030.

The threat that once lived in the mid-2030s now has a compliance calendar attached. Agencies that treat 2030 as the real deadline, and start with inventory rather than tooling, will be run-ready when the hardware arrives.

“Even if we assign only a 10% chance that this will happen before the end of the decade, that is still a much larger risk than you would tolerate in any other security context,” Kessler said. “The time to really modernize to PQC is now, because it’s a probabilistic risk minimization effort.”

gorodenkoff/Getty Images