White House Memo Urges Federal Agencies to Prepare for Post-Quantum Cryptography

November 20, 2022 – The White House Office of Management and Budget (OMB) has issued a new memorandum that could reshape federal cybersecurity for the coming quantum era. OMB Memorandum M-23-02, titled “Migrating to Post-Quantum Cryptography,” was released on November 18, 2022 and directs U.S. federal agencies to begin the urgent process of preparing their systems for post-quantum cryptography (PQC). This policy move is a clear acknowledgment that future quantum computers will pose a serious threat to today’s encryption – and that the government must act now to safeguard sensitive data before those quantum attacks materialize.

M-23-02: “Migrating to Post-Quantum Cryptography.” In this eight-page memo, OMB Director Shalanda Young instructs all executive branch departments and agencies to accelerate efforts toward quantum-resistant encryption. The guidance is “transitional” – laying groundwork now, even before new PQC standards are finalized by NIST (expected in the next couple of years). Key points from the memo include:

  • Inventory of Vulnerable Systems: Agencies must catalog their cryptographic systems that use algorithms vulnerable to quantum attacks (e.g. RSA, Diffie-Hellman, elliptic-curve cryptography). By May 4, 2023 – six months from the memo’s release – and annually thereafter through 2035, each agency must submit a prioritized inventory of information systems and assets that rely on quantum-vulnerable encryption. This inventory focuses first on high-impact systems and High Value Assets (HVAs) – essentially the government’s most sensitive or critical systems – and any other systems deemed particularly at risk of quantum cryptanalysis. The memo even defines “cryptographic systems” broadly to include any hardware or software that handles key exchange, encrypted connections, or digital signatures, underscoring that no usage of current encryption can be ignored.
  • Designate a Crypto Migration Lead: Within 30 days of the memo, every agency must appoint a cryptographic inventory and migration lead – a point person to coordinate the agency’s PQC transition efforts. This ensures accountability and leadership for what will likely be a multi-year project in each organization. OMB and the White House Office of the National Cyber Director (ONCD) are also standing up a new interagency working group (with NIST, NSA, CISA, FedRAMP and others) to share tools, testing guidance, and best practices for the PQC migration. In other words, the federal government is organizing a whole-of-government approach to this challenge.
  • Assessing Risks and Resources: Agencies’ inventory reports must include detailed information about each vulnerable cryptographic system – the algorithms in use (e.g. RSA-2048, ECDSA P-256), what the system is used for (key exchange, signatures, etc.), key lengths, the system’s FIPS 199 security impact level (low/moderate/high), whether it’s a commercial product or custom, and so on. This level of detail will help identify where quantum-vulnerable encryption protects high-value data that needs long-term security. Notably, if a system contains data that must remain confidential through 2035 and beyond, it should be prioritized, since an adversary could record its encrypted data now and decrypt it later with a future quantum computer. Within 30 days of submitting the inventory, agencies also have to deliver an assessment of the funding required to migrate those systems to PQC. This implies OMB is lining up budgeting and resource plans to support the crypto modernization effort.
  • Testing and Next Steps: While NIST is still finalizing new cryptographic standards, the memo encourages agencies (especially with CISA’s help) to begin testing emerging post-quantum solutions in real-world environments as soon as possible. It suggests working with software vendors to try out candidate quantum-safe algorithms in systems like web browsers, cloud services, network devices, and other encryption endpoints. These pilot implementations – run in parallel with existing approved algorithms – will help uncover practical issues and ensure that once standards are official, agencies can deploy them with confidence. OMB calls for NIST, CISA, and others to establish a mechanism for sharing testing information within 60 days. Future guidance will follow once NIST’s PQC standards are finalized, but the clear message is: don’t wait idly for that day. Start preparing now.
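As an added illustration (not from the memo or this article), the Python routine below triages inventory records carrying the fields the memo asks for: it classifies each algorithm family as quantum-vulnerable or not, then scores the in-scope records by FIPS 199 impact level, HVA status, the 2035 confidentiality horizon and whether the product is custom-built. The field names, weights and sample records are assumptions constructed for the example; the harvest-now-decrypt-later bonus applies only to confidentiality uses, since recorded traffic lets an adversary decrypt later but not retroactively forge a signature.

```python
from dataclasses import dataclass, asdict
from typing import Dict, List

# Public-key families whose hardness assumption (factoring or discrete log)
# falls to Shor's algorithm on a cryptanalytically-relevant quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "ECC",
                      "EDDSA", "ED25519", "ED448", "X25519", "X448"}
# Symmetric ciphers and hashes are weakened (Grover) but not broken at adequate
# key and digest sizes, so they fall outside the migration inventory.
NOT_QUANTUM_VULNERABLE = {"AES", "CHACHA20", "SHA", "SHA2", "SHA3", "HMAC"}

IMPACT_WEIGHT = {"low": 0, "moderate": 1, "high": 3}  # FIPS 199 impact level (assumed weights)
PROTECT_THROUGH_YEAR = 2035  # horizon the memo uses for long-lived secrets
CONFIDENTIALITY_USAGES = {"key-exchange", "encryption"}  # exposed to harvest-now-decrypt-later

@dataclass
class CryptoSystemRecord:
    system: str
    algorithm: str           # e.g. "RSA-2048", "ECDSA-P256", "AES-256-GCM"
    usage: str               # key-exchange | signature | encryption | hash
    fips199_impact: str      # low | moderate | high
    hva: bool                # designated High Value Asset
    custom: bool             # custom-built (no vendor update path) vs commercial
    confidential_until: int  # year the protected data must remain confidential

def algorithm_family(algorithm: str) -> str:
    """'RSA-2048' -> 'RSA', 'ecdsa-p256' -> 'ECDSA', 'AES-256-GCM' -> 'AES'."""
    return algorithm.strip().upper().replace("_", "-").split("-")[0]

def classify(algorithm: str) -> str:
    """'vulnerable', 'safe', or 'review' (an unrecognised family needs a human)."""
    family = algorithm_family(algorithm)
    if family in QUANTUM_VULNERABLE:
        return "vulnerable"
    if family in NOT_QUANTUM_VULNERABLE:
        return "safe"
    return "review"

def priority_score(rec: CryptoSystemRecord) -> int:
    """Higher means migrate sooner; 0 means the record is out of PQC scope.
    Unrecognised algorithms are scored as vulnerable until someone reviews them."""
    if classify(rec.algorithm) == "safe":
        return 0
    score = 1 + IMPACT_WEIGHT[rec.fips199_impact.lower()]
    if rec.hva:
        score += 3
    # Recorded key exchanges and ciphertexts can be broken once a CRQC exists;
    # signatures cannot be retroactively forged, so they get no horizon bonus.
    if rec.usage in CONFIDENTIALITY_USAGES and rec.confidential_until >= PROTECT_THROUGH_YEAR:
        score += 3
    if rec.custom:
        score += 1  # no vendor will ship the fix; migration must be engineered in-house
    return score

def prioritized_inventory(records: List[CryptoSystemRecord]) -> List[Dict]:
    """The memo's 'prioritized inventory': in-scope records, highest priority first."""
    rows = []
    for rec in records:
        score = priority_score(rec)
        if score > 0:
            rows.append({**asdict(rec), "status": classify(rec.algorithm), "score": score})
    return sorted(rows, key=lambda r: (-r["score"], r["system"]))

# Constructed sample records for the example, not a real agency inventory.
SAMPLE_INVENTORY = [
    CryptoSystemRecord("Site-to-site VPN", "ECDHE-P256", "key-exchange", "high", True, False, 2040),
    CryptoSystemRecord("Code-signing service", "RSA-3072", "signature", "high", False, True, 2030),
    CryptoSystemRecord("Public web TLS", "X25519", "key-exchange", "low", False, False, 2024),
    CryptoSystemRecord("Backup encryption", "AES-256-GCM", "encryption", "high", True, False, 2045),
    CryptoSystemRecord("Legacy badge reader", "PROPRIETARY-KX", "key-exchange", "moderate", False, True, 2036),
]

if __name__ == "__main__":
    for row in prioritized_inventory(SAMPLE_INVENTORY):
        print(f"{row['score']:2d}  {row['status']:<10} {row['system']:<22} {row['algorithm']}")
```

Note that the AES-protected backup drops out of the list entirely, while the unrecognised badge-reader protocol outranks the RSA code-signing service because its long-lived key exchanges are exposed to recording today.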

In essence, M-23-02 operationalizes earlier high-level directives (it cites National Security Memorandum 10 from May 2022) by giving civilian agencies “marching orders” to kick off the quantum-secure migration process. It aligns with the Biden Administration’s broader cybersecurity strategy – including the move toward Zero Trust Architecture, which depends on “ubiquitous use of strong encryption” across federal systems. By mandating inventories, leadership assignments, and testing, the memo sets the foundation for a coordinated transition to quantum-resistant cryptography across the U.S. government.

Why This Matters to the Cybersecurity Community

The OMB’s post-quantum cryptography memo is more than just another compliance checklist – it’s a wake-up call to the entire cybersecurity community. Here’s why it’s significant:

  • Acknowledging a Looming Threat: For years, security experts have warned that quantum computers will eventually break much of today’s encryption. With this memo, the U.S. government is formally acknowledging that threat at the highest levels and moving from talk to action. It’s a signal that the quantum risk is not science fiction, but a real national security concern with a ticking clock. As the memo starkly notes, a future “cryptanalytically-relevant quantum computer (CRQC)” could one day “compromise certain widely used cryptographic algorithms” that currently secure federal systems. In non-government terms, that means algorithms like RSA, ECC, and Diffie-Hellman – used in everything from HTTPS websites to VPNs and digital signatures – would no longer be trustworthy once sufficiently powerful quantum machines exist. Virtually every sector (financial, healthcare, technology, critical infrastructure, etc.) relies on these algorithms, so the repercussions extend far beyond government when they fall.
  • “Harvest Now, Decrypt Later” – Acting Before It’s Too Late: Crucially, the memo emphasizes the risk of adversaries stealing encrypted data now to decrypt in the future. “Encrypted data can be recorded now and later decrypted by operators of a future CRQC,” OMB warns. This so-called “harvest now, decrypt later” tactic means that even data considered securely encrypted today (say, an intercepted classified communication or a tranche of personal medical records) could be exposed in a decade or two if stored and decrypted with a quantum computer. For the cybersecurity community, this raises the stakes: we must protect not only against present threats, but also against future decryption of today’s secrets. Long-lived sensitive data – think state secrets, intellectual property, or anyone’s information that needs to stay confidential for years – is already at risk if we do nothing. The OMB memo matters because it compels action now to mitigate a threat that might only fully materialize years from now. It flips the usual reactive security paradigm on its head: we’re being asked to anticipate and outpace a fast-advancing technology.
  • PQC Goes From Academia to Policy: Post-quantum cryptography has been a hot topic in cryptographic research circles for a while, but this memo brings it front-and-center for practitioners and decision-makers. It effectively says quantum-resistant crypto is now a strategic priority. For cybersecurity professionals, that means PQC is no longer an abstract R&D project – it’s entering the realm of policy, procurement, and deployment. We’ll need to educate ourselves on the new algorithms and tools, many of which are based on very different math (lattices, hash-based signatures, etc.) than the RSA/ECC we’re used to. The memo forces conversations within organizations about crypto agility (can we swap out algorithms easily?), asset management (do we even know everywhere we use vulnerable crypto?), and vendor readiness (will our suppliers support PQC?). In short, it injects urgency into migrating to new encryption standards – which is often a slow, difficult change. By making it a mandate, OMB is catalyzing progress that might otherwise lag until a crisis.
  • U.S. Government Leadership and Market Signal: The federal government is the largest consumer of IT in the world, and its cybersecurity requirements often influence the broader market. This memo signals to vendors and the tech industry that quantum-safe encryption is a pressing demand. Companies that provide encrypted products or services to the government (from cloud providers to VPN and software vendors) now know that they must start integrating PQC into their offerings or risk losing out on federal contracts in the future. That has ripple effects: standards bodies, open-source projects, and tech firms are likely to accelerate efforts on PQC compatibility. The memo also complements the recent federal legislation (the Quantum Computing Cybersecurity Preparedness Act, signed in Dec 2022) that encourages government-wide adoption of quantum-resistant technology. Together, these moves say to the cybersecurity community: get ready for the post-quantum transition – the White House is.

Implications for Federal Agencies, Contractors, and the Wider Ecosystem

The ripple effects of OMB’s post-quantum migration mandate will be felt widely. Here’s a look at what it means for various stakeholders:

Federal Agencies: A Call to Action and Coordination

For federal civilian agencies, M-23-02 is effectively an order to get your cryptographic house in order. In practical terms, agencies now face an extensive effort to identify where and how every system under their purview uses cryptography.

This is non-trivial – encryption is deeply embedded in modern IT infrastructure, from obvious places (web servers, VPNs, email systems) to the obscure (hardcoded protocols in legacy systems, badge readers, IoT devices, etc.). Agencies will need to invest time and talent into crypto inventories and work across departments to gather this information.

The memo’s requirement to prioritize high-impact and high-value systems first is a sensible triage approach, but it still demands a comprehensive review. Many agencies will discover that they lack a clear picture of all the cryptographic modules running in their environment. This initiative therefore compels improvements in asset management and architectural documentation.

Agencies will also need to stand up internal teams or working groups for PQC migration. The designated “crypto lead” at each agency will likely coordinate with the OMB/ONCD working group, meaning they’ll be sharing progress and hurdles with peers across the government. This kind of collaboration is good news – it means agencies won’t be tackling the quantum challenge in isolation. We can expect shared tools (CISA is tasked with developing automated crypto discovery tools), playbooks, and perhaps government-wide contracts for solutions (GSA is already preparing acquisition vehicles to help agencies obtain compliant cryptographic tools and expertise).

Still, the operational burden on agencies shouldn’t be underestimated: they have to not only do the inventory, but continuously update it every year until 2035, and eventually implement the new algorithms in all affected systems. This will involve software updates, hardware replacements or upgrades (for devices like HSMs or smart cards), and rigorous testing to ensure security and performance aren’t compromised in the transition. Agencies will need to plan for this in their IT roadmaps and budget cycles now (hence the memo’s demand for a funding estimate). Those that procrastinate or treat this as a checkbox exercise risk falling behind, which could expose them to significant security gaps a decade from now.

On the positive side, agencies that move early could reap benefits. By integrating PQC considerations into ongoing digital modernization or zero-trust efforts, they can address multiple goals at once. For example, as agencies replace old systems as part of IT modernization, they can ensure new systems are crypto-agile (capable of adopting new algorithms via software updates) or already support the upcoming standards. This proactive approach aligns with the federal Zero Trust strategy’s emphasis on strong encryption and network security. It’s also a chance for agencies to show leadership in cybersecurity by contributing to pilot programs and testing. Several agencies (like those with advanced R&D arms or large IT infrastructures) might volunteer to run pilot implementations of PQC (as encouraged by the memo), providing valuable feedback to NIST and others. In summary, for federal agencies, the memo’s implications are clear: urgent work now, to prevent chaos later. It’s a mandate, but also an opportunity to fortify systems against the next big threat before it’s at the door.

Federal Contractors and Industry: Pressure and Opportunity

If you are a vendor or contractor serving the federal government’s IT or security needs, this memo puts you on notice as well. Contractors often build, supply, or operate the very systems the memo is targeting. As agencies compile their cryptographic inventory, they will be knocking on vendors’ doors asking pointed questions: Which cryptographic algorithms does your product use? Are they quantum-vulnerable? Is there a roadmap for supporting PQC algorithms? In some cases, agencies might find that a mission-critical system relies on a third-party product that only supports legacy encryption. That vendor can expect pressure to update their software or hardware to meet the new requirements – or risk the agency seeking alternatives. In fact, M-23-02 explicitly encourages agencies (and CISA) to engage with software vendors to identify where PQC testing can happen and to push for solutions. We may see procurement language start to appear in contracts that requires “cryptographic agility” or commitments to adopt NIST-approved PQC algorithms once available.

For contractors in the cybersecurity consulting space, a significant business opportunity is emerging. Agencies will need help discovering all instances of vulnerable crypto and planning the technical migration. This could range from code analysis to find hard-coded algorithms, to deploying enterprise crypto management tools, to redesigning systems for new encryption schemes. Companies that specialize in cryptography, cybersecurity, or IT modernization can offer services to accelerate agencies’ readiness. In fact, the demand for crypto-agility solutions is likely to surge. Vendors offering automated scanning of certificates and code for legacy crypto, or modular cryptographic libraries that can swap in PQC algorithms, will find a receptive market.

Beyond federal contracts, this move could spur the tech industry at large to prioritize PQC. Major tech companies (cloud providers, software giants) typically aim to stay aligned with federal requirements, as it makes their products easier to sell to government. We might expect accelerated development of PQC features in commonly used platforms – for example, cloud services adding options for quantum-safe VPNs or key exchange, or enterprise software adding support for PQC-based TLS.

There’s precedent for this kind of cascade: when the U.S. government mandated stricter algorithms (like moving from SHA-1 to SHA-256, or enforcing TLS 1.2+), industry followed suit relatively quickly. Here, the timeline is longer and the challenge greater, but the principle stands. Standards compliance will be a driving factor. NIST’s forthcoming standards for PQC will likely be adopted by other standards bodies globally, and companies that implement them early can position themselves as security leaders. For security product vendors, having a well-tested quantum-resistant option could become a competitive differentiator in the next few years.

In short, contractors and industry partners should view M-23-02 as both a pressure and a prompt: pressure to ensure their current offerings won’t be the weakest link in an agency’s crypto inventory, and prompt to invest in quantum-proofing their technology. Those that get ahead – by participating in NIST’s process, testing their implementations of PQC now, and educating their workforce on PQC – will be in a strong position to support the government (and other customers) in this transition. Those that ignore the memo’s implications may find themselves scrambling later to retrofit quantum-resistance into their products under tight deadlines.

The Broader Cybersecurity Ecosystem: A New Security Frontier

The impact of migrating to post-quantum cryptography will reverberate far beyond the federal government. Cryptography is the backbone of global cybersecurity, and the algorithms the U.S. government chooses to protect its data often become the default for protecting everyone’s data. The concerted move toward PQC is likely to jumpstart similar initiatives in other sectors and countries. In fact, governments around the world are closely watching quantum developments – allies and adversaries alike. We can expect international standards organizations and allied governments to coordinate with NIST and the U.S. on global PQC standards (indeed, many global researchers contributed to the NIST competition). Just as importantly, if the U.S. federal government is mandating quantum-safe crypto, critical infrastructure providers and industries like banking and healthcare will take note and may proactively begin their own migrations. No one wants to be the last one using breakable encryption when quantum computing arrives.

For the cybersecurity community at large – from CISOs to network engineers to software developers – the OMB memo is a harbinger of the next big paradigm shift. We’ve spent the past decade improving cyber hygiene with measures like multi-factor authentication, zero trust architecture, and stronger cloud security. Now, quantum resilience joins that priority list. Forward-leaning organizations are already doing quantum risk assessments, identifying which of their assets have long-term sensitive data, and experimenting with PQC in labs. The memo effectively validates those efforts and provides a blueprint that any large enterprise can mimic: start with an inventory, figure out what’s at risk, estimate the costs, and plan for yearly progress reviews. In other words, the practices being imposed on agencies could be seen as best practices for any organization that values its data security for the long haul.

We should also anticipate a wave of innovation and community effort in the cybersecurity ecosystem. The transition to PQC is not something one entity can solve alone; it will require updates to protocols (think TLS, IPsec, secure email standards), interoperability testing, new versions of cryptographic libraries (OpenSSL, for instance, has been working on PQC support), and even training the workforce on new crypto concepts. Open-source projects will play a role in implementing PQC algorithms and making them accessible. Academia and industry will need to continue scrutinizing the proposed algorithms – even post-standardization – to ensure they truly hold up (the cryptographic community will be eager to peer-review and attempt to break the new schemes, as healthy QA). The memo’s call for a working group and information exchange hints at this collaborative spirit, and we’ll likely see public-private partnerships to pilot quantum-safe technologies in real networks.

Finally, we must consider the adversarial perspective: the fact that the U.S. government is moving forward on PQC migration might also send a message to threat actors – the clock is running on the utility of quantum-vulnerable exploits. Nation-state adversaries who are investing in quantum computing or stealing encrypted data will understand that the window to make use of current encryption weaknesses is closing (or at least, that their targets are fortifying defenses in advance). This could potentially discourage certain “harvest now, decrypt later” efforts or, conversely, could accelerate them in the short term (if they want to gather as much encrypted material as possible before PQC is everywhere). Either way, the broader ecosystem of cyber defense and offense is now entering a new phase, where quantum computing is an explicit factor in strategy. Security professionals globally should keep a finger on the pulse of quantum advancements and PQC readiness, even if they are outside the federal realm. The lessons learned from the federal migration – the challenges in implementation, the interoperability hiccups, the performance impacts – will benefit everyone as we all head toward a quantum-critical future.

Conclusion

The release of OMB Memo M-23-02 is a landmark moment in cybersecurity policy. It marks one of the first concrete, government-wide steps to confront the reality that quantum computing will redefine our security landscape. For those of us in the cybersecurity field, it’s both a technical challenge and a strategic imperative. Technically, we are tasked with ushering in a new generation of cryptography – one that can withstand the computational juggernaut that quantum computers promise to be. Strategically, we’re being asked to think years ahead, to protect information not just against the threats of today but against threats that loom on the horizon.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.