The White House Just Released Its New National Cyber Strategy. It’s Not a Strategy.
The Trump administration’s seven-page cyber strategy gives post-quantum cryptography little more than a passing nod – and that should worry every CISO in America.
7 Mar 2026 – On Friday afternoon – the traditional Washington burial ground for news you’d rather not have scrutinized – the White House released “President Trump’s Cyber Strategy for America,” the administration’s long-delayed national cybersecurity strategy document. Originally expected in January, the strategy outlines six policy pillars that will ostensibly guide the nation’s cybersecurity posture going forward.
The document makes bold claims. It positions American cyber capabilities as unmatched, promises to “disrupt and disorient” adversaries, and dedicates significant rhetorical real estate to artificial intelligence, offensive cyber operations, and deregulation. For those of us focused on the quantum threat landscape, however, the strategy raises more questions than it answers – and the answers it does provide are not encouraging.
Four Pages to Secure the Nation
The first thing that strikes you about this strategy is its brevity. Of its seven pages, two are the cover and back pages and one is the presidential letter, leaving four sparse pages of actual substance. For context, the Biden administration’s 2023 National Cybersecurity Strategy ran 39 pages. Trump’s own first-term strategy in 2018 was 40 pages. Both included detailed objectives and measurable outcomes under each pillar.
This is not a strategy. It is a vision statement – a collection of aspirational declarations with almost no implementation detail, no timelines, and no measurable benchmarks. The Office of the National Cyber Director (ONCD) has indicated that a more detailed implementation plan will follow, but the strategy itself reads more like an executive summary than a governing document.
The six pillars are:
- Shape Adversary Behavior – offensive operations and deterrence
- Promote Common Sense Regulation – streamline and reduce compliance burden
- Modernize and Secure Federal Government Networks – zero trust, PQC, cloud, AI
- Secure Critical Infrastructure – harden systems and supply chains
- Sustain Superiority in Critical and Emerging Technologies – AI, quantum, crypto/blockchain
- Build Talent and Capacity – workforce development
Each of these could, and should, be a substantial policy chapter. Instead, they get a few paragraphs each, heavy on rhetoric and light on specifics.
The Quantum and Post-Quantum Treatment: Two Sentences in a Sea of AI
For anyone tracking the post-quantum cryptography migration, arguably the most consequential cryptographic transition in modern history, this strategy is deeply disappointing.
Post-quantum cryptography appears exactly twice in the entire document.
The first mention comes in Pillar 3, where PQC is listed as one item in a comma-separated enumeration: the administration will accelerate modernization by “implementing cybersecurity best practices, post-quantum cryptography, zero-trust architecture, and cloud transition.” That’s it. No timelines. No migration mandates. No agency-specific requirements. No acknowledgment of the cryptographic inventory challenge. No mention of the NIST post-quantum standards (FIPS 203, 204, and 205) that were finalized in 2024 – a milestone the strategy appears entirely unaware of.
The second mention appears in Pillar 5: “We will promote the adoption of post-quantum cryptography and secure quantum computing.” A single sentence, buried in a pillar that is overwhelmingly focused on AI. Agentic AI alone receives more attention than the entire quantum/PQC topic.
To be explicit about what is missing:
- No mention of the harvest-now, decrypt-later (HNDL) threat – the foundational risk driver for PQC migration urgency. Adversaries are collecting encrypted data today for future quantum decryption, and this strategy says nothing about it.
- No reference to NIST’s finalized PQC standards (ML-KEM, ML-DSA, SLH-DSA), nor the forthcoming FN-DSA standard.
- No timelines or deadlines for federal PQC adoption.
- No mention of cryptographic inventory – you cannot migrate what you haven’t mapped.
- No discussion of crypto-agility – the architectural principle that allows rapid algorithm substitution.
- No acknowledgment of the CRQC timeline – how close we are to a cryptanalytically relevant quantum computer and what that means for data already in transit.
- No mention of PQC in the context of critical infrastructure (Pillar 4), despite the payments sector, energy grid, and telecommunications systems all facing massive cryptographic migration challenges.
- No reference to NSM-10, the Biden-era National Security Memorandum that established the framework for federal quantum readiness.
This is not a minor oversight. This is a strategy that claims to address emerging technology threats while largely ignoring the most time-critical cryptographic transition of our era.
The Contradiction: “Promote Adoption” While Removing Mandates
The strategy’s thin PQC treatment becomes even more concerning when placed alongside the administration’s actual policy actions.
In June 2025, the Trump administration signed Executive Order 14306, which significantly pared back the Biden administration’s PQC acceleration requirements. The Biden framework directed agencies to begin adopting quantum-resistant encryption “as soon as practicable” and to start requiring vendors to support PQC when technologically feasible. Trump’s EO eliminated those requirements.
What remains is a directive for CISA to maintain a list of product categories where PQC-capable products are commercially available – but there is no procurement mandate attached. Agencies are not required to buy PQC-ready products. Vendors are not required to support PQC. The strategy says “promote adoption” while the underlying executive action has removed the mechanisms that would compel it.
For CISOs running real PQC migration programs – and anyone who has managed a cryptographic transition at enterprise scale knows these are multi-year, multi-thousand-task efforts – “promote adoption” without mandates, timelines, or procurement requirements is not actionable guidance. It is a placeholder.
The AI Overcorrection
The strategy devotes disproportionate attention to artificial intelligence. Pillar 5 reads as though AI is the singular emerging technology challenge of our time. The document calls for “AI-powered cybersecurity solutions,” “agentic AI” for network defense, securing the “AI technology stack” including data centers, and using AI to “detect, divert, and deceive threat actors.”
AI security is genuinely important. But the strategy’s framing is one-dimensional. There is no discussion of adversarial machine learning, model poisoning, or the risks of automated decision-making in security contexts. There is no acknowledgment that AI-powered security tools can be subverted, hallucinate, or introduce new attack surfaces. The treatment reads as promotional rather than analytical.
The imbalance is stark: AI receives roughly five to six times the word count of quantum/PQC. In terms of urgency and irreversibility, this prioritization is backwards. If you fail to deploy an AI-powered security tool in 2026, you can deploy it in 2027. If you fail to migrate to PQC before quantum-capable adversaries can break your cryptography, the data you failed to protect is compromised retroactively and permanently.
The Deregulation Paradox
Pillar 2 is the strategy’s shortest pillar and essentially argues that cybersecurity regulation has become an expensive compliance exercise. The administration wants to “streamline cyber regulations to reduce compliance burdens.”
There is a reasonable argument here – compliance checklists can become disconnected from actual security outcomes. But the strategy simultaneously calls for hardening critical infrastructure (Pillar 4) while weakening the regulatory mechanisms that create baseline security requirements for that same infrastructure.
This paradox is particularly relevant for PQC. The Biden approach, flawed as it was, at least attempted to use procurement power and federal mandates to drive PQC adoption. If you strip those mandates and replace them with voluntary adoption, you are betting that market forces alone will drive a complex, expensive, technically challenging cryptographic migration on the timeline the threat demands. History suggests that bet will not pay off.
The Workforce Contradiction
Pillar 6 calls the cyber workforce “a strategic asset” and promises investment in the pipeline. This language sits uncomfortably alongside a year in which CISA – the nation’s lead civilian cyber agency – has lost at least a third of its staff through budget cuts, reassignments, and buyouts. The agency’s acting director was reassigned just one week before this strategy was released. Multiple senior officials have departed. Former DHS Secretary Noem was fired earlier the same week.
Building a cyber workforce while defunding the agencies that employ it is not a strategy. It is a contradiction.
The Bottom Line
This strategy is not a roadmap. It is a mission statement. As a vision document, its emphasis on offensive operations and public-private partnership reflects a legitimate strategic perspective. As a guide for the most pressing cryptographic and quantum security challenges facing the nation, it is inadequate.
The post-quantum migration is not optional, it is not deferrable, and it is not something you can address with two sentences in a seven-page document. Every major intelligence agency in the world understands this. Every serious adversary is acting on it. The question is whether the United States government will match its rhetoric about maintaining technological superiority with the detailed, funded, mandated action that PQC migration actually requires.
Based on this strategy, the answer – for now – is no.