White House PQC Cost Estimate: $7.1B to Migrate Federal Civilian Systems

31 Jul 2024 – A new July 2024 report to Congress from the Office of Management and Budget – prepared with the Office of the National Cyber Director and in collaboration with the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology – puts a rough, government-wide price tag of ~$7.1B (2024 dollars) on migrating prioritized federal civilian information systems to post‑quantum cryptography (PQC) over 2025–2035.

The number matters less as a “precise budget” than as a policy signal: the U.S. Government is explicitly treating PQC migration as a large-scale modernization program (inventory → prioritization → interoperability testing → replacement of non‑upgradeable systems). The report repeatedly emphasizes uncertainty and calls the estimate “rough order of magnitude”, not an engineering bill of materials.

For industry, this is an early but clear procurement trajectory: federal buyers will increasingly require crypto agility, PQC‑capable products, and evidence that vendors can support a staged transition without breaking interoperability. This will affect software suppliers, cloud platforms, hardware/firmware vendors, and the testing/validation ecosystem (notably the CMVP pipeline). 

What the report is and why it was released now

The document is titled "Report on Post‑Quantum Cryptography" and was delivered to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Accountability under the Quantum Computing Cybersecurity Preparedness Act (Public Law 117‑260; 6 U.S.C. § 1526).

Its mandate is threefold: (a) describe the federal strategy to mitigate the future quantum threat to public‑key cryptography, (b) estimate funding needed for agencies to secure systems against that threat, and (c) describe NIST‑led coordination and timelines to develop PQC standards. 

Scope is explicit: the report does not cover national security systems (which are excluded by statute), and it notes that separate estimates are being developed for those environments. 

Methodology, assumptions, and what “$7.1B” actually means

The report’s cost figure comes from an annual agency reporting loop created by earlier OMB guidance (M-23-02): agencies submit prioritized cryptographic inventories and then submit funding assessments for migrating inventoried systems; ONCD aggregates these into a government‑wide projection. 

Key assumptions and boundaries (as stated):

  • Time window: migration of “prioritized information systems” is costed for 2025–2035.
  • Dollar basis: the estimate is expressed in 2024 dollars (i.e., constant-dollar framing, not a nominal outlay schedule).
  • Prioritized scope: the costing is not “every system everywhere.” It focuses on the subset that agencies prioritize first – typically high‑impact systems, high‑value assets, long‑lived sensitive data, and core trust infrastructure such as PKI.

A key qualitative driver is replacement of systems that cannot support PQC, including cases where algorithms are effectively “stuck” in hardware/firmware or where legacy compute/memory/bandwidth constraints block PQC adoption. The report highlights this replacement cost as a significant portion of the total.

The estimate is described as “a rough order of magnitude rather than precise calculations.”

If the $7.1B were spread evenly across the 10‑year window (illustrative only), it would average about $0.71B/year.

Cost breakdown table mirroring report categories

The report provides one quantified total ($7.1B) and qualitative cost drivers; it does not provide a per‑agency dollar table or a numeric split by category. The table below mirrors the categories the report explicitly discusses.

| Cost element (as described in the report) | Included in $7.1B estimate? | How the report characterizes the driver | Numeric breakdown provided? |
|---|---|---|---|
| Enterprise cryptographic inventory (manual + automated; iterative/ongoing) | Yes (implied) | Foundational baseline; sustained investment; manual inventories required because automated tooling won’t see everything | No |
| PQC migration engineering (planning, testing, interoperability management) | Yes (implied) | Not a “flip a switch”; interoperability failures can create operational impacts; needs staged prioritization | No |
| Replace/modernize systems that cannot support PQC | Yes (explicit) | “Significant portion” of total; covers hardwired crypto and resource‑constrained legacy tech | No |
| Standards implementation assurance (CMVP testing/validation capacity) | Yes (explicit) | CMVP backlog beyond capacity; modernization effort and added capacity are part of migration costs | No |
| Total government‑wide estimate for prioritized federal civilian systems (2025–2035; 2024$) | Yes | ONCD projection based on agency cost estimates | Yes: $7.1B |

Major uncertainties and limitations called out in the report

The report is unusually direct about uncertainty: inventories are still maturing; costing approaches are evolving; and agencies must revise estimates annually as they learn more.

Two limitations have immediate practical consequences:

First, the estimate is driven by the quality of cryptographic discovery. The report notes that automated tools may lack visibility across networks and may not detect embedded cryptography, making inventories iterative and incomplete early on.

Second, the transition is constrained by ecosystem dependencies – commercial products, protocol interoperability, and validation throughput (e.g., CMVP). In other words: federal timelines and costs will partly be set by vendor readiness and certification capacity, not only by agency intent.

Timeline and federal milestones that flow from the report

The report’s own timeline page primarily tracks NIST’s PQC standardization history through 2024, which is relevant because agency migration gates on standard availability and validated implementations.

The broader federal milestone chain (Act + M‑23‑02 + the report’s “next steps”) looks like this:

| Milestone | What happens | Source basis |
|---|---|---|
| NSM‑10 issued (May 2022) | Sets policy direction and a 2035 risk‑mitigation horizon for quantum‑resistant cryptography transition | |
| OMB M‑23‑02 issued (Nov 2022) | Agencies designate PQC leads, build prioritized crypto inventories, submit annual inventories and follow‑on funding assessments; encourages PQC testing | |
| Annual prioritized inventories begin (May 2023 → annually) | Agencies report crypto inventory of CRQC‑vulnerable systems (excluding national security systems), and update annually through 2035 | |
| July 2024 report to Congress | Publishes strategy + initial ROM funding estimate ($7.1B) + standardization coordination/constraints | |
| After NIST issues PQC standards | OMB must issue guidance requiring agencies to plan and execute migration consistent with prioritization; OMB ensures interoperability coordination | |
| Migration execution window (2025–2035) | Agencies migrate prioritized systems; annual inventories and cost updates refine scope/phasing | |

Implications for industry, procurement, and quantum research

For vendors and integrators, the biggest immediate takeaway is that PQC is now formally treated as a federal modernization line item, not just a standards exercise. OMB’s broader budget guidance is already telling agencies to keep refining PQC transition cost estimates and ensure they are resourced to transition critical systems. 

This reshapes near‑term demand in several concrete lanes:

Cloud providers and shared services will be pulled into the “common cryptographic systems” framing: OMB/ONCD explicitly plan to collect inventory and cost information in ways that reduce duplication across agencies by recognizing shared vendor platforms. This is a procurement signal: expect PQC clauses, roadmaps, and evidence of crypto agility to become standard artifacts. 

Hardware, firmware, and embedded vendors sit at the center of the largest risk/cost driver the report names: systems that cannot accept new algorithms must be identified early and often replaced. If your product has hardwired crypto or tight resource margins, PQC readiness becomes a competitive differentiator.

Tooling startups (crypto discovery, “CBOM”-like visibility, protocol testing harnesses, certificate lifecycle automation) are also direct beneficiaries. The report makes inventory a baseline precondition, and the CISA/NSA/NIST guidance explicitly advises enterprises to conduct cryptographic discovery, engage vendors, and plan contract changes. 

For quantum research, the report is quietly bullish: it explicitly frames quantum computing as strategically valuable (pharma/materials) while also accepting that steady advances may yield a cryptanalytically relevant quantum computer “in the coming decade,” motivating migration now. That combination generally strengthens the case for continued quantum R&D investment while reducing systemic cyber risk as quantum capability improves.

A helpful “real‑world” industry datapoint: Apple has already deployed PQC‑oriented protocol upgrades (e.g., iMessage PQ3) in anticipation of “harvest now, decrypt later” risks – evidence that leading product teams are treating PQC as a current engineering roadmap item, not a future scramble. 

Private sector: treat federal action as a forcing function. Build (or buy) cryptographic discovery; map “where crypto lives” across endpoints, libraries, firmware, network protocols; demand PQC roadmaps from suppliers; and design migrations around interoperability and rollback safety rather than “big bang” cutovers. 

Researchers: prioritize the migration bottlenecks the report indirectly highlights – implementation security (side channels), performance under constrained environments, protocol transition patterns (hybrid modes, identity/cert lifecycles), and validation throughput. The report’s CMVP capacity warning is a concrete place where research, tooling, and test-lab scaling matter.

Why this is significant and mostly positive

My read: the $7.1B headline is less about sticker shock and more about institutional commitment. The federal government is finally putting PQC in the same category as other “hard” infrastructure transitions: multi‑year, vendor‑coupled, inventory‑driven, and budgeted. That is the posture you want if you are serious about defending long‑lived data against quantum-era adversaries – and it creates a clearer market for vendors who have been waiting for demand to crystallize. 

The challenge is equally clear: the estimate is uncertain because inventories are uncertain; and the riskiest/most expensive work is often buried in legacy and embedded environments. But recognizing those constraints early – explicitly, in writing, to Congress – is exactly how you avoid the worst‑case outcome: a rushed, brittle, last‑minute migration triggered by a sudden quantum capability breakthrough.

Marin

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.