
Agencies Question Security Protocols Amid Shift to Post-Quantum Cryptography
Why It Matters
Without accurate cryptographic inventories, agencies remain vulnerable to both current harvest‑now‑decrypt‑later attacks and future quantum decryption, jeopardizing national security and compliance. Building crypto‑agility now ensures resilient defenses against evolving algorithmic threats.
Key Takeaways
- Agencies lack clear visibility into current cryptographic assets
- Inventory mandates arrive without dedicated funding, creating compliance gaps
- Crypto agility, not just PQC, is essential for long‑term security
- NIST sets 2035 deadline; industry aims for PQC by 2029
- Assign a PQC lead and run daily discovery to keep inventories current
Pulse Analysis
The federal push toward post‑quantum cryptography has turned into a litmus test for the nation’s broader security architecture. While NIST’s new standards aim to future‑proof data against quantum attacks, agencies are stumbling over a basic prerequisite: a comprehensive inventory of every cryptographic implementation. The lack of dedicated budget and clear ownership means many legacy algorithms persist unnoticed, creating a hidden attack surface that adversaries can exploit today through harvest‑now‑decrypt‑later tactics. This gap underscores a systemic issue—security initiatives are often treated as one‑off compliance projects rather than ongoing operational responsibilities.
Beyond the immediate inventory challenge, experts stress that crypto agility is the true strategic imperative. Historically, cryptographic breakthroughs—from the breaking of early ciphers in World War II to the RSA era—have forced abrupt migrations. A modular, Lego‑like approach to cryptography would allow agencies to replace vulnerable algorithms without overhauling entire systems, reducing downtime and cost. This agility not only prepares the government for the 2035 PQC deadline but also equips it to respond swiftly to any future cryptographic disruption, whether driven by quantum advances or novel mathematical attacks.
Practical guidance emerging from the panel includes appointing a single PQC lead with authority and budget, training system owners on the risks of outdated algorithms, and instituting continuous discovery—ideally daily—to keep inventories current. As the private sector, exemplified by Google’s 2029 target, accelerates its PQC rollout, federal agencies risk falling further behind unless they embed these operational practices. By shifting focus from a static compliance checklist to a dynamic, agile cryptographic framework, the government can safeguard critical infrastructure against both today’s and tomorrow’s threats.