Post-quantum cryptography (PQC) encryption is a method of securing data with algorithms that cannot be easily broken by quantum computers. While today’s encryption standards may appear secure, they are not built to defend against quantum threats. Nation-state adversaries can intercept and store data now, with the intent to decrypt it later as quantum capabilities mature – creating long-term exposure from short-term protection. As quantum computing advances, this “harvest now, decrypt later” risk is becoming increasingly urgent.

This is why preparing for a post-quantum cryptography landscape is so critical. Just this month, the White House issued an Executive Order calling for the release of a list of products that support PQC no later than December 1 of this year. The order also sets a firm deadline of January 2, 2030, by which all federal civilian agencies must transition their systems to PQC algorithms. Federal agencies are already being encouraged to consider post-quantum cryptographic standards in the acquisitions process. All of this comes as the release of NIST’s PQC standards nears its first anniversary, with new standards expected to be released soon, and as awareness grows of the urgent need to prepare for a PQC reality.

A Framework to Gauge PQC Readiness & To Prepare: Discover. Assess. Manage.

Given all the activity in this space, many agencies are currently moving to PQC implementations. In our work with customers, we find that – as with any new technology – there are different levels of PQC maturation and readiness from agency to agency, and even from team to team within agencies.

We also see an incorrect perception that PQC readiness is a cyber challenge alone. It’s not. PQC readiness is an IT challenge that requires coordination across teams responsible for cybersecurity, enterprise infrastructure, data management, and more. With this in mind, we created a three-part framework to help customers holistically assess their PQC readiness and maturity.

  • Discover: To start, we leverage automated discovery to identify and manage PQC risks across the enterprise. This includes examining endpoints, networks and data and working collaboratively with the customer to understand both inherent and emerging risks.

  • Assess: In the next phase, we map the relationships between deployed cryptography within an organization and prioritize mitigations of identified risks. We then deliver an actionable risk assessment to the customer.

  • Manage: In the third phase, we help customers work across teams to actively migrate to PQC encryption and manage it at scale. This includes system updates, PQC detection and control, and using PQC algorithms to support secure data transit. We also support ongoing monitoring of PQC risk and the complex task of ensuring secure encryption across applications, networks, devices, and everywhere else encryption is used.

Partnering with Agencies to Prepare for Post-Quantum Threats

To date, we’ve applied the Discover, Assess, Manage framework in PQC preparation engagements with multiple civilian agencies that are ahead of the curve in preparing for PQC – but staying there requires continuous, all-hands-on-deck assessment and action.

Working with these customers and within our Tidal PQC Digital Accelerator, we are developing the best practices that will help to safeguard agencies against PQC threats in the near-term future and those that will emerge in the long-term as quantum computing advances. Early adoption of PQC encryption helps to ensure that organizations stay secure, compliant and ready for whatever challenges may lie ahead. It gives them a stronger defense against emerging cyber risks and prepares them for future PQC standards.

More agencies will soon begin their PQC journeys. The Department of Defense has begun its implementation plans already. For the DoD and for other agencies, there will be a need for a mission partner with robust PQC capabilities and services across the Discover, Assess, Manage framework, and we are proudly paving the way.

From inventorying legacy cryptography to deploying quantum-resistant algorithms at scale, PQC migration requires coordination, expertise, and sustained action. Getting started now ensures agencies stay ahead of the threat and on track to meet the 2030 deadline.