The Pentagon's Post-Quantum Cryptography (PQC) Mandate
The Department of Defense has fired a starting gun on one of the most significant cybersecurity transitions in decades. A newly released memorandum from the DoD Chief Information Officer’s office lays out an aggressive timeline and strict requirements for migrating all defense systems to post-quantum cryptography (PQC)—and the urgency is palpable.
Why This Matters Now
Quantum computers capable of breaking today’s encryption aren’t just theoretical anymore—they’re coming. The memo acknowledges that advancements in Quantum Information Science now require “expedited migration to quantum-resistant cryptography” to protect military information systems, communications, and personnel. The stakes couldn’t be higher: maintaining “warfighter lethality and information dominance.”
The Scope Is Staggering
The Pentagon isn’t just updating a few systems. The mandate requires identifying and inventorying cryptography used in *everything*:
- National security systems
- Business systems
- Weapons systems
- Cloud computing capabilities
- Mobile devices
- Physical access control systems
- Internet of Things devices
- Unmanned systems
- Operational technology
This applies regardless of classification level, location, or purpose. Every corner of the defense enterprise is in scope.
A New Chain of Command for Crypto
The memo establishes a centralized PQC Directorate under Dr. Britta Hale, and every DoD component must now designate PQC migration leads within 20 days. These leads will be responsible for cryptographic inventory, coordination, acquisition requirements, and risk management. Annual updates are required by September 30 each year.
Perhaps most notably, *any* PQC-related activity—testing, piloting, prototyping, or acquisition—must now be submitted to the PQC Directorate for approval *before* proceeding. Systems that fail security review will be immediately removed from use.
What’s Banned, Effective Immediately
The memo draws some hard lines. The following technologies **cannot** be used for providing confidentiality, authenticity, or integrity in DoD networks:
- **Quantum Key Distribution (QKD)** and related quantum communication technologies
- **Quantum networking** for security purposes
- **Non-FIPS random number generation**
- **Commercial pre-shared key (PSK) solutions** marketed as quantum-resistant
This is a significant policy statement. Despite commercial interest in QKD, the Pentagon is explicitly steering away from these approaches for security applications.
The 2030 Deadline
Several legacy cryptographic approaches face a hard sunset:
- Pre-shared keys not provisioned through NSA’s Key Management Infrastructure must be replaced with NIST-approved PQC algorithms by December 31, 2030
- Symmetric key distribution protocols must be phased out by the same date (with a one-year extension for solutions registered with NSA’s Commercial Solutions for Classified program)
The Bottom Line
This isn’t a planning document—it’s a mobilization order. The DoD is treating the quantum threat as an active operational concern, not a future problem. The centralized approval process, immediate bans on certain technologies, and aggressive timelines signal that the Pentagon expects components to move now.
For defense contractors, this memo should prompt immediate questions: What cryptography is embedded in your products? Can you demonstrate a PQC migration path? Are you using any of the prohibited approaches?
For the broader cybersecurity community, this is a clear signal of where government standards are heading. The NIST PQC algorithms aren’t optional extras—they’re becoming the mandatory baseline.
The quantum era isn’t coming. The Pentagon is acting like it’s already here.
*The full memorandum is available at the DoD CIO’s [PQC resource page](https://cybersecurityks.osd.mil/DoDcs/pqc).*



