Quantum Computing Cybersecurity

Government Quantum Risk

Federal, state, and local government agencies hold citizen data with lifelong confidentiality requirements. OMB M-23-02 requires cryptographic system inventory and migration planning. Quantum readiness is a mandate, not an option.

CMMC Registered Practitioner Org • BBB A+ Since 2003 • 23+ Years Experience

Key Takeaways

  • OMB Memorandum M-23-02 requires federal agencies to inventory cryptographic systems and prioritize migration to PQC
  • NSA CNSA 2.0 mandates quantum-resistant algorithms for National Security Systems by 2027 (software) and 2030 (hardware)
  • CISA has published quantum readiness guidance for critical infrastructure sectors including government
  • State and local governments face similar exposure with less federal support and tighter budgets
  • Government IT contractors must align with agency PQC requirements or lose contract eligibility

Federal Quantum Migration Mandates

The federal government has been the most proactive sector in addressing quantum computing threats. Multiple directives establish specific requirements for federal agencies and their contractors:

National Security Memorandum NSM-10 (May 2022)

Signed by President Biden, NSM-10 "Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems" directed federal agencies to begin the transition to quantum-resistant cryptography. It established the timeline for NIST to finalize PQC standards and required agencies to identify systems vulnerable to quantum attacks.

OMB Memorandum M-23-02 (November 2022)

OMB M-23-02 requires federal agencies to: (1) inventory all cryptographic systems, including protocols, algorithm use, and key management practices; (2) prioritize cryptographic systems for migration based on risk; (3) develop transition plans with milestones and resource requirements; (4) report progress to CISA and OMB annually. This is the most specific federal mandate for quantum migration planning and applies to every civilian federal agency.

NSA CNSA 2.0 (September 2022)

The Commercial National Security Algorithm Suite 2.0 establishes the mandatory migration timeline for National Security Systems. Software and firmware must prefer PQC by 2025 and require it by 2027. Network hardware must support PQC by 2030. Classical algorithms are fully deprecated by 2035. CNSA 2.0 is the most aggressive PQC timeline in the world and directly affects all DoD, intelligence community, and national security agency systems.

CISA Quantum Readiness Guidance

The Cybersecurity and Infrastructure Security Agency has published quantum readiness guidance for critical infrastructure sectors, including government. CISA recommends that all organizations: identify quantum-vulnerable cryptographic dependencies, develop a PQC migration roadmap, implement crypto agility, and coordinate with vendors and partners on migration timelines. CISA's role as the federal civilian cybersecurity coordinator means its guidance will influence FedRAMP, FISMA, and other federal compliance frameworks.
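The inventory-then-prioritize procedure that OMB M-23-02 describes, and the crypto-agility point in CISA's guidance, can be made concrete with a small inventory classifier. The script below is an added example written for this page; it is not PTG's assessment tooling or any agency's data. The system records, the ten-year quantum horizon, and the scoring weights are constructed assumptions. The algorithm groupings are standard: RSA, DH, ECDH, ECDSA and DSA rely on factoring or discrete logarithms and are broken by Shor's algorithm; ML-KEM, ML-DSA and SLH-DSA are NIST's standardized PQC algorithms; symmetric keys of 128 bits lose half their effective strength to Grover's algorithm. Risk is ranked with Mosca's inequality: data is exposed when its confidentiality shelf life plus the time needed to migrate exceeds the assumed arrival horizon of a cryptographically relevant quantum computer.

```python
"""Cryptographic inventory and quantum-risk prioritization (constructed example).

All records, weights and the quantum horizon below are assumptions made for
illustration; they are not data from any agency, vendor or assessment.
"""
from __future__ import annotations

from dataclasses import dataclass

# Public-key families whose security rests on factoring or discrete logs.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDHE", "ECDSA", "DSA", "EDDSA"}
# NIST FIPS 203 / 204 / 205 post-quantum algorithm families.
QUANTUM_RESISTANT = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric and hash primitives: Grover halves effective key length, so
# 128-bit (or shorter) keys are "weakened"; 256-bit keys keep a safe margin.
SYMMETRIC = {"AES-128": "weakened", "3DES": "weakened", "AES-256": "ok", "SHA-256": "ok"}


@dataclass
class CryptoSystem:
    name: str
    protocol: str
    algorithms: list[str]
    shelf_life_years: int   # how long the protected data must stay confidential
    migration_years: int    # estimated time to move this system to PQC (assumed)
    sensitivity: int        # 1 (public) .. 5 (lifelong citizen or CJI data)


def classify_algorithm(alg: str) -> str:
    """Return 'vulnerable', 'resistant', 'weakened', 'ok' or 'unknown' for one algorithm name."""
    name = alg.upper()
    if name in SYMMETRIC:
        return SYMMETRIC[name]
    for family in QUANTUM_RESISTANT:          # e.g. "ML-KEM-768" -> resistant
        if name == family or name.startswith(family + "-"):
            return "resistant"
    for family in QUANTUM_VULNERABLE:         # e.g. "RSA-2048" -> vulnerable
        if name == family or name.startswith(family + "-"):
            return "vulnerable"
    return "unknown"


def assess(system: CryptoSystem, quantum_horizon_years: int) -> dict:
    """Score one inventory record; higher score means migrate sooner."""
    findings = {alg: classify_algorithm(alg) for alg in system.algorithms}
    vulnerable = [a for a, c in findings.items() if c == "vulnerable"]
    weakened = [a for a, c in findings.items() if c == "weakened"]
    # Mosca's inequality: exposure > 0 means an adversary who records traffic
    # today can still benefit from decrypting it once a quantum computer exists.
    exposure_years = system.shelf_life_years + system.migration_years - quantum_horizon_years
    at_risk = bool(vulnerable) and exposure_years > 0
    score = 0
    if vulnerable:
        score += system.sensitivity * 10 + max(exposure_years, 0)
    score += 2 * len(weakened)  # symmetric key-length upgrades are cheap: small weight
    if at_risk:
        action = "migrate now (hybrid or PQC key exchange, then PQC signatures)"
    elif vulnerable:
        action = "schedule migration within the roadmap"
    elif weakened:
        action = "increase symmetric key length to 256 bits"
    else:
        action = "no change required"
    return {"name": system.name, "protocol": system.protocol, "findings": findings,
            "vulnerable": vulnerable, "weakened": weakened, "at_risk": at_risk,
            "score": score, "action": action}


def prioritize(inventory: list[CryptoSystem], quantum_horizon_years: int) -> list[dict]:
    """Assess every record and return them ordered from most to least urgent."""
    return sorted((assess(s, quantum_horizon_years) for s in inventory),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample inventory (names, protocols and estimates are invented).
SAMPLE_INVENTORY = [
    CryptoSystem("Vital records archive", "TLS 1.2", ["RSA-2048", "ECDHE-P256", "AES-128"], 75, 3, 5),
    CryptoSystem("Public meeting calendar", "TLS 1.3", ["ECDHE-P256", "ECDSA-P256", "AES-256"], 0, 1, 1),
    CryptoSystem("CJI exchange gateway", "TLS 1.2", ["RSA-3072", "AES-256"], 20, 2, 5),
    CryptoSystem("Pilot PQC VPN", "IKEv2", ["ML-KEM-768", "ML-DSA-65", "AES-256"], 10, 0, 3),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY, quantum_horizon_years=10):  # horizon is an assumption
        print(f"{row['score']:4d}  {row['name']:<26} {row['action']}")
```

Keeping the algorithm tables separate from the system records is the agility point: when an agency adopts a new PQC algorithm or NIST deprecates another, the inventory is re-scored by editing one table rather than every record. In practice the records would be populated from certificate stores, TLS configurations and key-management inventories rather than typed in by hand.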

OMB M-23-02 Compliance Starts with Inventory

PTG's quantum readiness assessment delivers the cryptographic system inventory that OMB M-23-02 requires, plus the risk prioritization and migration roadmap that agencies must produce. Free initial consultation.

Government Data Vulnerable to Quantum Threats

Government agencies at all levels hold data with sensitivity and shelf life requirements that make quantum migration urgent:

Citizen Personal Data

Social Security numbers, tax records, benefits data, and vital statistics (birth, death, marriage records) are held by government agencies with lifelong confidentiality requirements. A quantum-enabled breach of citizen personal data would dwarf any previous government data breach in scope and impact. State tax agencies, vital records offices, and social services departments all handle this data with quantum-vulnerable encryption.

Law Enforcement and Criminal Justice

Criminal justice information (CJI) subject to CJIS Security Policy, court records, sealed indictments, witness protection data, and ongoing investigation materials have extreme confidentiality requirements. The FBI's CJIS Security Policy requires encryption for CJI in transit, using algorithms that are quantum-vulnerable. Migrating law enforcement systems to PQC is essential for maintaining the integrity of the criminal justice system.

Infrastructure and Utility Control Systems

Government-operated utility systems (water treatment, power distribution, transportation networks) use SCADA and ICS protocols with cryptographic authentication. While many ICS deployments have limited or no encryption (a separate problem), those that do use quantum-vulnerable algorithms. The convergence of IT and OT networks in smart city initiatives increases the quantum attack surface for municipal infrastructure.

Elections and Voting Systems

Electronic voting systems, voter registration databases, election results transmission, and campaign finance data rely on cryptographic integrity controls. While voting machines themselves are typically air-gapped, the systems that transmit and aggregate results use network encryption. The integrity of democratic processes depends on cryptographic trust that quantum computers will undermine. State election officials must plan for PQC migration of election infrastructure.

Intelligence and Classified Information

Federal intelligence agencies hold the most sensitive data in the government. NSA CNSA 2.0 directly addresses migration requirements for National Security Systems handling classified information. The intelligence community's quantum migration is managed separately from civilian agencies, but the supply chain (contractors, cloud providers, technology vendors) must align with both CNSA 2.0 and civilian requirements.

State and Local Government Quantum Challenges

While federal mandates (OMB M-23-02, CNSA 2.0) drive quantum migration at the federal level, state and local governments face the same threats with fewer resources and less guidance:

Budget Constraints

State and local IT budgets are significantly smaller than federal budgets. Quantum migration competes with other priorities (ransomware defense, cloud modernization, citizen service digitization). PTG helps government organizations build business cases that quantify quantum risk in terms decision-makers understand: regulatory exposure, breach cost projections, and competitive positioning for federal funding.

Legacy System Prevalence

State and local governments often run legacy systems that are decades old (COBOL-based mainframes, aging databases, custom applications). These systems may use cryptographic implementations that cannot be easily updated. The quantum readiness assessment identifies which legacy systems can be migrated in place, which require middleware crypto gateways, and which must be replaced on a managed timeline.

Vendor Dependency

Government agencies rely heavily on commercial software and cloud services. The pace of quantum migration depends on when vendors (Microsoft, Oracle, Salesforce, AWS, Azure) provide PQC-capable versions of their products. PTG tracks vendor PQC roadmaps and helps government clients plan migration timelines that align with vendor availability.

StateRAMP and Compliance

StateRAMP mirrors FedRAMP's structure for state and local government cloud services. As FedRAMP incorporates PQC requirements (driven by federal mandates), StateRAMP will follow. State agencies that require StateRAMP authorization for their cloud providers should include PQC migration expectations in procurement requirements now.

Government Quantum Readiness Checklist

  • Completed cryptographic system inventory per OMB M-23-02 requirements
  • Risk prioritization completed: which systems protect the most sensitive citizen data
  • Migration roadmap developed with milestones aligned to CNSA 2.0 timeline (if applicable)
  • FISMA and FedRAMP compliance documentation updated to address quantum migration planning
  • CJIS Security Policy compliance evaluated for quantum-vulnerable encryption
  • ICS/SCADA systems inventoried for cryptographic dependencies
  • Election infrastructure assessed for quantum-vulnerable authentication and encryption
  • Vendor PQC roadmaps collected for critical commercial software and cloud services
  • Crypto agility requirements included in IT modernization planning
  • Budget request prepared for quantum migration with risk quantification justification
  • Staff training planned for quantum-aware security practices
  • Annual reporting process established for OMB/CISA quantum migration progress (federal agencies)

Government IT Contractors: Your Agencies Are Planning PQC

As federal, state, and local agencies implement quantum migration, their IT contractors must keep pace. PTG's assessment positions your organization to meet agency PQC requirements before they appear in RFPs.

Frequently Asked Questions

Does OMB M-23-02 apply to state and local governments?

OMB M-23-02 directly applies only to federal civilian agencies. However, state and local governments that receive federal funding, participate in federal information sharing programs, or handle federal data (Medicaid, SNAP, Title IV-E, CJIS) face indirect pressure to align with federal quantum migration requirements. Additionally, StateRAMP and state-level cybersecurity frameworks will follow FedRAMP's trajectory. PTG recommends that state and local agencies voluntarily adopt the OMB M-23-02 framework (cryptographic inventory, risk prioritization, migration roadmap) as a best practice.

How does quantum migration affect FedRAMP authorization?

FedRAMP requires FIPS 140-validated cryptographic modules. As NIST's CMVP process adds PQC algorithm validations and deprecates quantum-vulnerable algorithms, FedRAMP-authorized cloud services must transition to PQC to maintain authorization. Continuous monitoring requirements under FedRAMP mean cloud providers must demonstrate ongoing cryptographic posture management. Government agencies should include PQC migration expectations in their FedRAMP authorization requirements and continuous monitoring plans.

What about CJIS compliance and quantum threats?

The CJIS Security Policy requires encryption for Criminal Justice Information (CJI) in transit and at rest, specifying FIPS 140-validated algorithms. As NIST deprecates quantum-vulnerable algorithms, CJIS compliance will require PQC. Law enforcement agencies sharing CJI through NLETS, NCIC, and state criminal justice networks must plan for PQC migration across these shared infrastructure systems. PTG's government quantum risk assessment includes CJIS-specific analysis for law enforcement agencies.

How do government agencies fund quantum migration?

Federal agencies can fund quantum migration through existing IT modernization budgets, the Technology Modernization Fund (TMF), and the Federal Civilian Executive Branch Cybersecurity Fund. For state and local governments, the State and Local Cybersecurity Grant Program (SLCGP, authorized by the Infrastructure Investment and Jobs Act) provides cybersecurity funding that can include quantum migration. PTG helps government organizations build budget justifications with risk quantification that meets OMB, state legislature, or city council approval requirements.

Are government IT contractors required to implement PQC?

Government IT contractors must meet the cryptographic requirements specified in their contracts. For federal contractors, FISMA and NIST SP 800-171 require FIPS-validated cryptography. As these frameworks incorporate PQC requirements, contractor obligations follow. CNSA 2.0 directly applies to contractors delivering to National Security Systems. For state and local government contractors, requirements vary by jurisdiction but increasingly mirror federal standards. Contractors who proactively adopt PQC position themselves competitively for contracts that will require it.

How does quantum risk affect smart city and IoT initiatives?

Smart city initiatives (intelligent transportation, smart grid, public safety networks, environmental monitoring) deploy IoT devices with embedded cryptography that is quantum-vulnerable. These devices often have limited processing power and cannot support PQC algorithm key sizes. Government agencies planning smart city deployments should require PQC-capable encryption in procurement specifications. For deployed IoT systems, compensating controls (PQC-encrypted gateways, network segmentation) mitigate risk until devices can be replaced.

What is the timeline for state-level quantum migration requirements?

No state has yet enacted quantum-specific cybersecurity legislation. However, states with strong cybersecurity postures (New York, California, Massachusetts, Texas) will likely follow federal guidance within 2-3 years of NIST finalizing PQC validation processes. State CISOs are already discussing quantum migration in the Multi-State Information Sharing and Analysis Center (MS-ISAC). Early movers will be positioned as models; late movers will face compressed timelines. PTG recommends beginning the cryptographic inventory and risk assessment now, regardless of when state mandates arrive.

How does PTG support government procurement requirements for quantum assessments?

PTG is structured to meet government procurement requirements. We provide GSA Schedule pricing compatibility, detailed Statements of Work (SOW) aligned to government contracting formats, Past Performance documentation, and deliverables that meet government documentation standards. CEO Craig Petronella holds CMMC-RP and CCA credentials, demonstrating validated government cybersecurity expertise. Our assessment methodology aligns with NIST frameworks and produces deliverables that satisfy OMB, CISA, and agency-specific reporting requirements.

Should election systems be prioritized for quantum migration?

Election infrastructure should be assessed for quantum risk but prioritized based on actual cryptographic exposure. Voting machines that are air-gapped during voting have limited quantum attack surface. However, voter registration databases, election results transmission systems, campaign finance platforms, and post-election audit systems all use network encryption that is quantum-vulnerable. The integrity of democratic processes depends on public trust in these systems. PTG recommends including election infrastructure in the broader government quantum readiness assessment.

What does a government quantum risk assessment cost?

Pricing depends on agency size, system complexity, and the number of compliance frameworks involved. Federal agencies with OMB M-23-02 reporting requirements need more comprehensive deliverables than state agencies beginning initial assessment. PTG's initial consultation is free, and we provide a detailed SOW after the scoping call. We structure engagements to deliver incrementally, so agencies see value from each phase before committing to the next. Multi-year migration programs can be structured to align with government fiscal year budget cycles.

Ready to Assess Your Government Quantum Risk?

Federal mandates are in place. State requirements are coming. Citizen data deserves quantum-safe protection now. PTG's free consultation scopes your environment and maps the migration to your compliance requirements.