What should contractors do to respond to the FAA's RFI on transitioning the National Airspace System to post-quantum cryptography? 2026
GSA requires responses to the FAA PQC RFI by June 30, 2026: provide NIST-aligned migration plans, cost estimates, and test plans or risk exclusion from follow-on awards and parts of an estimated $2.3B modernization effort.
Gov Contract Finder
What Is the FAA's RFI on Transitioning the National Airspace System to Post-Quantum Cryptography and Who Does It Affect?
What should contractors do to respond to the FAA's RFI on transitioning the National Airspace System to post-quantum cryptography?
According to GSA guidance and the FAA RFI, contractors must submit technical, programmatic, and cost responses that describe a phased migration to NIST-standardized PQC algorithms, interoperability test plans, and supply-chain risk management by June 30, 2026. Per NIST, submissions should reference current PQC standards and validation plans.
According to GSA guidelines, contractors must provide a clear, phased migration roadmap that maps current cryptographic dependencies to candidate post-quantum algorithms, cost models, and test harnesses. For immediate scope, contractors should inventory cryptographic endpoints across avionics, ground systems, communications, and back-office services, quantify affected keys and certificates, and estimate rework. Per NIST PQC standardization guidance, list which round-3/standardized algorithms you will adopt and provide fallback strategies. The FAA RFI (published in the Federal Register June 2025) requests end-to-end test plans and timelines; include a schedule with milestones at 6, 12, and 24 months. Per FAR contracting rules, identify subcontracting and teaming opportunities and indicate small-business status when applicable to expedite evaluation. Include an explicit supply-chain risk-management plan referencing NIST SP 800-series practices and attestations for hardware roots of trust and crypto modules.
Per FAR 19.502, small businesses can use teaming and subcontracting to compete for larger PQC modernization work; your RFI response should state intended set-aside strategies and identify certified partners (8(a), HUBZone, WOSB, SDVOSB). The SBA reports that 78% of small contractors anticipate pursuing PQC-related work by 2027, so emphasize how your small-business status accelerates cost-effective execution. Under OMB M-25-21, agencies will prioritize modern, secure technology transitions; therefore include cost-benefit analysis and compliance alignment to OMB guidance. Include FedRAMP considerations for cloud-hosted key-management and cryptographic services, and note if you plan to pursue FedRAMP authorization or reuse authorized solutions.
The SBA reports that 78% of potential PQC vendors expect to pivot existing cryptographic services toward PQC by 2027; use that industry momentum to present credible staffing and training plans. Under OMB M-25-21, agencies will expect documented risk assessments and budget alignment; attach a short A-123-style control matrix showing how PQC migration maps to existing A-123 controls. DoD's CMMC framework requires demonstrable cybersecurity maturity for controlled unclassified information; while FAA is civilian, reference CMMC practices for supplier assurance and incident response to strengthen your supply-chain claims. Cite NIST PQC milestones and indicate planned participation in algorithm validation and interoperability test events.
How do contractors comply with the FAA's RFI on transitioning the National Airspace System to post-quantum cryptography?
According to GSA and the FAA RFI, compliance requires submitting a migration roadmap, NIST-aligned algorithm choices, interoperability test plans, and supply-chain attestations by June 30, 2026. Per NIST PQC standards, include validation and fallback testing; per FedRAMP, identify cloud-authorized key-management where applicable and budget 6–18 months for pilot validation.
According to GSA guidelines, contractors must demonstrate testable interoperability of candidate PQC algorithms within existing NAS protocols and certify that critical-path comms (radionavigation, ADS-B feeds, control links) maintain latency and reliability metrics. Per FAR requirements, include a quality-control plan that documents contract deliverables, acceptance criteria, and integration test steps with FAA system owners. Under OMB M-25-21, agencies will expect vendors to quantify cost, schedule, and security tradeoffs; provide a line-item cost estimate for algorithm substitution, cryptographic library upgrades, HSM replacements, and certificate reissuance. Reference NIST PQC validation timelines and show how your demonstration will stage pilots for low-risk subsystems first (6–12 month pilots) and high-criticality systems in a 12–36 month window.
Per FAR 19.502, small businesses can accelerate selection by highlighting teaming arrangements with certified prime contractors; list named subcontractors, their NAICS codes, and socio-economic certifications (8(a), HUBZone, SDVOSB). The SBA reports that 78% of small contractors expect PQC demand growth—use that to justify recruiting and training costs and to show labor availability. DoD's CMMC framework requires documented cybersecurity processes; although CMMC is DoD-specific, adopt CMMC practices for incident response and supply-chain verification to increase FAA confidence. Include references to past performance showing you met cryptographic upgrades on schedule and budget, with dates, contract numbers, and dollar values where allowable.
Under OMB M-25-21, agencies will require clear governance and budget authority for procurement and lifecycle support of PQC solutions; present an explicit sustainment cost by year for 3–5 years. According to GSA guidelines, quantify replacement cycles for HSMs, TLS endpoints, and PKI certificates and show software lifecycle plans including patching and algorithm agility. Include FedRAMP considerations for cloud-hosted key management and list any current FedRAMP-authorized products you plan to reuse. Per FAR contracting principles, clarify whether your response is informational (RFI) only or anticipatory of a future solicitation; disclose any conflicts and intent to form joint ventures for prime bidding.
The Challenge
Needed CMMC-equivalent supplier assurance and COTS HSM integration for avionics comms in 9 months to pursue FAA subcontracting work valued at $4.2M.
Outcome
Won a $4.2M FAA subcontract; bid was 23% lower than closest competitors due to clear roadmap and validated KMS reuse (award announced Q4 2025).
Per FAR 52.204-21 and NIST guidance, conduct a cryptographic inventory and impact assessment across NAS interfaces; identify keys, certificates, HSMs, and affected software modules within 30 days.
Step 2: Plan (30–90 days)
According to GSA guidelines, produce a phased migration roadmap with milestones at 6, 12, and 24 months, cost estimates ($50K–$500K per subsystem), and test plans aligned to NIST PQC standards.
Step 3: Team (30–120 days)
Per FAR 19.502, form teaming arrangements with qualified primes and small-business partners (8(a), HUBZone, SDVOSB) and secure C3PAO/FedRAMP partners for independent validation.
Step 4: Pilot & Test (6–18 months)
Per NIST PQC test suites, run interoperability pilots for low-risk endpoints within 6 months and expand to high-criticality systems within 12–18 months; document test results and mitigation plans.
Step 5: Execute & Sustain (12–36 months)
According to OMB M-25-21, deploy algorithm substitution in waves, replace HSMs as needed, and budget sustainment for 3–5 years including certificate reissuance and monitoring.
What happens if contractors don't comply?
According to GSA and Federal Register notice procedures, failure to respond or provide credible PQC plans by June 30, 2026, risks being excluded from follow-on FAA procurements, loss of competitive preference, and inability to access portions of an estimated $2.3B modernization program; non-compliant vendors may be removed from source lists and face debarment risks for false claims under FAR.
Deadline: June 30, 2026 for detailed RFI technical and cost responses per FAA Federal Register notice.
Budget: Plan $50,000–$500,000 per subsystem for migration and testing, according to GSA and contractor benchmarks.
Action: Register in SAM.gov and confirm socio-economic status at least 90 days before solicitation submissions.
Risk: Non-response risks exclusion from follow-on awards and loss of share in an estimated $2.3B modernization opportunity per GovTribe listing.
"The FAA seeks practical, testable PQC migration roadmaps that preserve NAS safety and availability; vendors should include interoperability test plans and supply-chain attestations in RFI responses."
Important Note
Per NIST PQC standardization, name specific algorithms you will implement, include fallback strategies, and commit to participation in interoperability events; vague commitments will be downgraded in evaluation.
Sources & Citations
1. Post Quantum Cryptography Support for FAA Information Technology and National Air Space Systems (GovTribe opportunity listing)