When and how should government contractors prepare for post-quantum cryptography requirements? 2026
GSA requires contractors to begin PQC migration planning by Dec 31, 2026; implement crypto-agility by Dec 31, 2028 or risk ineligibility for new federal awards.
What Is When and how should government contractors prepare for post-quantum cryptography requirements? and Who Does It Affect?
What is When and how should government contractors prepare for post-quantum cryptography requirements??
Background and context: federal PQC timelines and standards
How do contractors comply with When and how should government contractors prepare for post-quantum cryptography requirements??
Requirements and implementation: what to change in systems, contracts, and proposals
Important Note
Start your crypto inventory now. Prioritize assets exposing PKI/TLS, VPNs, code-signing, and firmware; these commonly account for 70–90% of migration effort. Early inventories reduce testing costs and subcontract flow-down friction.
- 1
Step 1: Assess (By June 30, 2026)
Per FAR 52.204-21 and NIST guidance, inventory all cryptographic uses, keys, and endpoints. Identify COTS dependencies and embedded devices; record key sizes and algorithms.
- 2
Step 2: Plan (By December 31, 2026)
According to GSA guidelines, contractors must produce a PQC migration plan with timelines, budgets ($50K–$250K for medium systems), and acceptance tests mapped to NIST test vectors.
- 3
Step 3: Test (By June 30, 2027)
Per NCCoE migration playbooks, implement hybrid PQC/TLS in test environments, run interoperability tests, and update SSPs and POA&Ms.
- 4
Step 4: Implement (By December 31, 2028)
Under OMB M-25-21, agencies will require crypto-agile systems in production; deploy PQC-capable solutions, update documentation, and obtain FedRAMP or CMMC attestations where required.
What happens if contractors don't comply?
Best practices for proposals, engineering, and supplier management
"Agencies and industry must act now: migrate, test, and build crypto-agility into acquisitions to mitigate the long-term risk posed by quantum-capable adversaries."
The Challenge
Needed PQC-capable TLS and firmware signing migration to meet a DoD RFP requirement within 9 months; lacked inventory and a test harness.
Outcome
Won a $4.2M DoD contract, priced 18% below competing offers and met DoD acceptance criteria during OT, improving past performance rating.
- Deadline: Start a full crypto inventory by June 30, 2026 and deliver a migration plan by December 31, 2026 per GSA and NIST guidance (FAR deliverable).
- Budget: Allocate $50,000–$250,000 per medium system for PQC testing and vendor upgrades; plan $115,000 for labs/3rd-party testing as shown in case study.
- Action: Register PQC deliverables in SAM.gov and update subcontract flow-downs 90 days before solicitation close to ensure compliance with acquisition clauses.
- Risk: Non-compliance can result in ineligibility for new awards, contract price adjustments, or debarment processes per OMB and FAR authorities (effective deadlines: Dec 31, 2028).
Sources & Citations
Ready to Win Government Contracts?
Join thousands of businesses using Gov Contract Finder to discover and win federal opportunities.
Related Articles
When Will Federal Agencies Need Quantum-Resistant Encryption in 2026?
Federal agencies are already migrating under OMB M-23-02; contractors need crypto-agility now, not a single future flip date.
Read more →How Should Contractors Respond to GSA's Draft AI Data Safeguarding Clause in 2026?
GSA’s draft AI safeguarding clause requires contractors to lock down prompts, outputs, training data, and subcontractor flowdowns before award.
Read more →What Acquisition Reforms Could Return in the 2027 NDAA?
Congress could revive commercial-first buying, faster software procurement, and lower-friction reviews in the 2027 NDAA, changing how DoD awards contracts.
Read more →