When and how should government contractors prepare for post-quantum cryptography requirements? 2026
GSA requires contractors to begin PQC migration planning by Dec 31, 2026; implement crypto-agility by Dec 31, 2028 or risk ineligibility for new federal awards.
What Is When and how should government contractors prepare for post-quantum cryptography requirements? and Who Does It Affect?
What is When and how should government contractors prepare for post-quantum cryptography requirements??
Background and context: federal PQC timelines and standards
How do contractors comply with When and how should government contractors prepare for post-quantum cryptography requirements??
Requirements and implementation: what to change in systems, contracts, and proposals
Important Note
Start your crypto inventory now. Prioritize assets exposing PKI/TLS, VPNs, code-signing, and firmware; these commonly account for 70β90% of migration effort. Early inventories reduce testing costs and subcontract flow-down friction.
- 1
Step 1: Assess (By June 30, 2026)
Per FAR 52.204-21 and NIST guidance, inventory all cryptographic uses, keys, and endpoints. Identify COTS dependencies and embedded devices; record key sizes and algorithms.
- 2
Step 2: Plan (By December 31, 2026)
According to GSA guidelines, contractors must produce a PQC migration plan with timelines, budgets ($50Kβ$250K for medium systems), and acceptance tests mapped to NIST test vectors.
- 3
Step 3: Test (By June 30, 2027)
Per NCCoE migration playbooks, implement hybrid PQC/TLS in test environments, run interoperability tests, and update SSPs and POA&Ms.
- 4
Step 4: Implement (By December 31, 2028)
Under OMB M-25-21, agencies will require crypto-agile systems in production; deploy PQC-capable solutions, update documentation, and obtain FedRAMP or CMMC attestations where required.
What happens if contractors don't comply?
Best practices for proposals, engineering, and supplier management
"Agencies and industry must act now: migrate, test, and build crypto-agility into acquisitions to mitigate the long-term risk posed by quantum-capable adversaries."
The Challenge
Needed PQC-capable TLS and firmware signing migration to meet a DoD RFP requirement within 9 months; lacked inventory and a test harness.
Outcome
Won a $4.2M DoD contract, priced 18% below competing offers and met DoD acceptance criteria during OT, improving past performance rating.
- Deadline: Start a full crypto inventory by June 30, 2026 and deliver a migration plan by December 31, 2026 per GSA and NIST guidance (FAR deliverable).
- Budget: Allocate $50,000β$250,000 per medium system for PQC testing and vendor upgrades; plan $115,000 for labs/3rd-party testing as shown in case study.
- Action: Register PQC deliverables in SAM.gov and update subcontract flow-downs 90 days before solicitation close to ensure compliance with acquisition clauses.
- Risk: Non-compliance can result in ineligibility for new awards, contract price adjustments, or debarment processes per OMB and FAR authorities (effective deadlines: Dec 31, 2028).
Sources & Citations
Ready to Win Government Contracts?
Join thousands of businesses using Gov Contract Finder to discover and win federal opportunities.
Related Articles
What Does Oracle's $400M Governmentwide HR System Contract Mean for Federal IT Vendors in 2026?
Oracle's $400M Core HCM award shifts federal HR work from standalone software to integration, migration, and security services for vendors and subs.
Read more βWhat Should Contractors Do When an Agency Announces a Sole-Source Award in 2026?
Review the justification, confirm whether FAR 6.302-1 applies, watch the protest clock, and pivot quickly to teaming or the follow-on competition.
Read more βWhat Did GAO Find Wrong With Texas Detention Facility Contracts in 2026?
GAO found DHS and ICE failed to document, inspect, and track Texas detention contracts consistently, creating major risk as billions in new spending expands.
Read more β