When and how should government contractors prepare for post-quantum cryptography requirements? 2026

What Is When and how should government contractors prepare for post-quantum cryptography requirements? and Who Does It Affect?

What is When and how should government contractors prepare for post-quantum cryptography requirements??

GSANIST

According to GSA and NIST, PQC preparation means inventorying cryptographic assets, adopting crypto-agility, testing candidate algorithms, and updating acquisition documents. Per NIST’s fourth-round status and DHS memo, planning must start by December 31, 2026 with implementation milestones through December 31, 2028 to remain eligible for federal awards.

Sources: [1] Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process, [2] Session VII – NIST 6th PQC Standardization Conference NIST Cybersecurity Whitepaper 39

Background and context: federal PQC timelines and standards

$789B

FY2026 federal IT spending (OMB)

Source: Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process

How do contractors comply with When and how should government contractors prepare for post-quantum cryptography requirements??

GSANISTFAR

According to GSA and NIST guidance, contractors must: 1) conduct a full crypto inventory by June 30, 2026; 2) deliver a migration plan by December 31, 2026; 3) implement hybrid PQC/TLS in test environments by June 30, 2027; final crypto-agility by December 31, 2028. Budget $50K–$250K for medium systems.

Sources: [1] Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process, [4] Migration to Post-Quantum Cryptography | NCCoE

Requirements and implementation: what to change in systems, contracts, and proposals

Important Note

Start your crypto inventory now. Prioritize assets exposing PKI/TLS, VPNs, code-signing, and firmware; these commonly account for 70–90% of migration effort. Early inventories reduce testing costs and subcontract flow-down friction.

1
Step 1: Assess (By June 30, 2026)
Per FAR 52.204-21 and NIST guidance, inventory all cryptographic uses, keys, and endpoints. Identify COTS dependencies and embedded devices; record key sizes and algorithms.
2
Step 2: Plan (By December 31, 2026)
According to GSA guidelines, contractors must produce a PQC migration plan with timelines, budgets ($50K–$250K for medium systems), and acceptance tests mapped to NIST test vectors.
3
Step 3: Test (By June 30, 2027)
Per NCCoE migration playbooks, implement hybrid PQC/TLS in test environments, run interoperability tests, and update SSPs and POA&Ms.
4
Step 4: Implement (By December 31, 2028)
Under OMB M-25-21, agencies will require crypto-agile systems in production; deploy PQC-capable solutions, update documentation, and obtain FedRAMP or CMMC attestations where required.

What happens if contractors don't comply?

DoDGSAOMB

DoD and civilian agencies may exclude non-compliant offers from evaluations, with potential contract price adjustments or debarment processes per OMB and FAR authorities. According to DHS and GSA guidance, firms that fail to demonstrate migration plans by agency deadlines (December 31, 2026 planning, December 31, 2028 implementation) risk losing eligibility for new awards and may face increased oversight.

Sources: [3] Memorandum on Preparing for Post-Quantum Cryptography | Homeland Security, [1] Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process

Best practices for proposals, engineering, and supplier management

"Agencies and industry must act now: migrate, test, and build crypto-agility into acquisitions to mitigate the long-term risk posed by quantum-capable adversaries."
NIST PQC Migration Project Team,NIST PQC Migration Guidance
Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process

The Challenge

Needed PQC-capable TLS and firmware signing migration to meet a DoD RFP requirement within 9 months; lacked inventory and a test harness.

Outcome

Won a $4.2M DoD contract, priced 18% below competing offers and met DoD acceptance criteria during OT, improving past performance rating.

Source: Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process

Deadline: Start a full crypto inventory by June 30, 2026 and deliver a migration plan by December 31, 2026 per GSA and NIST guidance (FAR deliverable).
Budget: Allocate $50,000–$250,000 per medium system for PQC testing and vendor upgrades; plan $115,000 for labs/3rd-party testing as shown in case study.
Action: Register PQC deliverables in SAM.gov and update subcontract flow-downs 90 days before solicitation close to ensure compliance with acquisition clauses.
Risk: Non-compliance can result in ineligibility for new awards, contract price adjustments, or debarment processes per OMB and FAR authorities (effective deadlines: Dec 31, 2028).

Sources & Citations

1. Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process [Link ↗](government site)

2. Session VII – NIST 6th PQC Standardization Conference NIST Cybersecurity Whitepaper 39 [Link ↗](government site)

3. Memorandum on Preparing for Post-Quantum Cryptography | Homeland Security [Link ↗](government site)

What Is When and how should government contractors prepare for post-quantum cryptography requirements? and Who Does It Affect?

What is When and how should government contractors prepare for post-quantum cryptography requirements??

GSANIST

Background and context: federal PQC timelines and standards

$789B

FY2026 federal IT spending (OMB)

Source: Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process

How do contractors comply with When and how should government contractors prepare for post-quantum cryptography requirements??

GSANISTFAR

Sources: [1] Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process, [4] Migration to Post-Quantum Cryptography | NCCoE

Requirements and implementation: what to change in systems, contracts, and proposals

Important Note

1
Step 1: Assess (By June 30, 2026)
Per FAR 52.204-21 and NIST guidance, inventory all cryptographic uses, keys, and endpoints. Identify COTS dependencies and embedded devices; record key sizes and algorithms.
2
Step 2: Plan (By December 31, 2026)
According to GSA guidelines, contractors must produce a PQC migration plan with timelines, budgets ($50K–$250K for medium systems), and acceptance tests mapped to NIST test vectors.
3
Step 3: Test (By June 30, 2027)
Per NCCoE migration playbooks, implement hybrid PQC/TLS in test environments, run interoperability tests, and update SSPs and POA&Ms.
4
Step 4: Implement (By December 31, 2028)
Under OMB M-25-21, agencies will require crypto-agile systems in production; deploy PQC-capable solutions, update documentation, and obtain FedRAMP or CMMC attestations where required.

What happens if contractors don't comply?

DoDGSAOMB

Sources: [3] Memorandum on Preparing for Post-Quantum Cryptography | Homeland Security, [1] Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process

Best practices for proposals, engineering, and supplier management

"Agencies and industry must act now: migrate, test, and build crypto-agility into acquisitions to mitigate the long-term risk posed by quantum-capable adversaries."
NIST PQC Migration Project Team,NIST PQC Migration Guidance
Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process

The Challenge

Needed PQC-capable TLS and firmware signing migration to meet a DoD RFP requirement within 9 months; lacked inventory and a test harness.

Outcome

Won a $4.2M DoD contract, priced 18% below competing offers and met DoD acceptance criteria during OT, improving past performance rating.

Source: Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process

Deadline: Start a full crypto inventory by June 30, 2026 and deliver a migration plan by December 31, 2026 per GSA and NIST guidance (FAR deliverable).
Budget: Allocate $50,000–$250,000 per medium system for PQC testing and vendor upgrades; plan $115,000 for labs/3rd-party testing as shown in case study.
Action: Register PQC deliverables in SAM.gov and update subcontract flow-downs 90 days before solicitation close to ensure compliance with acquisition clauses.
Risk: Non-compliance can result in ineligibility for new awards, contract price adjustments, or debarment processes per OMB and FAR authorities (effective deadlines: Dec 31, 2028).

Sources & Citations

1. Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process [Link ↗](government site)

2. Session VII – NIST 6th PQC Standardization Conference NIST Cybersecurity Whitepaper 39 [Link ↗](government site)

3. Memorandum on Preparing for Post-Quantum Cryptography | Homeland Security [Link ↗](government site)

What Is When and how should government contractors prepare for post-quantum cryptography requirements? and Who Does It Affect?

What is When and how should government contractors prepare for post-quantum cryptography requirements??

Background and context: federal PQC timelines and standards

How do contractors comply with When and how should government contractors prepare for post-quantum cryptography requirements??

Requirements and implementation: what to change in systems, contracts, and proposals

Important Note

Step 1: Assess (By June 30, 2026)

Step 2: Plan (By December 31, 2026)

Step 3: Test (By June 30, 2027)

Step 4: Implement (By December 31, 2028)

What happens if contractors don't comply?

Best practices for proposals, engineering, and supplier management

The Challenge

Outcome

Sources & Citations

Tags

Ready to Win Government Contracts?

Related Articles

What must vendors do to comply with NIST’s updated security checklist guidance (Revision 5) for IT products? 2026

How will draft White House policies limiting contractors' control over AI use affect contract terms and IP negotiations? 2026

How will the shortage of CMMC third-party assessors affect my certification timeline and costs? 2026

What Is When and how should government contractors prepare for post-quantum cryptography requirements? and Who Does It Affect?

What is When and how should government contractors prepare for post-quantum cryptography requirements??

Background and context: federal PQC timelines and standards

How do contractors comply with When and how should government contractors prepare for post-quantum cryptography requirements??

Requirements and implementation: what to change in systems, contracts, and proposals

Important Note

Step 1: Assess (By June 30, 2026)

Step 2: Plan (By December 31, 2026)

Step 3: Test (By June 30, 2027)

Step 4: Implement (By December 31, 2028)

What happens if contractors don't comply?

Best practices for proposals, engineering, and supplier management

The Challenge

Outcome

Sources & Citations

Tags

Ready to Win Government Contracts?

Related Articles

What must vendors do to comply with NIST’s updated security checklist guidance (Revision 5) for IT products? 2026

How will draft White House policies limiting contractors' control over AI use affect contract terms and IP negotiations? 2026

How will the shortage of CMMC third-party assessors affect my certification timeline and costs? 2026