Key Takeaways
- The DoD’s new Post‑Quantum Cryptography (PQC) Strategy, released in June, mandates that all department systems support PQC by the end of 2030 and employ it by the end of 2031.
- The strategy explicitly calls for updating the Cybersecurity Maturity Model Certification (CMMC) framework to include quantum‑resistant requirements for contractors handling DOD information.
- Updates to CMMC will be introduced through the forthcoming Revision 3, which adds organization‑defined values that allow the DoD to specify PQC without waiting for a full NIST standards overhaul.
- Experts warn that the defense industrial base is currently unprepared; many contractors are still focusing on the transition to CMMC Revision 3 and have only begun early discussions about PQC.
- Implementing PQC will likely require a multi‑year effort, as both the technology and industry readiness are still maturing, and any near‑term mandates would be limited to selected contract clauses rather than a blanket rule.
Overview of the DoD Post‑Quantum Cryptography Strategy
The Department of Defense released a 25‑page Post‑Quantum Cryptography (PQC) Strategy in June that outlines how the department intends to protect its own information systems from future quantum‑based attacks while simultaneously urging the defense industrial base (DIB) to follow suit. The strategy emphasizes a department‑wide migration to quantum‑resistant algorithms, setting a deadline that every DOD system must support PQC by the end of 2030 and actually employ it before the end of 2031. In addition to securing internal networks, the plan calls for updating the Cybersecurity Maturity Model Certification (CMMC) framework so that contractors must also adopt PQC‑compliant controls when handling DOD data.
Integration of PQC into CMMC and Revision 3
To achieve the PQC migration, the DoD plans to amend CMMC with requirements based on quantum‑resistant algorithms. The upcoming CMMC Revision 3 will introduce “organizationally defined values” that enable the department to plug in specific PQC parameters without waiting for NIST to rewrite the entire cybersecurity framework. As Jacob Horne, chief cybersecurity evangelist for Summit 7, explained, these values work like cyber‑requirement “Mad Libs”: NIST states that encryption must be used, but the DoD can fill in the exact algorithm details. This mechanism allows the DoD to tailor PQC expectations for individual contracts while still leveraging the existing CMMC structure.
Implementation Challenges for the Defense Industrial Base
Despite the clear policy direction, experts agree that most DIB contractors are not yet ready to meet PQC demands. Michael Gruden, a cybersecurity lawyer at Crowell & Moring, noted that many companies are only beginning to hold internal discussions about quantum‑resistant cryptography, largely because their immediate focus is on achieving compliance with CMMC Revision 3. Early adopters who have experimented with NIST’s post‑quantum algorithms have reported difficulties integrating the new controls without breaking legacy systems or interrupting operations, underscoring the technical complexity of a wholesale migration.
Expert Perspectives on the Timing and Feasibility
Thomas Graham, CISO at Redspin, emphasized that CMMC was never designed to be static; as threats evolve, so must its requirements. He welcomed the DoD’s move to embed PQC into CMMC as a logical extension of the program’s adaptive nature. Conversely, Gruden cautioned that a sudden, department‑wide PQC mandate would be unrealistic, estimating that a full rollout would likely unfold over several years and that it would be “very surprising” if industry were forced to adopt quantum‑resistant technology within the next six months. Horne added that the rulemaking process inherent to CMMC—requiring public comment and finalization—means any new PQC clauses will take months or even years to become enforceable.
Broader Context: Quantum Threats and Government Concerns
The DoD’s urgency stems from the growing recognition that sufficiently powerful quantum computers could break today’s public‑key encryption, exposing classified and controlled unclassified information. While quantum cryptography promises theoretically unbreakable communications, the immediate concern is defensive: adversaries armed with quantum algorithms could harvest encrypted data now and decrypt it later once quantum capabilities mature. By initiating a PQC migration now, the Pentagon aims to mitigate this “harvest‑now, decrypt‑later” risk and ensure that future quantum advances do not undermine the confidentiality of DIB‑hosted data.
CMMC Background and Rulemaking Process
CMMC originated as a tiered cybersecurity framework modeled after NIST standards, designed to verify that contractors possess adequate security controls before they can store or process sensitive DOD information. The program began formal enforcement in 2025 after years of negotiation and push‑back from the industrial base. Because CMMC is administered through federal rulemaking, the DoD cannot unilaterally impose new requirements; it must first publish proposed changes, solicit public comment, and then finalize the rule—a process that historically spans months or years, as seen with the original CMMC rollout.
Potential Near‑Term Actions via Contract Clauses
In the interim, the DoD may embed PQC expectations directly into individual contracts using the “organizationally defined values” permitted by CMMC Revision 3. By referencing NIST’s cryptographic baselines and specifying particular post‑quantum algorithms as contract‑specific values, the department can achieve a degree of PQC compliance without waiting for a full framework update. Horne likened this approach to filling in the blanks of a Mad Libs story: the baseline requirement (encryption) stays constant, while the DoD supplies the precise algorithm details tailored to each agreement.
Impact of Revision 3 on Compliance Effort
CMMC Revision 3 does more than add PQC placeholders; it reorganizes and consolidates numerous security controls required for Level 2 assessments, introducing dozens of new organizational defined parameters and objectives. Graham warned that this increased granularity reduces ambiguity but also raises the burden on contractors, who must now make and document more deliberate security decisions. For many small‑ and mid‑sized defense suppliers, the added complexity could strain limited compliance resources, especially as they simultaneously grapple with the fundamentals of CMMC.
Industry Readiness and Current State of PQC Solutions
Current market offerings for post‑quantum cryptography remain nascent; while several algorithms have been selected by NIST for standardization, mature, off‑the‑shelf implementations are still scarce. Gruden observed that many defense contractors lack the expertise or infrastructure to deploy these algorithms without risking system stability, and that vendors are still refining their products. Consequently, the industrial base’s readiness gap is not merely a matter of willingness but also of technological maturity—both the cryptographic primitives and the surrounding toolchains need further development before widespread commercial validation.
Looking Ahead: Timeline and Recommendations
Given the uncertainties, a pragmatic path forward involves a staggered, multi‑year implementation. Contractors should begin by inventorying their cryptographic assets, assessing which systems rely on vulnerable public‑key schemes, and piloting PQC candidates in non‑production environments. Engaging with third‑party assessors familiar with both CMMC and emerging quantum‑resistant standards can help identify gaps early. While the DoD’s 2030/2031 targets provide a long‑term horizon, proactive steps taken now will position the defense industrial base to meet forthcoming PQC requirements without disruptive, last‑minute overhauls.

