Pentagon sets 2030, 2031 PQC deadlines for contractors
Quantum planning became contract hygiene, and the painful part is the inventory of every module, product and supplier claim.
TL;DR
Inside Cybersecurity reports the Defense Department released a post-quantum cryptography (PQC) strategy requiring all DoD systems to support PQC by Dec. 31, 2030, and use it by Dec. 31, 2031. Executive Order 14409 directs covered federal contractors to meet National Institute of Standards and Technology Federal Information Processing Standards by the 2030 date. For defense-industrial-base primes and subs, the work is inventory, validation and supplier evidence, with missed dependencies carrying contract-compliance, rejection and future-procurement risk. The civilian-agency contractor timeline remains unresolved.
Inside Cybersecurity reports that the Defense Department (DoD) has published a post-quantum cryptography (PQC) transition strategy with five lines of effort and, more importantly, dates. By Dec. 31, 2030, all DoD systems must support PQC or be phased out. By Dec. 31, 2031, all DoD systems must use PQC unless the strategy says otherwise. National Security Systems must support the National Security Agency's (NSA) Commercial National Security Algorithm Suite 2.0.
The change is the shift from advisory posture to executable procurement pressure. The strategy assigns governance, inventory, algorithm analysis, commercial integration and deployment work, with an appendix identifying who is responsible, accountable, consulted or informed. That matters because cryptographic migration rarely works as a single product swap. It starts with finding public-key cryptography inside software, appliances, embedded components, weapon platforms, cloud services and supplier-delivered modules, then proving replacements align with National Institute of Standards and Technology (NIST) and NSA-approved algorithms.
Executive Order 14409 extends that burden to covered federal contractors. According to Inside Cybersecurity, the order gives the Federal Acquisition Regulatory Council 180 days to propose Federal Acquisition Regulation (FAR) changes requiring covered contractors to comply by Dec. 31, 2030, with NIST Federal Information Processing Standards (FIPS) incorporating PQC-compliant algorithms. It also gives the FAR Council 270 days to propose contractor vulnerability disclosure clauses that cover cryptographic vulnerabilities, missing encryption and non-FIPS algorithms.
For primes, the awkward part is evidence. A program can buy a PQC-capable component and still fail if a subcontractor’s embedded crypto, validation paperwork or protocol implementation cannot clear acceptance. The 2030 support date gives contractors a planning milestone; the 2031 use date creates a system-delivery problem. The gap between the two is where test labs, configuration managers and supplier-management teams will spend the next several years.
The open question is how far EO 14409 carries the DoD schedule into civilian procurement. The reported EO language sets a 2030 FIPS compliance date for covered contractors, while the Defense strategy sets a separate 2031 full-use date for DoD systems. Until the FAR language appears, contractors serving both defense and civilian agencies should assume the stricter evidence package will win, because contracting officers can reject systems before policy lawyers finish harmonizing timelines.
Published ·Deep Fathom