News · The Broadside

SIIA pushes federal PQC migration strategy before 2035

Algorithm selection is no longer the hard part; the expensive work is finding where old federal systems quietly depend on the cryptography that has to be replaced.


TL;DR

The Software & Information Industry Association released a June 9 report urging a federal post-quantum cryptography migration strategy and more cybersecurity infrastructure investment. Primes, contractors, state CISOs and C3PAOs should read the ask as a planning signal, not a procurement shortcut. NIST finalized PQC algorithms in August 2024, and federal systems face a 2035 transition goal, but SIIA’s real complaint is legacy architecture: systems built over decades cannot simply swap in new cryptography.

SIIA’s report is a trade-association push, so the usual discount applies: industry wants a strategy, investment and a clearer buying signal. But the underlying point is not marketing. NIST has already done the standards work SIIA praises, including finalizing post-quantum cryptography algorithms in August 2024. The remaining problem is uglier and more expensive: agencies and their contractors have to identify where public-key cryptography sits inside applications, products, services and operational dependencies, then change systems that were not built for easy cryptographic replacement.

That matters for federal contractors because the 2035 goal is not a cliff that appears in 2034. Multi-year programs, embedded systems, managed services, software supply chains and state or critical-infrastructure dependencies will all have to move on different timelines. SIIA points to “gather now, decrypt later” as the reason sensitive information with long-term value should move earlier. That is the legitimate urgency: encrypted data stolen today may still be useful when quantum-capable decryption becomes practical.

The report also names the part procurement slogans usually skip. Many public-sector systems were assembled over decades, with new layers stacked on old ones. SIIA says those systems are often not modular, so replacing encryption schemes may require broader redesign rather than a clean library update. That is where primes, subcontractors and assessors should spend attention now: cryptographic inventory, dependency mapping, vendor commitments and architecture changes that make later replacement survivable.

The Senate bill SIIA cites, introduced by Sens. Gary Peters and Marsha Blackburn and folded into the Senate version of the National Quantum Initiative Reauthorization Act at an April 14 markup, would push a federal PQC migration strategy. Inside Cybersecurity’s account does not identify funding mechanisms for agencies and contractors, or penalties for missed interim milestones. Those omissions matter because a 2035 target without money and enforceable checkpoints is a plan in the same way a network diagram is a firewall.


Published · Deep Fathom