Pentagon Issues New Post-Quantum Cryptography Directive for Defense Contractors

DefenseScoop· July 10, 2026

The Department of Defense has released a new Post-Quantum Cryptography (PQC) Strategy that aims to integrate quantum-resistant requirements into the Cybersecurity Maturity Model Certification (CMMC) program. This directive mandates that all department systems support PQC by 2030 and fully employ it by 2031, requiring the defense industrial base to migrate alongside the military to ensure interoperability. The shift represents a significant evolution in cybersecurity standards for contractors, who must now prepare for more stringent encryption protocols to protect sensitive information against future quantum-based threats.

The Pentagon’s 25-page strategy, published in June, outlines a comprehensive roadmap for defending department systems and the defense industrial base (DIB) against quantum computing capabilities that could bypass modern encryption. Under the plan, the DOD intends to update CMMC requirements to include quantum-resistant algorithms, while also adding PQC to access control, zero trust, and software development platforms. While the broad deadline for system support is set for the end of 2030, experts like Jacob Horne of Summit 7 suggest the department could enforce PQC compliance sooner by utilizing "organizationally defined values" within existing NIST cryptographic standards to specify PQC in contract clauses.

The transition coincides with the rollout of CMMC Revision 3, which the Defense Department formally initiated in late 2025. Thomas Graham, chief information security officer at Redspin, notes that Revision 3 reorganizes security controls for Level 2 assessments and introduces dozens of parameters that require contractors to make more deliberate, documented security decisions. This update provides the mechanism for the DOD to specify PQC requirements in contract clauses without waiting for a full federal rulemaking cycle, which typically takes months or years to finalize, though the department must still publish proposed changes for public comment for full enforcement.

Despite the strategic push, industry experts warn that the defense industrial base remains largely unprepared for the technical challenges of PQC migration. Michael Gruden, a cybersecurity lawyer at Crowell & Moring, highlighted that early attempts to implement NIST’s quantum standards have frequently interrupted operations and broken existing infrastructure. Many contractors are currently focused on the immediate transition to CMMC Revision 3, leaving little bandwidth for the complex overhaul required by quantum-resistant technology. Consequently, while the DOD is pushing for rapid adoption, experts expect PQC implementation to follow a multi-year cycle to avoid widespread disruption across the defense supply chain.

Read the full story at DefenseScoop

Summary generated by RabbitReport AI from public reporting. The full article and original reporting belong to DefenseScoop.