The Federal Government Just Put a Clock on Quantum Security
CISA Acting Director Madhu Gottumukkala did not soften the message. “The advent of quantum computing poses a real and urgent threat to the confidentiality, integrity, and accessibility of sensitive data,” he said on January 30, 2026, announcing new federal procurement mandates for post-quantum cryptography (PQC).
The guidance stems from President Trump’s Executive Order 14306, signed in June 2025. The directive is blunt: when a product category appears on CISA’s published list as having widely available PQC capabilities, federal agencies must procure only quantum-resistant products in that category. No exceptions. No phase-in.
What the Mandate Requires
CISA, working with the National Security Agency (NSA), published a list of hardware and software product categories where quantum-resistant alternatives already exist. Vendors selling to the federal government now face a binary choice — support PQC standards or lose access to the largest technology buyer on the planet.
The technical foundation rests on NIST’s finalized PQC standards from August 2024: FIPS 203 (ML-KEM) for general encryption, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) as a backup signature scheme. NIST selected HQC as an additional key encapsulation mechanism in March 2025, with a draft standard expected in early 2026 and finalization by 2027.
Key deadlines: TLS 1.3 adoption required by January 2, 2030. Full deprecation of quantum-vulnerable algorithms by 2035. The Office of the National Cyber Director projects the total government-wide migration cost at approximately $7.1 billion.
Follow the Money
The timing tracks. Quantum computing companies raised $3.77 billion in equity funding during the first nine months of 2025 — nearly triple the $1.3 billion raised in all of 2024. Q1 2025 alone pulled in over $1.25 billion, a 128% year-over-year surge.
PsiQuantum hit a $7 billion valuation after a $1 billion Series E led by BlackRock, Temasek, and Baillie Gifford. Government commitments globally reached $10 billion by April 2025, anchored by Japan’s $7.4 billion pledge. The market is projected to hit $20.2 billion by 2030 at a 41.8% CAGR. As we previously reported, quantum computing could break Bitcoin and change the future of crypto — and this mandate signals Washington agrees the timeline is accelerating.
The Threat Is Not Theoretical
New algorithmic improvements revealed in 2025 reduced the hardware requirements for breaking encryption by approximately 95% — where previous estimates suggested 20 million physical qubits, researchers now believe fewer than one million qubits could crack current encryption in less than a week. The security community calls the active threat “harvest now, decrypt later”: nation-states stockpiling encrypted government, financial, and health data today, betting they can crack it once quantum hardware matures.
Laterstack Editorial Take
Laterstack exists to sharpen critical thinking by connecting tech, policy, and power to everyday life — across class, industry, and influence. This mandate tells you everything about the real threat timeline if you read it correctly. Washington does not issue procurement mandates for science fiction. The lawmakers who signed Executive Order 14306 and the defense contractors scrambling to comply know the harvest-now-decrypt-later window is not 2035 — it is the last decade of data already sitting in adversary hands. The question for every CISO, every appropriations committee member, and every CEO selling to the federal government: who benefits from the migration timeline being this slow?
What This Means for Everyday People
If your bank, hospital, or cloud provider sells to the federal government — and most major ones do — they are now on the clock to upgrade their encryption. Every system that touches federal data must go quantum-resistant. That includes the infrastructure protecting your health records, financial transactions, and personal data. The Bitcoin selloff driven by tariff fears already showed how fragile digital financial systems are to external shocks. Quantum decryption would be orders of magnitude worse.
The Bottom Line
Washington does not mandate standards for hypothetical threats. The money is moving. The standards are finalized. The mandate is live. Post-quantum cryptography just shifted from a research project to a compliance requirement.
What is post-quantum cryptography and why does it matter now?
Post-quantum cryptography (PQC) uses encryption algorithms designed to resist attacks from quantum computers. It matters now because nation-states are already harvesting encrypted data with plans to decrypt it once quantum hardware matures — a strategy called “harvest now, decrypt later.”
When must federal agencies switch to quantum-resistant encryption?
Under Executive Order 14306, federal agencies must immediately procure quantum-resistant products in categories where CISA has identified widely available PQC options. TLS 1.3 adoption is required by January 2, 2030, with full migration to quantum-resistant cryptography by 2035.
How much has quantum computing funding grown?
Quantum computing companies raised $3.77 billion in equity funding during the first nine months of 2025, nearly triple the $1.3 billion raised in all of 2024. The global quantum computing market is projected to reach $20.2 billion by 2030.