CISA moves forward with post-quantum ‘musts’ in cyber

Government contractors need to get ahead of the new federal IT requirements around quantum or they risk being left behind, writes Morgan Hecht, a market intelligence analyst with immixGroup.

For years, government agencies have advised vendors to integrate cybersecurity in any IT solutions used by the federal government. Since 2019, incorporating agile and DevSecOps practices has gradually become the standard for federal software acquisition, driven by the need for secure-by-design development and continuous security integration. Today, the emergence of new cyber threats enabled by quantum computing will make that integration even more critical.

As new post-quantum cryptography (PQC) standards emerge, vendors and system integrators will need to be prepared to meet new federal requirements and navigate approved product lists to ensure compliance and maintain eligibility for government procurement.

If they haven’t done so already, vendors need to develop a roadmap for getting products to PQC readiness, or they stand to be excluded from important and lucrative contracts.

New category and product lists

Two lists developed by the Cybersecurity and Infrastructure Security Agency will shape new federal requirements around PQC-enabled solutions. This December, CISA will issue an initial PQC category list. This list, developed in cooperation with the Advanced Technology Academic Research Center, will outline the criteria for PQC-enabled products and establish standards across different technology verticals, including data management, networking and enterprise endpoint security. Following the release of that list, CISA will issue a separate list of specific PQC-enabled and interoperable products approved for procurement. Though details on the submission process and timeline for the product list are still being developed, it will soon be essential for vendors to align their products with the criteria and products on these lists to demonstrate compliance for emerging federal mandates and to remain eligible for future procurement opportunities.



These actions follow from a June 2025 Executive Order, requiring greater, and immediate, emphasis on PQC, in anticipation of “Q-Day” — the point when quantum computers are expected to be able to break most current cryptographic algorithms.

The concern over quantum threats is a bipartisan issue. U.S. Sen. Mark Warner (D-Virginia) has been quoted as saying that quantum technology is “our generation’s Sputnik moment,” and that “it’s not a race we can afford to lose.” White House Office of Science and Technology Policy Director Michael Kratsios has called the U.S. efforts in quantum technology “a national security imperative.” Kratsios recently promoted the administration’s $42 billion Tech Prosperity Deal with the United Kingdom to cooperatively develop fast-growing technologies, including quantum, AI and nuclear.

After CISA releases the product category list in December, it will create a list of actual PQC-enabled products. By some early reports, the list will focus on products for use by federal civilian agencies, rather than products used by intelligence agencies and the National Security System.

Only products in general availability, not demo or beta versions, will be eligible for inclusion on the list. The products must also be ready for integration by multiple vendors and must be interoperable with other products already in use by the federal government.

Growing importance

The new CISA lists follow a June 2025 Executive Order, but momentum around quantum has been growing among agency officials and lawmakers alike since the passage of the National Quantum Initiative (NQI) Act in 2018.

Under the coordinated strategy established by the NQI, several federal agencies have been working to establish quantum-based research centers and development programs with the National Science and Technology Council (NSTC) to advance U.S. leadership and accelerate adoption of quantum technologies. In 2022, the Department of Energy established five National Quantum Information Science Research Centers (NQISRCs) to promote research around quantum computing and networking, while the Army designated its Combat Capabilities Development Command (DEVCOM) Research Laboratory as a Quantum Information Science Research Center for the Department of Defense in 2023.

The imminent threat posed by rogue actors with access to quantum computers is making PQC adoption more urgent. New government contracts will likely require PQC to be a part of procured products, while older contracts will need to be updated to ensure legacy products are upgraded.

Vendors that are slow to adopt PQC may not only lose their competitive edge; they may be completely excluded from federal contracts. Those that are proactive will have a competitive advantage.

This demand for PQC readiness is especially significant for vendors serving critical infrastructure sectors like finance, healthcare, and telecommunications due to the severe consequences of quantum-enabled attacks. 

Abiding by CISA's PQC vendor requirements

What must vendors do now to make sure they can meet the upcoming PQC requirements? Most urgently, they should:

Have a quantum-readiness roadmap. Vendors need to be clear about their plans for migrating to PQC. This will be fundamental to any ongoing work done by vendors for agencies as wide-reaching as CISA, the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), among others.

Focus on agile development. Vendors must be prepared to use crypto agility to rapidly switch out algorithms across their inventory. The sooner this work begins, the easier it will be to transition to PQC standards instead of having to “boil the ocean” and create that flexibility all at once.

Collaborate on “Secure by Design” integration. Conversations around cybersecurity have long stressed that security measures must be “baked-in,” not bolted on, to products sold to the federal government. This mantra has gone from advice to a guideline, codified as a practice now referred to as “Secure by Design.” Vendors must work with agencies to ensure that cryptographic platforms and products integrate PQC from the start.

Enable product interoperability. PQC-enabled products must be interoperable with other federal government systems if they are to be included on CISA's upcoming PQC product lists. No agency is going to want to create solutions that don’t have interoperability with products it’s already procured.

Help ensure general availability. Remember that to be included in product lists created by CISA, products cannot be in a demo or testing phase. They must be generally available and ready for deployment across multiple customers to qualify.

Last word for vendors

This imperative for PQC-compliant products is not a drill. CISA is required by executive order to release lists of product categories that support PQC. Vendors without PQC-enabled products are likely to be excluded from doing further business with the government. It’s important to act now to take advantage of the opportunities being crafted across federal agencies.


Morgan Hecht is a market intelligence analyst for immixGroup, part of Arrow Electronics’ public sector business. immixGroup delivers mission-driven results through innovative technology solutions for public sector IT. Visit immixGroup.com for more information. Reach out to us at immixGroup for more details surrounding PQC and how it may affect your IT products going forward.