What the Pentagon’s new post-quantum cryptography directive means for defense contractors

What the Pentagon’s new post-quantum cryptography directive means for defense contractors

What the Pentagon’s new post-quantum cryptography directive means for defense contractors

https://defensescoop.com/2026/07/10/cmmc-pqc-requirements-defense-contractors-cybersecurity/

Publish Date: 2026-07-10 14:46:00

Source Domain: defensescoop.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

The Defense Department’s new Post-Quantum Cryptography (PQC) Strategy calls for new Cybersecurity Maturity Model Certification (CMMC) requirements that leverage quantum-resistant algorithms.

And while experts say it’s likely to be some time before updates are finalized, they stress that the defense industrial base is likely unprepared.

The Pentagon’s new 25-page strategy published in June largely focuses on defending its own systems against quantum threats by initiating a PQC migration, but the document also urges the defense industrial base to move with the department. Among the multiple deadlines and milestones outlined in the plan, the DOD notes that it will update CMMC with requirements based on PQC.

“To ensure the security of [Department of War] information hosted on DIB systems, the DoW will ensure that the DIB migrates to PQC across the enterprise. The DoW will also collaborate with DIB partners to ensure interoperability during the migration to PQC,” the strategy states, using an alternative name for the Defense Department.

The document adds that along with new CMMC requirements and updated external certificate authorities, the Pentagon will also add quantum-resistance to access control, zero trust and software development platforms.

However, details as to how and when the Pentagon will begin enforcing PQC compliance are scarce, creating several uncertainties for the defense industrial base. Broadly, the strategy states that every DOD system must support PQC by the end of 2030, and employ PQC before the end of 2031.

Although quantum computing is relatively nascent, leaders across the U.S. government have raised concerns about how the technology could be exploited by adversaries in the future. Capabilities like quantum algorithms could easily bypass modern encryption, while quantum cryptography can create nearly impenetrable networks and databases.

And given the Pentagon’s work to ensure defense contractors have proper cybersecurity controls on their own networks, experts asserted that the move to introduce PQC into CMMC isn’t out of left field.

“The department’s strategy reinforces an important point: CMMC was never intended to remain static. As cybersecurity threats evolve, the requirements will evolve as well,” Thomas Graham, chief information security officer at Redspin, told DefenseScoop.

After years of controversy and back-and-forth with the defense industrial base, the Pentagon began enforcing CMMC compliance in 2025. The program established a tiered cybersecurity framework based on standards established by the National Institute of Standards and Technology and requires contractors to prove they have adequate security controls on their networks in order to store sensitive DOD information.

Because CMMC is managed through the federal rulemaking procedure, the Pentagon does not have authority to fully enforce new regulations without first publishing proposed changes for public comment and then finalizing the rule, according to Jacob Horne, chief cybersecurity evangelist for Summit 7. That process can take months or even years, as was the case with CMMC.

There is a possibility that the department could tailor some requirements to include PQC in contract clauses in the near term, Horne explained.

“Since those clauses point to cyber requirement baselines maintained by NIST, the DoD can only tweak the details by specifying organizationally defined values for those baselines,” he told DefenseScoop. “Think of these like cyber requirement Mad Libs. NIST says encryption must be used but leaves the specific details up to organizations finalizing the details.”

The U.S. government has set different values for NIST’s cryptographic standards in the past, meaning the Pentagon could require PQC for CMMC compliance in some contracts without NIST modifying the entire cybersecurity framework, he added.

The ability to use defined values will be made possible under the forthcoming CMMC update, known as Revision 3. After months of waiting, the Defense Department issued an amendment formally initiating the transition to Revision 3 on Wednesday, with expectations that it will begin enforcing new CMMC guidelines in the coming weeks.

Along with introducing the option to leverage quantum standards for defined values, Revision 3 also reorganizes and consolidates multiple security controls required for CMMC Level 2 assessments — potentially making compliance more difficult for the industrial base, Graham said.

“In fact, [Revision 3] introduces dozens of organizational defined parameters and more objectives, reducing ambiguity and requiring organizations to make, and document, more deliberate security decisions,” he noted.

Despite the possibility of introducing PQC requirements, it is unlikely that they will be immediately used across all of the Defense Department’s contracts. There has been a significant readiness gap within the industrial base to prepare for CMMC compliance writ large, and tacking quantum-resistant capabilities would be a huge lift for industry.

Michael Gruden, cybersecurity lawyer at Crowell & Moring, said many companies are only just beginning to have early discussions about potential PQC requirements within their environment — largely because they have been focused on preparing for the transition to Revision 3.

Furthermore, clients who have begun implementing NIST’s quantum cryptographic standards struggled to do so without breaking their infrastructure and interrupting operations, he added.

“The fact that we’re seeing this sort of charge to implement [PQC] within CMMC would come as a shock to the broader defense industrial base, and I do not think that the majority would be ready at this point,” Gruden said in an interview.

He estimated that PQC implementation would likely happen through a multi-year implementation cycle, adding that it would be “very surprising” if industry was suddenly required to leverage quantum-resistant technology in the next six months.

At the same time, PQC is still an emerging technology. Gruden noted that even though most defense contractors are not completely ready to implement cryptography, many of the solutions themselves aren’t fully realized, as well.

“Post-quantum cryptography is definitely the future, I just don’t know if the core technology and implementation is there yet in terms of widespread commercial adoption — or, at least, commercial adoption within the defense industrial base,” he said.

Written by Mikayla Easley
Mikayla Easley reports on the Pentagon’s acquisition and use of emerging technologies. Prior to joining DefenseScoop, she covered national security and the defense industry for National Defense Magazine. She received a BA in Russian language and literature from the University of Michigan and a MA in journalism from the University of Missouri. You can follow her on Twitter @MikaylaEasley