{"id":242126,"date":"2026-07-10T14:46:00","date_gmt":"2026-07-10T18:46:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/10\/what-the-pentagons-new-post-quantum-cryptography-directive-means-for-defense-contractors\/"},"modified":"2026-07-10T16:10:08","modified_gmt":"2026-07-10T20:10:08","slug":"what-the-pentagons-new-post-quantum-cryptography-directive-means-for-defense-contractors","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/10\/what-the-pentagons-new-post-quantum-cryptography-directive-means-for-defense-contractors\/","title":{"rendered":"What the Pentagon\u2019s new post-quantum cryptography directive means for defense contractors"},"content":{"rendered":"<p><a href=\"https:\/\/defensescoop.com\/2026\/07\/10\/cmmc-pqc-requirements-defense-contractors-cybersecurity\/\">What the Pentagon\u2019s new post-quantum cryptography directive means for defense contractors<\/a><\/p>\n<p><a href=\"https:\/\/defensescoop.com\/2026\/07\/10\/cmmc-pqc-requirements-defense-contractors-cybersecurity\/\">https:\/\/defensescoop.com\/2026\/07\/10\/cmmc-pqc-requirements-defense-contractors-cybersecurity\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-10 14:46:00<\/a><\/p>\n<p>Source Domain: <a href=\"defensescoop.com\">defensescoop.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>The Defense Department\u2019s new Post-Quantum Cryptography (PQC) Strategy calls for new Cybersecurity Maturity Model Certification (CMMC) requirements that leverage quantum-resistant algorithms.<\/p>\n<p>And while experts say it\u2019s likely to be some time before updates are finalized, they stress that the defense industrial base is likely unprepared.<\/p>\n<p>The Pentagon\u2019s new 25-page strategy published in June largely focuses on defending its own systems against quantum threats by initiating a PQC migration, but the document also urges the defense industrial base to move with the department. Among the multiple deadlines and milestones outlined in the plan, the DOD notes that it will update CMMC with requirements based on PQC.<\/p>\n<p>\u201cTo ensure the security of [Department of War] information hosted on DIB systems, the DoW will ensure that the DIB migrates to PQC across the enterprise. The DoW will also collaborate with DIB partners to ensure interoperability during the migration to PQC,\u201d the strategy states, using an alternative name for the Defense Department.<\/p>\n<p>The document adds that along with new CMMC requirements and updated external certificate authorities, the Pentagon will also add quantum-resistance to access control, zero trust and software development platforms.<\/p>\n<p>However, details as to how and when the Pentagon will begin enforcing PQC compliance are scarce, creating several uncertainties for the defense industrial base. Broadly, the strategy states that every DOD system must support PQC by the end of 2030, and employ PQC before the end of 2031.<\/p>\n<p>Although quantum computing is relatively nascent, leaders across the U.S. government have raised concerns about how the technology could be exploited by adversaries in the future. Capabilities like quantum algorithms could easily bypass modern encryption, while quantum cryptography can create nearly impenetrable networks and databases.<\/p>\n<p>And given the Pentagon\u2019s work to ensure defense contractors have proper cybersecurity controls on their own networks, experts asserted that the move to introduce PQC into CMMC isn\u2019t out of left field.<\/p>\n<p>\u201cThe department\u2019s strategy reinforces an important point: CMMC was never intended to remain static. As cybersecurity threats evolve, the requirements will evolve as well,\u201d Thomas Graham, chief information security officer at Redspin, told DefenseScoop.<\/p>\n<p>After years of controversy and back-and-forth with the defense industrial base, the Pentagon began enforcing CMMC compliance in 2025. The program established a tiered cybersecurity framework based on standards established by the National Institute of Standards and Technology and requires contractors to prove they have adequate security controls on their networks in order to store sensitive DOD information.<\/p>\n<p>Because CMMC is managed through the federal rulemaking procedure, the Pentagon does not have authority to fully enforce new regulations without first publishing proposed changes for public comment and then finalizing the rule, according to Jacob Horne, chief cybersecurity evangelist for Summit 7. That process can take months or even years, as was the case with CMMC.<\/p>\n<p>There is a possibility that the department could tailor some requirements to include PQC in contract clauses in the near term, Horne explained.<\/p>\n<p>\u201cSince those clauses point to cyber requirement baselines maintained by NIST, the DoD can only tweak the details by specifying organizationally defined values for those baselines,\u201d he told DefenseScoop. \u201cThink of these like cyber requirement Mad Libs. NIST says encryption must be used but leaves the specific details up to organizations finalizing the details.\u201d<\/p>\n<p>The U.S. government has set different values for NIST\u2019s cryptographic standards in the past, meaning the Pentagon could require PQC for CMMC compliance in some contracts without NIST modifying the entire cybersecurity framework, he added.<\/p>\n<p>The ability to use defined values will be made possible under the forthcoming CMMC update, known as Revision 3. After months of waiting, the Defense Department issued an amendment formally initiating the transition to Revision 3 on Wednesday, with expectations that it will begin enforcing new CMMC guidelines in the coming weeks.<\/p>\n<p>Along with introducing the option to leverage quantum standards for defined values, Revision 3 also reorganizes and consolidates multiple security controls required for CMMC Level 2 assessments \u2014 potentially making compliance more difficult for the industrial base, Graham said.<\/p>\n<p>\u201cIn fact, [Revision 3] introduces dozens of organizational defined parameters and more objectives, reducing ambiguity and requiring organizations to make, and document, more deliberate security decisions,\u201d he noted.<\/p>\n<p>Despite the possibility of introducing PQC requirements, it is unlikely that they will be immediately used across all of the Defense Department\u2019s contracts. There has been a significant readiness gap within the industrial base to prepare for CMMC compliance writ large, and tacking quantum-resistant capabilities would be a huge lift for industry.<\/p>\n<p>Michael Gruden, cybersecurity lawyer at Crowell &#038; Moring, said many companies are only just beginning to have early discussions about potential PQC requirements within their environment \u2014 largely because they have been focused on preparing for the transition to Revision 3.<\/p>\n<p>Furthermore, clients who have begun implementing NIST\u2019s quantum cryptographic standards struggled to do so without breaking their infrastructure and interrupting operations, he added.<\/p>\n<p>\u201cThe fact that we\u2019re seeing this sort of charge to implement [PQC] within CMMC would come as a shock to the broader defense industrial base, and I do not think that the majority would be ready at this point,\u201d Gruden said in an interview.<\/p>\n<p>He estimated that PQC implementation would likely happen through a multi-year implementation cycle, adding that it would be \u201cvery surprising\u201d if industry was suddenly required to leverage quantum-resistant technology in the next six months.<\/p>\n<p>At the same time, PQC is still an emerging technology. Gruden noted that even though most defense contractors are not completely ready to implement cryptography, many of the solutions themselves aren\u2019t fully realized, as well.<\/p>\n<p>\u201cPost-quantum cryptography is definitely the future, I just don\u2019t know if the core technology and implementation is there yet in terms of widespread commercial adoption \u2014 or, at least, commercial adoption within the defense industrial base,\u201d he said.<\/p>\n<p>\t\t\tWritten by Mikayla Easley<br \/>\n\t\t\tMikayla Easley reports on the Pentagon\u2019s acquisition and use of emerging technologies. Prior to joining DefenseScoop, she covered national security and the defense industry for National Defense Magazine. She received a BA in Russian language and literature from the University of Michigan and a MA in journalism from the University of Missouri. You can follow her on Twitter @MikaylaEasley\t\t<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What the Pentagon\u2019s new post-quantum cryptography directive means for defense contractors https:\/\/defensescoop.com\/2026\/07\/10\/cmmc-pqc-requirements-defense-contractors-cybersecurity\/ Publish Date: 2026-07-10&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242127,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/defensescoop.com\/wp-content\/uploads\/sites\/8\/2026\/01\/GettyImages-2242867018-e1767723375594.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-242126","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242126"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242126"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242126\/revisions"}],"predecessor-version":[{"id":242128,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242126\/revisions\/242128"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242127"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}