Work with a government unit? Are you crypto ready? It’s no longer a nice to have.
In May 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged federal agencies to require post-quantum cryptography in new contracts, aligning with the White House’s mandate to mitigate quantum risks by 2035. This directive accelerated the adoption of quantum-resistant algorithms, such as lattice-based and hash-based methods, across government systems, with ripple effects in the private sector.
“Garfield Jones, associate chief of strategic technology at CISA, said those lead agencies [NSA, CISA, NIST and National Office of Cybersecurity] hosted a call recently with more than 600 federal IT officials to discuss the adoption of post-quantum cryptography… ‘The awareness part, we’re really pushing it,’ Jones said during a May 13 event in Washington hosted by AFCEA Bethesda. ‘As those vendors start to adopt it, we’re starting to talk to the agencies about putting this into your acquisition documentation.’” - Federal News Network
Image source: Brian Lenahan/Midjourney
Canadian Government Requirements for Vendors (April–June 2025)
Adoption of PQC in Procurement Policies (June 23, 2025)
The Canadian Centre for Cyber Security (CCCS), in collaboration with Shared Services Canada (SSC) and the Treasury Board Secretariat (TBS), released the Roadmap for the Migration to Post-Quantum Cryptography for the Government of Canada (ITSM.40.001) on June 23, 2025. This roadmap mandates that vendors supplying IT systems to federal departments must:
Incorporate Standardized PQC Algorithms: Vendors must ensure their products support PQC algorithms compliant with CCCS recommendations, specifically those aligned with NIST standards (e.g., ML-KEM, ML-DSA, SLH-DSA, and HQC). Products should be certified through the Cryptographic Module Validation Program (CMVP), co-managed by CSE and NIST.
Ensure Cryptographic Agility: Vendors must design systems to allow seamless updates to cryptographic algorithms, enabling flexibility as standards evolve. This includes supporting hybrid cryptography (combining classical and quantum-safe algorithms) during the transition.
Provide PQC Roadmaps: Vendors are required to share detailed plans and timelines for integrating PQC into their products, aiding departments in budgeting and planning for the transition.
Support Backward Compatibility: Products must maintain interoperability with non-transitioned systems, potentially using PQC-protected encapsulation layers or secure tunneling for legacy systems that cannot be upgraded.
Migration Milestones for Federal Systems (June 23, 2025)
The Canadian roadmap sets strict deadlines for PQC adoption, impacting vendor requirements:
By April 2026: Vendors must support federal departments in submitting initial PQC migration plans, requiring products to be PQC-ready or upgradable.
By 2031: High-priority systems must complete PQC migration, meaning vendors must deliver fully compliant solutions for critical infrastructure.
By 2035: All federal non-classified IT systems must be PQC-compliant, requiring vendors to ensure all products meet quantum-safe standards by this deadline.
Vendors must assist in identifying systems using vulnerable public-key cryptography (e.g., RSA, ECC, Diffie-Hellman) and propose PQC solutions or replacements.
Engagement with Vendors for Quantum-Safe Solutions
The roadmap emphasizes early vendor engagement to confirm PQC compatibility. Vendors are expected to:
Provide products certified under CMVP to reduce cybersecurity risks and avoid vendor lock-in;
Offer tools and support for cryptographic inventories, helping departments assess and prioritize systems for PQC transition;
Align with international standards (e.g., NIST, ISO, IETF) to ensure interoperability with global systems.
Support for Legacy Systems
For systems that cannot be upgraded to PQC, vendors must provide interim solutions like network isolation or PQC-protected tunneling to mitigate quantum risks until full replacement is feasible.
U.S. Government Requirements for Vendors (April–June 2025)
Mandate for PQC in Federal Acquisitions (May 15, 2025)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with NIST, the NSA, and the Office of the National Cyber Director, issued directives in May 2025 requiring federal agencies to incorporate PQC standards into procurement processes.
Vendors must:
Support NIST-Standardized PQC Algorithms: Products must implement NIST’s finalized PQC algorithms, including ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205), and HQC (standardized March 11, 2025).
Comply with CNSA 2.0 Standards: For National Security Systems (NSS), vendors must support ML-KEM-1024 (Level 5) for key encapsulation and ML-DSA-87 for signatures, with single-tree LMS/XMSS for firmware signing. CNSA 2.0 tolerates hybrid key exchange for interoperability but prioritizes pure PQC solutions.
Certify Cryptographic Modules: Products must be validated through the Cryptographic Module Validation Program (CMVP) or meet Federal Information Processing Standards (FIPS) for PQC algorithms.
Address “Harvest Now, Decrypt Later” Threats: Vendors must provide solutions to protect data collected today from future quantum decryption, emphasizing urgency in PQC adoption.
Product Category List for PQC Compliance (Mid-July 2025 Deadline)
An executive order mandated that CISA publish a list of product categories requiring PQC support by mid-July 2025. Within 90 days of this publication (approximately October 2025), vendors bidding on federal contracts involving these categories must:
Demonstrate PQC compatibility in their products, including hardware, software, and firmware.
Ensure products support cryptographic agility to adapt to evolving PQC standards and protocols.
Provide documentation on how their products align with NIST’s PQC standards and CNSA 2.0 requirements.
Interoperability and Testing Requirements
Vendors must participate in interoperability testing to ensure PQC solutions work across federal systems. The National Cybersecurity Center of Excellence (NCCoE) collaborates with vendors to: Validate PQC implementations using NIST’s Automated Cryptographic Validation Test Systems (ACVTS); Ensure compatibility with existing protocols (e.g., TLS, IPsec) while transitioning to PQC; Support hybrid cryptography during the transition to maintain interoperability with legacy systems.
Challenges with Certification Gaps
As of June 2025, vendors face challenges because current NSA CNSA 1.0 standards do not support PQC, while CNSA 2.0 (PQC-compliant) is not yet fully adopted for government certifications. Vendors must prepare products for CNSA 2.0 compliance to be eligible for future federal contracts, even if current certifications lag, and balance immediate market needs (CNSA 1.0 compliance) with future PQC requirements, potentially requiring dual support for both standards.
Summary
Canada: The Canadian government emphasizes a structured, long-term transition (by 2035) with a focus on cryptographic agility, vendor engagement, and CMVP certification. Vendors must align with NIST standards but also support Canada’s National Quantum Strategy, which prioritizes interoperability and domestic innovation.
U.S.: The U.S. is pushing for faster adoption, with procurement mandates starting in 2025 and a focus on protecting against “harvest now, decrypt later” threats. Vendors face stricter requirements for NSS (CNSA 2.0) and must navigate certification delays while preparing for PQC compliance.
Commonalities: Both countries require vendors to adopt NIST-standardized algorithms (ML-KEM, ML-DSA, SLH-DSA, HQC), ensure cryptographic agility, and certify products through CMVP. Interoperability with legacy systems and international standards is critical.
Challenges for Vendors: Vendors must manage the transition from legacy cryptography (e.g., RSA, ECC) to PQC, address certification gaps, and balance costs of developing quantum-safe products while maintaining compatibility with existing systems.
Getting Help
So, as a government vendor in North America, Europe or elsewhere, who can help you get ready in terms of cryptography and secure communications? Here’s a brief sample of those in the ecosystem readying for the future.
Microsoft and Apple’s PQC Integration in Operating Systems (Announced June 10, 2025)
Microsoft and Apple announced support for post-quantum cryptography in upcoming releases of iOS 26 and Windows 11. These updates enable devices to use post-quantum key encapsulation and digital signature protocols, enhancing compatibility with quantum-safe servers. This move marked a significant step toward mainstreaming PQC in consumer and enterprise environments.
Commvault’s Integration of NIST’s HQC Algorithm (June 9, 2025)
Commvault expanded its post-quantum cryptography framework by integrating NIST’s HQC algorithm into its Commvault Cloud platform. This update supports hybrid encryption strategies, combining classical and quantum-safe algorithms to ensure long-term data protection and crypto-agility for enterprise customers.
EU Commission’s PQC Transition Roadmap (June 23, 2025)
On June 23, 2025, the European Commission and EU Member States unveiled a coordinated roadmap for transitioning Europe’s digital infrastructure to post-quantum cryptography. The plan outlined a timeline starting in 2026 for national strategies, cryptographic inventories, and awareness campaigns, aiming to synchronize efforts across member states to protect against quantum-enabled cyber threats.
DRDO and IIT Delhi’s Quantum Entanglement-Based Communication (June 16, 2025)
India’s Defence Research and Development Organisation (DRDO) and IIT Delhi demonstrated quantum entanglement-based free-space quantum-secure communication over a distance of more than 1 km. This breakthrough, reported on X, advanced quantum cybersecurity and laid the groundwork for quantum networks and a future quantum internet.
Canada’s Quantropi Demonstrates First Transatlantic Quantum-Secure Communication (June 9, 2025)
Working with DIANA quantum accelerator sites in Copenhagen (BII) and Halifax (COVE), Quantropi and its partner Alea (producer of QRNGs) have collaborated to achieve a first: communicating across the Atlantic Ocean with “quantum-secure encryption over existing infrastructure by utilizing our QiSpace™ platform alongside Alea’s quantum random number generator, demonstrating that transatlantic quantum-secure communications are not only possible but also deployable now.”
Brian Lenahan is founder and chair of the Quantum Strategy Institute, author of seven Amazon published books on quantum technologies and artificial intelligence and a Substack Top 100 Rising in Technology. Brian’s focus on the practical side of technology ensures you will get the guidance and inspiration you need to gain value from quantum now and into the future. Brian does not purport to be an expert in each field or subfield for which he provides science communication.
Copyright © 2025 Aquitaine Innovation Advisors
Great stuff Brian - valuable info! Having worked on two projects (Bank of Canada & Ministry of Natural Resources) - I can attest to the value it brings and the insights available, but be ready for a non-negotiable, rigorous, lengthy process to secure the contracts.