The Pentagon is directing all components to quickly transition to post-quantum cryptography (PQC), citing advances in quantum information science and the need to protect military systems and communications.
The mandate was outlined in a memo issued Nov. 18 by Katie Arrington, who is performing the duties of chief information officer (CIO).
According to the memo, which was released this week, senior leaders at the Defense Department (DOD) – rebranded as the War Department by the Trump administration – as well as the combatant commanders are tasked with identifying all cryptography in use across their systems and naming officials to lead transition efforts.
Additionally, each PQC migration lead will oversee new acquisition requirements; distribute guidance; manage quantum-attack risk plans; and track tests, evaluations, and readiness measures. The leads must also maintain an inventory of every form of cryptography across their organizations, including national security systems, business platforms, weapons programs, cloud services, mobile devices, physical access tools, Internet of Things technologies, unmanned assets, and operational technology.
Designated PQC leads must also collect contact information from subordinate organizations within 20 days and update those lists annually.
The memo also instructs components to phase out pre-shared key approaches and symmetric key protocols used for quantum resistance by the end of 2030. DOD components must also provide artifacts for any testing, development, evaluation, or acquisition involving PQC-related technologies so that officials can review potential security issues or unmitigated risks.
The document outlines coordination responsibilities with the DOD CIO’s PQC Directorate, as well as the National Security Agency, the department’s public key infrastructure programs, and the Defense Information Systems Agency.
The directive also prohibits components from testing, procuring, or using quantum confidentiality or keying technologies – such as quantum key distribution or quantum-based random number generation – for security functions unless an exception is granted. While such technologies may offer other benefits, the memo states they cannot be used for confidentiality, authentication, key distribution, or randomness generation on department networks.
In addition to the phase-out deadlines for pre-shared keys and symmetric key-based protocols, the memo bars immediate testing or procurement of commercial quantum-resistant solutions in those categories. Systems that used symmetric key distribution before 2010 are exempt, though the memo encourages exploring upgrades to asymmetric PQC algorithms.