OMB draft memo sets agency and vendor quantum security standards

The Office of Management and Budget has drafted a memorandum that directs federal agencies to fully migrate to a post-quantum cryptographic standard, according to a person familiar with the matter and a draft of the document seen by Nextgov/FCW.

The memo will emphasize the future of post-quantum cryptography migration in the federal government, as well as set standards for which third-party technology vendors must adhere.

The document touches on multiple aspects of the government’s PQC migration efforts. It prioritizes strategies such as strengthening cybersecurity maintenance, planning agency governance and oversight in successful PQC implementation and inventorying high-risk digital assets as critical components of PQC migration. 

The memo also sets requirements for third-party technology vendors working with the government, asking them to ensure PQC standards are upheld and embedded during technology refresh and lifecycle updates, cloud migration and other software changes. 

As it does with federal agencies, the memo requests that vendors disclose their individual phased PQC transition timelines. It notes that leveraging automation is helpful in PQC migration steps, namely regarding asset inventory management and policy compliance. 

Ensuring digital networks are secured ahead of a potential fault-tolerant quantum computer has become of paramount importance to government officials over the years, including serving as a focal point in multiple executive actions from both the Biden and Trump administrations. 

Nextgov/FCW has been told that the memo is still in draft form and does not have a set release date, according to the person familiar, who was granted anonymity to discuss developments that had not been made public. OMB did not respond to a request for comment by the time of publication.

Under the Biden administration, the National Institute of Standards and Technology finalized a series of post-quantum cryptographic algorithms that are ready to replace current encryption methods to a quantum-resilient standard. 

During his first administration, Trump signed the National Quantum Initiative Act into law, which allocated over $1.2 billion to quantum information sciences and research. Certain research activities expired in 2023. The reauthorization act is currently awaiting further action in Congress.

As part of his second administration, Trump has continued prioritizing innovation in quantum information sciences and technology at the public and private sector levels, including asking the White House Office of Science and Technology Policy to work towards dominance in emerging tech sectors.