Analysis

DOD’s Post-Quantum Cryptography Strategy Puts the Defense Industrial Base on Notice

DOD’s post-quantum cryptography strategy signals future CMMC and acquisition impacts for defense contractors.

Brandon Hancock, J.D., CMMC-RP · Published April 16, 2026 · Updated July 2, 2026 · 6 min read

TL;DR: DOD’s April 2026 post-quantum cryptography strategy says the Department will work with the defense industrial base on quantum-resistant migration and will update CMMC to include post-quantum cryptography requirements. Contractors do not need to replace every cryptographic tool tomorrow, but they should begin inventorying where encryption, certificates, signing, and key management support contract performance.

The contractor takeaway

Post-quantum cryptography sounds like a future technology issue. DOD’s strategy makes it a contracting issue.

The Department of War Post Quantum Cryptography Strategy, released April 16, 2026, describes how the Department intends to prepare for cryptographically relevant quantum computers. A cryptographically relevant quantum computer is a quantum computer capable of breaking widely used public-key cryptographic algorithms. The near-term concern is not only a future breakthrough. It is also “harvest now, decrypt later” risk: adversaries may collect encrypted sensitive information today and decrypt it later if the cryptography becomes breakable.

For contractors, the important part is not the mathematics. The important part is that DOD ties the strategy to acquisition, commercial solutions, cloud services, software and firmware signing, zero trust, and the defense industrial base.

Most notably, the strategy says DOD will ensure the defense industrial base migrates to post-quantum cryptography across the enterprise, will collaborate with defense industrial base partners on interoperability, and will update the Cybersecurity Maturity Model Certification program to include requirements for post-quantum cryptography.

That does not create a new CMMC control today. It does signal where DOD expects contractor cybersecurity to go.

Why post-quantum cryptography belongs on the GovCon radar

Many contractors still think of encryption as a technical configuration choice handled by IT vendors. In government contracting, encryption often supports legal and contractual obligations.

Encryption can affect protection of Controlled Unclassified Information, secure remote access, cloud service configuration, software and firmware signing, multifactor authentication, certificate-based access, data in transit, data at rest, secure development environments, zero trust architecture, subcontractor access, supplier access, and evidence supporting NIST SP 800-171 and CMMC implementation.

If a contractor cannot identify where cryptography is used, it cannot credibly plan a migration. That is why DOD’s strategy emphasizes inventory, planning, modernization, and integration rather than simply telling organizations to “use better encryption.”

The strategy addresses both high-assurance systems and commercial solutions. The commercial-solutions track matters for contractors because many defense industrial base systems rely on commodity information technology: cloud services, endpoint tools, networking equipment, operating systems, identity platforms, browsers, collaboration tools, development environments, and security products.

That is a broad footprint. For many contractors, post-quantum readiness will not be a single tool purchase. It will be an asset-management, vendor-management, architecture, and contract-requirements exercise.

The CMMC signal is early but important

DOD’s statement that it will update CMMC to include post-quantum cryptography requirements is not the same as an immediately enforceable CMMC requirement. Contractors should be careful about that distinction.

Current CMMC implementation is still tied to existing regulatory and contractual frameworks. CMMC Level 1 is based on FAR 52.204-21. CMMC Level 2 is tied to NIST SP 800-171 Revision 2 under the current CMMC program structure. CMMC Level 3 adds selected enhanced requirements from NIST SP 800-172.

But DOD’s strategy indicates that future cybersecurity requirements will not stop at today’s CMMC model. For contractors, the responsible move is to prepare without overstating the current legal effect.

That means contractors should not claim “post-quantum compliance” unless a specific requirement and standard apply. They should not rewrite CMMC policies as if a new post-quantum control already exists. But they should begin identifying where cryptography supports CUI protection, authentication, software integrity, cloud access, and secure communications. They should also ask vendors whether their product roadmaps include post-quantum support and crypto-agility.

Crypto-agility is the practical bridge between today’s environment and future requirements. A crypto-agile environment can replace or update cryptographic algorithms, protocols, certificates, and related components without redesigning the entire system.

Software supply chain and signing may be the sleeper issue

The strategy specifically identifies software and firmware signing as areas that will be updated to post-quantum algorithms. That matters to contractors that develop, configure, integrate, or maintain software for DOD.

Software signing is a trust mechanism. It helps establish that software, firmware, updates, scripts, or other code artifacts have not been altered without authorization. If the signing algorithm or certificate chain becomes vulnerable, the integrity of that trust mechanism can be affected.

For contractors, this raises several practical questions:

  • What code-signing certificates does the company use?
  • Which build pipelines depend on vulnerable cryptography?
  • Which vendors sign firmware or software updates used in contract performance?
  • Are software bills of materials connected to cryptographic dependencies?
  • Are development, test, and production environments using different signing methods?
  • Who owns certificate rotation and key management?

These questions are not limited to large defense primes. Smaller contractors may rely heavily on managed service providers, cloud platforms, software vendors, embedded devices, identity providers, and developer tooling. If those vendors cannot explain their post-quantum roadmaps, the contractor may inherit transition risk.

Cloud and networking are also in scope

DOD’s strategy discusses web browsers, cloud services, operating systems, networking equipment, and protocols. That matters because contractors increasingly use cloud-based systems to store, process, or transmit contract information.

A contractor may not operate its own encryption stack directly, but it still needs to understand who controls it. In a cloud environment, that may include the cloud service provider, a software-as-a-service vendor, an identity provider, a managed security provider, a certificate authority, and internal administrators.

Contractors should identify which systems rely on encryption controlled by third parties. They should also review whether contracts, service descriptions, or shared-responsibility documentation address cryptographic migration, certificate updates, logging, incident reporting, and customer notice.

For GovCon purposes, the question is not “Do we use encryption?” It is “Can we show how encryption supports the information we are required to protect, and can we adapt when the required cryptography changes?”

What this means for government contractors

The near-term action is inventory and governance. Contractors do not need to speculate about every future CMMC change. They do need to know where cryptography exists in systems that support government contract performance.

For executives, post-quantum planning belongs in risk management because it may affect future eligibility, recompete positioning, cost, and customer confidence.

For government contracting professionals, it belongs in solicitation review because future requirements may appear in statements of work, technical requirements, cloud requirements, software development clauses, security attachments, or agency-specific contract language before they appear as a fully mature enterprise program.

For compliance teams, it belongs in asset management, system security planning, vendor management, and evidence collection.

For procurement attorneys, it belongs in representation review. Contractors should be careful not to promise post-quantum readiness unless the company has evidence tied to a defined requirement.

A practical next step

Create a cryptography dependency inventory for systems that support government contract performance.

Start with these fields:

  • system or application name;
  • contract, program, or business function supported;
  • whether Federal Contract Information, Controlled Unclassified Information, export-controlled data, source-selection information, personally identifiable information, or other protected information is involved;
  • encryption used for data in transit;
  • encryption used for data at rest;
  • certificate authorities and certificate owners;
  • signing tools for software, firmware, scripts, or updates;
  • identity and access management dependencies;
  • cloud or software-as-a-service provider dependencies;
  • vendor post-quantum roadmap status;
  • internal owner for migration planning.

This does not need to be perfect on day one. But a contractor that knows where cryptography lives will be better prepared when DOD turns today’s strategy into tomorrow’s acquisition requirement.

Sources

  • Department of War Post Quantum Cryptography Strategy, Department of War Chief Information Officer, April 16, 2026, https://dodcio.defense.gov/Portals/0/Documents/Library/DoW-PQC-Strategy.pdf.
  • Cybersecurity Maturity Model Certification, Department of Defense Chief Information Officer, accessed July 2, 2026, https://dodcio.defense.gov/CMMC/.
  • NIST Releases First 3 Finalized Post-Quantum Encryption Standards, National Institute of Standards and Technology, August 13, 2024, https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards.

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.
