Federal Chief Information Security Officer Mike Duffy issued a stark admonition at Palo Alto Networks’ Quantum-Safe Summit on January 27, 2026: IT modernization projects ignoring post-quantum cryptography readiness are sowing seeds of enduring technical liabilities. “Modernization without considering PQC readiness or cryptographic agility is really creating technical debt in the future, something that we don’t want to see ever,” Duffy declared, as reported by MeriTalk.
Government systems, designed to endure for years or even decades to fulfill critical missions, demand forward-thinking security measures. Duffy emphasized that PQC preparation stands as “central to responsible IT modernization,” aligning with priorities under the Trump administration. The White House has mandated a 2035 deadline for federal agencies to complete their shift to PQC, countering quantum computers’ potential to shatter conventional encryption protocols.
The National Institute of Standards and Technology has released its initial trio of encryption algorithms—ML-KEM, ML-DSA, and SLH-DSA—primed for immediate deployment against quantum threats, detailed in Federal Information Processing Standards 203, 204, and 205, published August 13, 2024, per NIST.
Harvest Now, Decrypt Later Imperative
A pressing catalyst is the “harvest now, decrypt later” strategy, in which adversaries collect today’s encrypted data so they can decrypt it once quantum computers are available. This threat, Duffy noted, imperils long-term mission integrity, compelling agencies to pivot from deliberation to execution: designate PQC leads, synchronize across units, and catalog cryptographic assets. “There’s more work to be done. Inventorying takes time, but these are the kinds of conversations that I think are so important,” Duffy urged.
Duffy’s tenure as acting federal CISO, assumed in 2024 following Chris DeRusha’s exit, builds on his CISA background where he advanced shared cybersecurity services safeguarding over four million assets, according to the CIO Council. His leadership of the Federal CISO Council underscores interagency collaboration on threats like quantum risks.
Prior remarks by Duffy at CyberTalks in October 2024 highlighted quantum readiness alongside zero trust and cloud hardening, stressing inventories for critical system migrations, as covered by CyberScoop. “It’s critically important for agencies to be thoughtful about their inventories, how they are planning for migration of their critical systems to PQC,” he stated.
NIST’s Standardization Milestone
NIST’s post-quantum effort, launched in 2016, culminated in these standards after evaluating global submissions. Additional algorithms such as HQC, a key encapsulation mechanism, are slated for draft standards in early 2026 as backups. NIST projects widespread adoption by 2035 while accommodating varied timelines, as outlined in draft NIST IR 8547, per NIST CSRC.
Federal directives, including OMB Memorandum M-23-02, compel agencies to inventory quantum-vulnerable systems. CISA’s PQC Initiative assesses risks across 55 National Critical Functions and guides transitions using automated discovery tools, as detailed by CISA. Executive Order 14306 further accelerates procurement of PQC-enabled products, with CISA listing categories by late 2025.
Challenges abound: inventory processes are protracted, legacy hardware resists upgrades, and costs could hit $7.1 billion through 2035, excluding classified networks, per OMB estimates cited in Federal News Network. Agencies like CBP initiated quantum-safe risk workshops in 2022, prioritizing border security data.
Agency Actions and Industry Pressures
GSA supports quantum-safe integration through contracts such as Alliant 2, while NSA’s CNSA 2.0 mandates PQC for National Security Systems by 2030. Vendors need a PQC compliance roadmap to secure federal deals, as CISA’s lists shape solicitations after July 2025, as noted in Washington Technology.
The Air Force and other agencies are cataloging critical assets and testing NIST algorithms alongside their zero trust work. Duffy’s call resonates on X, where MeriTalk reposted the warning, amplifying urgency among insiders. Crypto-agility, the ability to swap cryptographic primitives quickly as standards change, emerges as vital, with hybrids like ML-KEM + X25519 bridging the classical and post-quantum eras.
OMB’s forthcoming guidance will detail plans for sensitive systems, echoing Federal CIO Clare Martorana’s push. At the Billington Summit in 2025, Duffy reiterated priorities such as enterprise defense and resilience and previewed CISO tabletop exercises, per FedScoop.
Path Forward for Mission Assurance
As quantum advances loom (potentially by 2030, per the Cloud Security Alliance), agencies face phased deprecation: 112-bit security algorithms by 2030, with full disallowance by 2035. Duffy’s vision is for deliberate plans that yield tangible progress. “Ensure that agencies know: move now, get beyond brainstorming, have a deliberate and phased plan,” he advised.
Industry echoes: Palo Alto’s summit spotlighted immediate NIST algorithm use. CISA urges PQC in federal communications against harvest attacks. For insiders, Duffy’s debt caveat signals non-negotiable integration of PQC into modernization bids, lest tomorrow’s systems falter under quantum scrutiny.


WebProNews is an iEntry Publication