The federal government’s rush to modernize aging information technology systems has collided with an emerging security threat that could render billions of dollars in upgrades obsolete before they’re even completed. Federal Chief Information Security Officer Mike Duffy issued a stark warning this week that agencies pursuing IT modernization without incorporating post-quantum cryptography (PQC) are essentially building new technical debt into their systems—a costly mistake that could leave sensitive government data vulnerable to future quantum computing attacks.
Speaking at an industry event on Tuesday, Duffy emphasized that quantum-resistant encryption must be a fundamental consideration in every modernization project, not an afterthought to be addressed later. According to MeriTalk, the federal CISO’s comments reflect growing concern within the government’s cybersecurity leadership that agencies are missing a critical window to future-proof their infrastructure against quantum threats. The warning comes as federal agencies face mounting pressure to replace legacy systems while simultaneously preparing for a post-quantum world in which today’s public-key algorithms, RSA and elliptic-curve cryptography among them, are no longer secure.
The urgency of Duffy’s message stems from a sobering reality: adversaries are already recording encrypted traffic today with the intention of decrypting it once quantum computers become sufficiently powerful, a strategy known as “harvest now, decrypt later.” This threat model changes the calculus for IT modernization, because data protected by a quantum-vulnerable key exchange today can be decrypted retroactively once a cryptographically relevant quantum computer exists, which some estimates place within the next decade. Information that must remain confidential beyond that horizon is therefore already at risk. For government agencies handling classified information, sensitive personal data, and critical infrastructure controls, the implications are profound.
The Technical Debt Time Bomb
The concept of technical debt—the accumulated cost of choosing expedient solutions over more sustainable approaches—has long plagued government IT operations. Duffy’s warning suggests that agencies are now creating a new category of technical debt by implementing modern systems that will require expensive retrofitting to incorporate quantum-resistant cryptography. This pattern mirrors historical mistakes where agencies prioritized speed over security, only to face costly remediation efforts years later when vulnerabilities were discovered or standards changed.
The National Institute of Standards and Technology (NIST) has already published its first set of post-quantum cryptographic standards, providing agencies with approved algorithms to begin the transition. However, according to NIST, the implementation of these standards requires careful planning and testing, as they rest on different mathematical problems (structured lattices and hash functions) than the integer-factoring and discrete-logarithm problems behind current public-key encryption. The three finalized standards, FIPS 203 (ML-KEM, a lattice-based key-encapsulation mechanism), FIPS 204 (ML-DSA, a lattice-based digital signature scheme), and FIPS 205 (SLH-DSA, a stateless hash-based signature scheme), represent years of rigorous analysis and competition among cryptographers worldwide to develop algorithms that can withstand attacks from both classical and quantum computers.
Budget Pressures and Competing Priorities
Federal agencies face a complex budgeting environment where IT modernization funds are already stretched thin across competing priorities. The challenge lies in convincing budget authorities to allocate additional resources for quantum-resistant upgrades when the quantum threat remains theoretical for most decision-makers. Yet cybersecurity experts argue that waiting until quantum computers pose an immediate threat would be catastrophic, as the transition to post-quantum cryptography is expected to take years, if not decades, to complete across all government systems.
The Office of Management and Budget has issued guidance requiring agencies to inventory their cryptographic systems and develop PQC transition plans, but implementation has been uneven across the federal government. Some agencies have made significant progress in inventorying their cryptographic systems and planning migration strategies, while others are still in the early stages of understanding their exposure. The inventory is what turns the quantum threat into a work queue: it identifies which key exchanges protect data that must stay confidential for years, and those are the first to migrate. This disparity in readiness levels could create vulnerabilities across government networks, as adversaries typically exploit the weakest links in interconnected systems.
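As an added example (not code from the article, OMB, or any agency), here is the kind of triage a cryptographic inventory needs once handshake data has been collected: a Python script that classifies constructed TLS handshake log lines by how the quantum threat applies to each part of the handshake. It separates the key exchange, where harvest-now-decrypt-later already applies to recorded traffic, from signatures, which only become forgeable once a large quantum computer exists, and from symmetric ciphers, where the question is security margin rather than a break. The hybrid and classical group names follow the IANA TLS supported-groups registry; the log field layout, the `rsa` label for TLS 1.2 RSA key transport, and the ML-DSA signature-scheme names are assumptions made for the demonstration.

```python
import re
from collections import Counter

# Hybrid and classical group names follow the IANA TLS supported-groups
# registry. The PQ signature names (mldsa44/65/87), the "rsa" label for
# TLS 1.2 RSA key transport, and the log field layout are assumptions
# about how a handshake logger spells things.
HYBRID_KEX = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
PQ_KEX = {"MLKEM512", "MLKEM768", "MLKEM1024"}
CLASSICAL_KEX = {"x25519", "secp256r1", "secp384r1", "ffdhe2048", "ffdhe3072", "rsa"}
PQ_SIG = {"mldsa44", "mldsa65", "mldsa87"}
# AES-256 and ChaCha20 keep roughly 128-bit security against Grover's
# algorithm; AES-128 drops to roughly 64 bits, a margin issue, not a break.
SYMMETRIC_OK = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(rec: dict) -> dict:
    """Rank one handshake by how the quantum threat actually applies to it."""
    kex = rec.get("kex", "?")
    sig = rec.get("sig", "?")
    cipher = rec.get("cipher", "?")
    findings = []
    if kex in CLASSICAL_KEX:
        # Shor's algorithm recovers the session key from a recorded handshake,
        # so traffic captured today is exposed later: the HNDL case.
        findings.append("kex:hndl")
    elif kex not in HYBRID_KEX | PQ_KEX:
        findings.append("kex:unknown")
    if sig not in PQ_SIG:
        # A classical signature can only be forged once a large quantum
        # computer exists; past sessions are not retroactively exposed by it.
        findings.append("sig:future-forgery")
    if cipher not in SYMMETRIC_OK:
        findings.append("cipher:grover-margin")
    if "kex:hndl" in findings:
        priority = "high"
    elif findings:
        priority = "medium"
    else:
        priority = "none"
    return {"host": rec.get("host", "?"), "priority": priority, "findings": findings}


# Constructed sample log for the demonstration; not captured from any system.
SAMPLE_LOG = """\
host=app1.example.gov kex=x25519 sig=rsa_pss_rsae_sha256 cipher=TLS_AES_128_GCM_SHA256
host=app2.example.gov kex=X25519MLKEM768 sig=ecdsa_secp256r1_sha256 cipher=TLS_AES_256_GCM_SHA384
host=legacy.example.gov kex=rsa sig=rsa_pkcs1_sha256 cipher=TLS_RSA_WITH_AES_128_CBC_SHA
host=vpn.example.gov kex=MLKEM768 sig=mldsa65 cipher=TLS_AES_256_GCM_SHA384
"""


def inventory(log_text: str) -> list:
    """Classify every non-empty line of a handshake log."""
    return [classify(parse_line(l)) for l in log_text.splitlines() if l.strip()]


def summarize(results: list) -> Counter:
    """Count hosts per migration priority."""
    return Counter(r["priority"] for r in results)


if __name__ == "__main__":
    results = inventory(SAMPLE_LOG)
    for r in results:
        print(f"{r['priority']:<6} {r['host']:<22} {', '.join(r['findings']) or '-'}")
    print(dict(summarize(results)))
```

The ordering is the point: hosts flagged `high` protect data an adversary may already be recording, so their key exchange moves to a hybrid or ML-KEM group first, while signature and certificate migration, which only matters once a quantum computer exists, can be scheduled behind it.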
Industry Collaboration and Standards Development
The private sector faces similar challenges in transitioning to post-quantum cryptography, and many technology vendors are working to incorporate quantum-resistant algorithms into their products. However, government agencies cannot simply wait for vendors to update their offerings; they must actively engage in the transition process by specifying PQC requirements in procurement contracts and working with vendors to ensure compatibility and interoperability. According to CISA, this collaborative approach is essential for building a quantum-resistant ecosystem that spans both public and private sectors.
The complexity of the PQC transition extends beyond simply swapping out encryption algorithms. Many systems rely on cryptography embedded deep within their architecture: hard-coded key and signature sizes, certificate chains and their validation paths, hardware security modules, and boot firmware that verifies a signature before anything else runs. Replacing these wholesale is impractical or impossible without complete system redesigns. This reality underscores Duffy’s point about technical debt: agencies that modernize without considering PQC architecture may find themselves locked into systems that cannot easily accommodate quantum-resistant upgrades, forcing expensive workarounds or premature system replacements.
The National Security Imperative
Beyond the financial implications, the failure to incorporate PQC into modernization efforts poses direct national security risks. Foreign adversaries with advanced quantum computing programs could potentially gain the ability to decrypt sensitive government communications, compromise classified information, and undermine the integrity of critical systems. Intelligence agencies have been particularly vocal about the harvest now, decrypt later threat, as adversaries may already possess archives of encrypted communications that could be vulnerable to future quantum attacks.
The Department of Defense has taken a particularly aggressive stance on PQC adoption, recognizing that military communications and weapons systems must be protected against future quantum threats. According to the Department of Defense, the Pentagon has established specific timelines for transitioning critical systems to quantum-resistant cryptography and is working with defense contractors to ensure that new acquisitions incorporate PQC from the design phase. This proactive approach stands in contrast to some civilian agencies that have been slower to prioritize quantum readiness.
Implementation Challenges and Migration Strategies
The practical challenges of implementing post-quantum cryptography are substantial and multifaceted. The new algorithms carry much larger public keys, ciphertexts, and signatures than their RSA and elliptic-curve counterparts (an ML-KEM-768 public key is 1,184 bytes and an ML-DSA-65 signature is 3,309 bytes, against 32 bytes for an X25519 key and 64 bytes for a raw ECDSA P-256 signature), so the cost shows up in message sizes, protocol fields with fixed lengths, and memory-constrained devices more than in raw CPU time, and some deployments will need hardware or firmware upgrades. Additionally, organizations must run hybrid cryptography during the transition period, combining a classical algorithm with a quantum-resistant one so that the result remains secure if either component fails, while also supporting both classical and quantum-resistant algorithms to ensure interoperability with systems that have not yet been upgraded. This dual-mode operation adds complexity and potential points of failure that must be carefully managed.
Cryptographic agility, the ability to switch between cryptographic algorithms without redesigning the system, has emerged as a key principle for managing the PQC transition. In practice it means carrying an explicit algorithm identifier with every key, certificate, and ciphertext, keeping algorithm selection in configuration rather than in code, and never hard-coding key, ciphertext, or signature sizes. Systems designed with cryptographic agility can more easily adapt to new standards and respond to emerging threats without requiring complete architectural overhauls. However, achieving true cryptographic agility requires forethought and planning during the design phase, reinforcing Duffy’s argument that PQC considerations must be integrated into modernization efforts from the outset rather than bolted on later.
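The two properties discussed above, hybrid operation and cryptographic agility, come down to a few concrete decisions in the key-derivation and envelope code. The following Python, added here as an illustration and not code from any agency or vendor, shows them using only the standard library: a registry of suites with a policy status, a combiner that derives one key from the shared secrets of every component in the suite (the hybrid case) with the suite identifier bound into the derivation, and a header that carries the suite identifier alongside the ciphertext so a decoder can fail closed on anything it does not recognise. The suite names, statuses, and header layout are this example's own; the shared secrets are constructed inputs standing in for what an X25519 exchange and an ML-KEM-768 encapsulation would return.

```python
import hashlib
import hmac
import secrets
import struct


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Suite registry: id -> (ordered KEM components, shared-secret length of each,
# policy status). Names and statuses are this example's own, not a standard.
SUITES = {
    "classical-x25519":       (("x25519",), (32,), "deprecated"),
    "hybrid-x25519-mlkem768": (("x25519", "mlkem768"), (32, 32), "preferred"),
    "pq-mlkem768":            (("mlkem768",), (32,), "allowed"),
}


def derive_key(suite_id: str, component_secrets: list, context: bytes,
               allow_deprecated: bool = False) -> bytes:
    """Combine every component's shared secret into one 32-byte key.

    The key depends on all components, so in a hybrid suite breaking x25519
    alone (Shor) or mlkem768 alone (a future cryptanalytic result) is not
    enough to recover it.
    """
    if suite_id not in SUITES:
        raise KeyError(f"unknown suite {suite_id!r}: failing closed")
    components, lengths, status = SUITES[suite_id]
    if status == "deprecated" and not allow_deprecated:
        raise ValueError(f"suite {suite_id!r} is deprecated by policy")
    if len(component_secrets) != len(components):
        raise ValueError("component count does not match suite")
    ikm = b""
    for name, secret, expected in zip(components, component_secrets, lengths):
        if len(secret) != expected:
            raise ValueError(f"{name}: expected {expected}-byte secret")
        # Length-prefix each secret so the concatenation cannot be re-split.
        ikm += struct.pack(">H", len(secret)) + secret
    # Salt binds the suite id (relabelling a hybrid key as classical yields a
    # different key); info binds the protocol context, e.g. a transcript hash.
    return hkdf_sha256(ikm, salt=suite_id.encode(), info=b"pqc-envelope-v1|" + context)


HEADER_VERSION = 1


def encode_header(suite_id: str, nonce: bytes) -> bytes:
    """version | suite-id length | suite id | nonce length | nonce."""
    sid = suite_id.encode()
    return (struct.pack(">BB", HEADER_VERSION, len(sid)) + sid
            + struct.pack(">B", len(nonce)) + nonce)


def decode_header(blob: bytes):
    """Return (suite_id, nonce, remaining bytes); reject unknown suites/versions."""
    version, sid_len = struct.unpack_from(">BB", blob, 0)
    if version != HEADER_VERSION:
        raise ValueError(f"unsupported header version {version}")
    sid = blob[2:2 + sid_len].decode()
    if sid not in SUITES:
        raise KeyError(f"unknown suite {sid!r} in header: failing closed")
    (nonce_len,) = struct.unpack_from(">B", blob, 2 + sid_len)
    start = 3 + sid_len
    return sid, blob[start:start + nonce_len], blob[start + nonce_len:]


if __name__ == "__main__":
    # Constructed stand-ins for the shared secrets a real X25519 exchange and
    # ML-KEM-768 encapsulation would produce.
    ss_x25519, ss_mlkem = secrets.token_bytes(32), secrets.token_bytes(32)
    key = derive_key("hybrid-x25519-mlkem768", [ss_x25519, ss_mlkem], b"file:report.pdf")
    header = encode_header("hybrid-x25519-mlkem768", secrets.token_bytes(12))
    suite, nonce, _ = decode_header(header + b"...ciphertext...")
    print(suite, nonce.hex(), key.hex())
```

Migration then becomes a registry change rather than a code change: a new suite is added with status `allowed`, promoted to `preferred`, and the old one demoted to `deprecated`, at which point existing data still decrypts (with `allow_deprecated=True` in a controlled re-encryption job) but nothing new is written under it.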
Timeline Pressures and Regulatory Requirements
The federal government has established ambitious timelines for PQC adoption, with various agencies setting target dates for completing their transitions. National Security Memorandum 10, issued by the White House in May 2022, directs agencies to transition to quantum-resistant cryptography for national security systems and sets the goal of mitigating as much of the quantum risk as is feasible by 2035, with milestones and accountability measures along the way. However, meeting these deadlines while simultaneously pursuing broader IT modernization initiatives requires careful coordination and adequate resources, both of which remain in short supply across much of the federal government.
The regulatory framework surrounding PQC continues to evolve as agencies gain experience with implementation challenges and as the quantum computing threat becomes better understood. Federal Information Processing Standards (FIPS) incorporating the new NIST algorithms are being integrated into federal requirements, and agencies must ensure that their procurement and development processes align with these evolving standards. This dynamic regulatory environment adds another layer of complexity to modernization planning, as agencies must build flexibility into their systems to accommodate future standard updates and refinements.
Long-Term Strategic Planning
Duffy’s warning about technical debt reflects a broader shift in thinking about government IT modernization—from viewing it as a series of discrete upgrade projects to understanding it as an ongoing strategic process that must account for emerging threats and evolving technologies. The PQC transition represents a test case for this more sophisticated approach to technology planning, requiring agencies to balance immediate operational needs with long-term security requirements and to make investment decisions based on threats that may not materialize for years.
The success or failure of the federal government’s PQC transition will likely influence how agencies approach future technology transitions and could serve as a model—or cautionary tale—for other large organizations facing similar challenges. As quantum computing continues to advance and the timeline for practical quantum attacks becomes clearer, the wisdom of heeding Duffy’s warning will become increasingly apparent. Agencies that incorporate quantum readiness into their modernization efforts today will be better positioned to protect sensitive information and maintain operational security in the quantum era, while those that prioritize short-term expediency over long-term planning may find themselves facing exactly the kind of technical debt that has plagued government IT for decades.
The path forward requires sustained leadership commitment, adequate funding, technical expertise, and close collaboration between government agencies, industry partners, and the research community. While the challenges are significant, the alternative—deploying modern systems that are vulnerable to future quantum attacks—is simply unacceptable given the sensitive nature of government operations and the national security implications of compromised cryptographic systems. The federal CISO’s warning serves as a timely reminder that true modernization must look beyond today’s threats to prepare for tomorrow’s challenges.


WebProNews is an iEntry Publication