Post-Quantum Cryptography is no Longer a Future Problem - The Federal Market is Already Moving
Harvey Morrison: Co-Founder/CEO, Marion Square
Most discussions around post-quantum cryptography (PQC) still frame it as a long-term concern something to monitor, plan for, and revisit in a few years.
That framing is now outdated.
A recent update from Google’s security team reinforces what has been building across both industry and government: the timeline for quantum risk is compressing, and the implications are immediate. Their threat model highlights two realities that matter for anyone operating in the federal market:
The credible window for quantum-enabled decryption is moving into the late 2020s
Adversaries are already operating under “store now, decrypt later” assumptions
This is not theoretical. It changes how risk is evaluated today.
And more importantly it aligns directly with how the U.S. Government is already responding.
The Federal Government Has Moved Past “When” to “How”
While much of the commercial market is still debating timing, federal agencies are operating under defined mandates.
Policies such as NSM-10 and OMB M-23-02 require agencies to:
Inventory cryptographic assets across their environments
Identify exposure to vulnerable algorithms
Develop formal migration strategies toward quantum-resistant standards
This is not optional guidance. It is compliance-driven activity tied to reporting, accountability, and ultimately funding alignment.
The implication is straightforward:
PQC is already influencing federal budgets, programs, and procurement decisions.
Recent federal guidance, including the rollout of CNSA 2.0 and supporting agency direction, makes clear that where quantum-resistant options are available, they are expected to be prioritized in new systems and acquisitions.
In practice, this is beginning to establish a “quantum-resistant by default” expectation for forward-looking federal systems.
What Agencies Are Actually Doing Right Now
There is a tendency in the market to jump directly to quantum-resistant algorithms. That is not where federal agencies are starting. The immediate focus is far more foundational.
Across civilian and defense environments, agencies are working through three core activities:
1. Cryptographic Discovery
Understanding where encryption is used across applications, networks, endpoints, and embedded systems.
2. Risk Prioritization
Identifying which systems protect long-lived or sensitive data that would be exposed under a “store now, decrypt later” scenario.
3. Migration Planning
Developing phased approaches that allow for transition without disrupting mission-critical systems.
This reflects a basic constraint that is often overlooked: Agencies cannot migrate what they cannot see.
As a result, the first wave of investment is not in PQC algorithms it is in visibility, inventory, and planning.
Where the Market Is Misaligned
Many technology companies are approaching this market with a product first perspective positioning quantum resistant encryption as the primary value proposition. That does not align with how the federal government is buying.
Agencies are not procuring “PQC solutions” in isolation. They are investing in broader efforts that include:
Enterprise-wide cryptographic visibility
Crypto-agility frameworks
Integration with existing cybersecurity and identity architectures
Long-term modernization of legacy environments
This is a programmatic problem, not a point solution. Vendors that position only at the algorithm layer risk missing where actual demand is being funded today.
PQC Is Converging With Broader Federal Cyber Priorities
Another important dynamic is that PQC is not being treated as a standalone initiative.
It is increasingly tied to:
Zero Trust implementation efforts
Identity and access modernization
“Secure by Design” requirements across federal systems
This convergence matters because it changes how opportunities are framed. PQC is not a separate budget line it is being embedded within existing modernization and cybersecurity programs.
For technology companies, that means: Success in this market depends on aligning PQC capabilities to broader mission and compliance outcomes not positioning it as an isolated upgrade.
The Strategic Window Right Now
The federal market is still in the early stages of execution.
That creates a specific, time-bound opportunity.
Requirements are still being shaped
Architectures are not fully locked
Agencies are determining which vendors and partners they will rely on
This is the phase where the market can be influenced. Once programs mature, entry becomes significantly more difficult.
Marion Square Perspective
Based on ongoing work across federal agencies, partners, and technology vendors, the PQC market is unfolding in three distinct phases:
Near-Term (Now – ~18 months)
Investment is concentrated in discovery, inventory, and initial planning.
Mid-Term (~18–36 months)
Agencies expand into crypto-agility implementation and hybrid environments that support both classical and quantum-resistant approaches.
Long-Term (3+ years)
Full migration efforts accelerate, including replacement of legacy cryptographic systems and ongoing lifecycle management.
The key takeaway is that the market is not waiting for quantum to arrive. It is already building the foundation required to respond.
Bottom Line
Google’s updated threat model reinforces the urgency of the quantum risk. The U.S. Government’s response demonstrates that this urgency is already translating into action.
For technology companies, the implication is clear:
This is not a future positioning exercise. It is a current market opportunity but only for those who align with how the government is actually executing the transition.
That means focusing on:
Visibility and inventory, not just encryption
Program alignment, not standalone capabilities
Practical migration, not theoretical readiness
The companies that understand this distinction will not just participate in the post-quantum transition. They will be positioned to lead within it.