For defense contractors and the suppliers behind them, the most important sentence in a new Department of War strategy document is not in the timeline. It is in the ban list.
The Department of War, the federal agency most readers still know as the Pentagon, released its Post-Quantum Cryptography (PQC) Strategy in April 2026, formally aligning the entire military with Executive Order 14409, "Securing the Nation Against Advanced Cryptographic Attacks." The document sets two hard deadlines. By December 31, 2030, every high-impact National Security System (NSS) and adjacent non-NSS infrastructure must fully support quantum-resistant cryptographic primitives, meaning encryption built to resist code-breaking by future quantum computers. By December 31, 2031, the same applies across the entire Department. Systems that miss implementation gates will be retired rather than carried forward on waivers. (DoW press release, DoW PQC Strategy PDF)
What converts the deadline from a policy aspiration into a procurement event is what the strategy formally disqualifies. Five categories of workarounds that have been pitched, sold, and developed as "quantum-safe" alternatives are now ruled out as substitutes for true post-quantum cryptography.
The first disqualification is bigger legacy keys: scaling up classical algorithms by lengthening RSA keys or expanding elliptic-curve parameters. The strategy treats this as a non-solution, because a sufficiently powerful quantum computer breaks the underlying math regardless of key size. Longer keys simply demand more qubits to defeat.
The second is proxy-only overlay patches, the practice of bolting translation layers onto existing infrastructure while leaving the original cryptography in place. Traffic that crosses the wire under that original cryptography stays readable to adversaries regardless of any proxy in front.
The third is Quantum Key Distribution (QKD), the approach that uses quantum physics to exchange keys on the premise that measuring a quantum state disturbs it. QKD was long promoted to defense buyers as inherently secure. The Department disqualifies it on national-security grounds, citing practical vulnerabilities including trusted relay nodes and side channels, and the absence of a national-security validation track.
The fourth is quantum networking: routing signals through quantum-network hardware without changing the cryptographic primitives protecting the data. The strategy treats this as a transport-layer technology, not a cryptographic one.
The fifth is non-local quantum randomness generation, sourcing keys from distant quantum systems rather than running provably quantum-resistant algorithms.
The only algorithms that clear the bar for high-assurance classified environments are the NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), a published set of post-quantum primitives covering confidentiality and authentication. (NSA CNSA 2.0 PDF)
The reason the deadline matters now, rather than in 2030, is the threat model baked into the document. The Department assumes peer adversaries are already running what cryptographers call "harvest now, decrypt later" operations: intercepting and stockpiling encrypted U.S. military traffic today with the intent of decrypting it later, once a Cryptographically Relevant Quantum Computer (CRQC), a machine powerful enough to break current public-key cryptography, exists. The strategy names tactical radios, satellite communications (SATCOM), and command-and-control (C2) networks as priority targets. The deadline answers a crisis the Department considers already in progress, not a future one.
For defense suppliers, the math is concrete. A product whose roadmap was built on QKD, proxy overlays, or transport-level quantum networking now has roughly four and a half years to pivot to CNSA 2.0-conformant implementations, or face removal from procurement. The strategy's enforcement mechanism is not a fine or a mandate memo. It is system retirement. Anything that cannot run post-quantum primitives by the deadline is phased out. (DoW PQC Strategy PDF)
The strategy also signals that the wider federal migration is converging. The Cybersecurity and Infrastructure Security Agency's (CISA's) Automated Cryptography Discovery and Inventory (ACDI) tooling strategy gives civilian federal agencies the means to find and catalog where legacy cryptography is still in use, which is the prerequisite for any cryptographic swap-out. The DoW document indicates the same inventory-driven approach is now mandatory inside the defense industrial base. (CISA ACDI strategy)
The press release frames the deadline-plus-ban structure as a national-security mission rather than a procurement reshuffle. The implementation question worth watching through 2027 and 2028 is whether the December 2030 gate actually triggers system retirements at scale or softens into waivers under budget pressure. Equally worth tracking over the next twelve months is whether supplier roadmaps for QKD-based military kit visibly redirect toward CNSA 2.0 conformance testing.
The full strategy PDF is on the DoW CIO site. The press release is on war.gov. (DoW PQC Strategy PDF, DoW press release)