By Morgan Hecht, Market Intelligence Analyst
For years, government agencies have advised vendors to integrate cybersecurity in all IT solutions used by the federal government. Since 2019, incorporating agile and DevSecOps practices has gradually become the standard for federal software acquisition, driven by the need for secure-by-design development and continuous security integration. The emergence of new cyber threats enabled by quantum computing will make that integration even more critical. As new post-quantum cryptography (PQC) standards emerge, vendors and system integrators will need to meet new federal cybersecurity requirements and navigate approved product lists to ensure compliance and maintain eligibility for government procurement.
If they haven’t done so already, IT vendors need to develop a roadmap to PQC readiness, or they stand to be excluded from important and lucrative contracts.
New category and product lists
Two lists developed by the Cybersecurity and Infrastructure Security Agency (CISA) will shape new federal requirements around PQC-enabled solutions. During December, CISA will issue an initial PQC category list. This list, developed in cooperation with the Advanced Technology Academic Research Center (ATARC), will outline the criteria for PQC-enabled products and establish standards across different technology verticals, including data management, networking and enterprise endpoint security. Following the release of that list, CISA will issue a separate list of specific PQC-enabled and interoperable products approved for procurement. Though details on the submission process and timeline for the product list are still being developed, it will soon be essential for vendors to align their products with the criteria and products on these lists to demonstrate compliance with emerging federal mandates and to remain eligible for future procurement opportunities.
These actions follow a June 2025 Executive Order that requires greater and immediate emphasis on PQC in anticipation of “Q-Day” — the point when quantum computers are expected to be able to break most current cryptographic algorithms.
The concern over quantum threats is a bipartisan issue. Virginia Senator Mark Warner has been quoted as saying that quantum technology is “our generation’s Sputnik moment,” and that, “it’s not a race we can afford to lose.” White House Office of Science and Technology Policy (OSTP) Director Michael Kratsios has called the U.S. efforts in quantum technology “a national security imperative.” Kratsios recently promoted the administration’s $42 billion Tech Prosperity Deal with the United Kingdom to cooperatively develop fast-growing technologies, including quantum, AI and nuclear.
After CISA releases the product category list during December, it will create a list of actual PQC-enabled products. By some early reports, that list will focus on products for use by federal civilian agencies, rather than products used by intelligence agencies and the national security system.
Only products in general availability, not demonstration or beta versions, will be eligible for inclusion on the list. The products must also be ready for integration by multiple IT vendors and must be interoperable with other products already in use by the federal government.
Growing importance
Momentum surrounding quantum technology has been growing among agency officials and lawmakers alike since the passage of the National Quantum Initiative (NQI) Act in 2018.
Under the coordinated strategy established by the NQI, several federal agencies have been working to establish quantum-based research centers and development programs with the National Science and Technology Council (NSTC) to advance U.S. leadership and accelerate adoption of quantum technologies. During 2022, the Department of Energy established five National Quantum Information Science Research Centers (NQISRCs) to promote research around quantum computing and networking, while the Army designated its Combat Capabilities Development Command (DEVCOM) Research Laboratory as a Quantum Information Science Research Center for the Department of War during 2023.
The imminent threat posed by rogue actors with access to quantum computers is making PQC adoption more urgent. New government contracts will likely require PQC to be a part of procured products, while older contracts will need to be updated to ensure legacy products are upgraded.
IT vendors that are slow to adopt PQC may not only lose their competitive edge; they may be completely excluded from federal contracts. Those that are proactive will have a competitive advantage.
This demand for PQC readiness is especially significant for vendors serving critical infrastructure sectors like finance, healthcare and telecommunications because of the severe consequences of quantum-enabled attacks.
Abiding by CISA's PQC vendor requirements
What must vendors do now to make sure they can meet the upcoming PQC requirements? Most urgently, they should:
- Have a quantum-readiness roadmap. Be clear about plans for migrating to PQC. This will be fundamental to any ongoing work done for agencies as wide-reaching as CISA, the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), among others.
- Focus on agile development. Be prepared to use crypto agility to rapidly switch algorithms across inventory. The sooner this work begins, the easier the transition to PQC standards will be; building that flexibility gradually is easier than creating it all at once.
- Collaborate on “Secure by Design” integration. Conversations surrounding cybersecurity have long stressed that security measures must be “baked-in,” not bolted on, to products sold to the federal government. This mantra has gone from advice to a guideline, codified as a practice now referred to as “Secure by Design.” IT vendors must work with agencies to ensure that cryptographic platforms and products integrate PQC from the start.
- Enable product interoperability. PQC-enabled products must be interoperable with other federal government systems if they are to be included on CISA's upcoming PQC product lists. No agency is going to want to create solutions that don’t have interoperability with products that have already been procured.
- Help ensure general availability. To be included in product lists created by CISA, vendors’ products cannot be in a demo or testing phase. They must be generally available and ready for deployment across multiple customers to qualify.
Last word for vendors
This imperative for PQC-compliant products is not a drill. CISA is required by executive order to release lists of product categories that support PQC. Vendors without PQC-enabled products are likely to be excluded from doing further business with the government. It’s important to act now to take advantage of the opportunities being crafted across federal agencies.
This article is adapted from a commentary originally published in Washington Technology.
Reach out to us at immixGroup for more details surrounding PQC and how it may affect your IT products going forward. Visit immixgroup.com for more information.