Federal Chief Information Security Officer (CISO) Mike Duffy warned on Tuesday that government IT modernization efforts that fail to account for post-quantum cryptography (PQC) risk creating long-term technical debt.
Speaking during Palo Alto Networks’ Quantum-Safe Summit, Duffy emphasized that PQC readiness is “central to responsible IT modernization,” and a key priority for the Trump administration.
“Modernization without considering PQC readiness or cryptographic agility is really creating technical debt in the future, something that we don’t want to see ever,” Duffy said. “We know that government systems are meant to operate for years, sometimes decades, due to their mission, and the last thing that we would want to do is build or modernize without a consideration for that distant future.”
“When we’re thinking about PQC readiness and cryptographic agility, we need to be thinking about that future state,” he stressed.
Quantum computing threatens to break many widely used encryption methods, raising long-term risks for sensitive government data.
As a result, the White House has set 2035 as the target year for completing the transition to PQC across federal agencies.
The National Institute of Standards and Technology (NIST) has already unveiled its first set of three encryption algorithms designed to withstand cyberattacks from a quantum computer, which agencies can implement immediately.
A key driver of urgency, Duffy said, is the “harvest now, decrypt later” threat. This is the idea that adversaries can collect encrypted data today and decrypt it later as quantum capabilities mature.
That threat, he argued, should resonate with senior leaders because it affects long-term mission assurance. In that context, Duffy urged federal agencies to move from planning to action.
“Get past the brainstorming phase, get past the thinking about where to start, and just get started,” he advised.
Duffy said federal agencies have already been directed to take early steps, including designating PQC leads, coordinating efforts across components, and beginning to inventory cryptography across their environments.
“There’s more work to be done. Inventorying takes time, but these are the kinds of conversations that I think are so important,” he said. “Ensure that agencies know: move now, get beyond brainstorming, have a deliberate and phased plan so that you’re making progress over time.”