In this episode of The Bottom Line Up Front, we reviewed a comprehensive IBM Quantum Safe briefing alongside NIST migration guidance and federal policy timelines. The conclusion is clear: the quantum threat is no longer theoretical, and the window to prepare is already closing. This article distills the most important takeaways for Federal, DoD, and Intelligence Community leaders—and outlines how agencies can move from awareness to action.
Why Quantum Safe Matters Right Now
Quantum computing will break modern public‑key encryption. Not maybe. Not eventually. It will. IBM projects:
- ~200 logical qubits by 2029
- ~2,000 logical qubits by the 2033–2035 timeframe
At that scale, Shor’s algorithm becomes capable of breaking cryptographic systems widely used across federal IT—including RSA and ECC. Even more concerning: adversaries are already executing Harvest Now, Decrypt Later attacks. They are intercepting encrypted data today, fully aware that once cryptographically relevant quantum computers arrive, that data can be decrypted retroactively.
What This Means for Federal Agencies
Even if quantum computers capable of breaking encryption don’t exist yet, any sensitive, classified, or long‑lifecycle data intercepted today is at risk tomorrow. This includes:
- Intelligence Community networks
- DoD command and control systems
- Weapons maintenance and logistics data
- Satellite and space communications
- OT, ICS, and SCADA systems
- Critical infrastructure
- Defense Industrial Base environments
Quantum risk is not an IT problem—it is a national security problem.
Federal Timelines Are Already Set
Federal guidance is clear and deadlines are published across:
- NSTAC
- OMB
- NSA
- CNSA 2.0
Key milestones include:
- Immediate crypto inventories
- High‑priority migrations beginning by 2027
- Restrictions on non‑PQC‑capable procurements
- Full transition targets by 2035
Yet in 2026, many agencies have not started. Why does this matter? Because PQC migration is estimated to take 5–15 years. This transition cannot be rushed at the last minute.
What IBM Demonstrated: Quantum‑Safe Capabilities Today
The IBM briefing wasn’t just theoretical—it showcased tangible progress across algorithms, hardware, and tooling.
Validated Post‑Quantum Algorithms
- ML‑KEM (Kyber) for key encapsulation
- ML‑DSA (Dilithium) for digital signatures
- Hash‑based signatures (SLH‑DSA / SPHINCS+)
- Falcon (coming soon)
Quantum‑Safe Hardware Support
IBM highlighted quantum‑safe enhancements to LinuxONE and IBM Z platforms, including:
- Quantum‑safe secure boot
- PQC‑enabled crypto cards (CCA, EP11)
- Acceleration for Kyber and Dilithium
- TLS 1.3 performance optimizations
- FIPS 140‑3 compliance
IBM Quantum Safe Software Suite
- Explorer – discovers cryptography in source code
- Guardian – enterprise crypto posture management
- Mediator – hybrid PQC key establishment at the network layer
- Unified Key Orchestrator – manages keys across cloud and environments
Together, these tools help agencies answer four crucial questions: Where is cryptography used? Is it quantum safe? What breaks if it changes? What must migrate first?
The Hardest Problem: Crypto Discovery
Across the briefing, one challenge stood above all others: Crypto discovery is the number one blocker to PQC migration.
Why?
- Cryptography is often buried deep in code, libraries, and third‑party dependencies
- Many development teams don’t fully understand what crypto their applications use
- OT and legacy systems frequently hard‑code algorithms that require hardware replacement
IBM shared real‑world examples involving:
- 17,000+ custom applications
- Millions of lines of unmanaged code
- Complex, multi‑vendor DoD PKI environments
The takeaway is simple: You cannot migrate what you cannot see.
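A minimal illustration of the discovery step described above, added here as an example and not taken from the IBM briefing or any IBM tool: it scans source text for algorithm identifiers and sorts each file into quantum-vulnerable, hybrid, or post-quantum. The file paths, snippets, and identifier patterns are assumptions; X25519 and Ed25519 are included because they are elliptic-curve schemes.

```python
import re
from collections import Counter

# Token boundaries that treat "_" as a separator, so NID_X9_62_prime256v1
# matches while the "rsa" inside "universal" does not.
B, E = r"(?<![A-Za-z0-9])", r"(?![A-Za-z0-9])"

# Classification follows the article: RSA and ECC fall to Shor's algorithm;
# ML-KEM, ML-DSA and SLH-DSA are the post-quantum algorithms it lists.
PATTERNS = {
    "quantum-vulnerable": re.compile(
        B + r"(RSA|ECDSA|ECDHE?|X25519|Ed25519|secp\d+[rk]1|prime256v1)" + E, re.I),
    "post-quantum": re.compile(
        B + r"(ML-?KEM|Kyber|ML-?DSA|Dilithium|SLH-?DSA|SPHINCS)", re.I),
}

# Constructed sample input: hypothetical paths and snippets, not a real code base.
SAMPLE_TREE = {
    "app/auth/token.py": "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n",
    "vendor/legacy_tls/handshake.c": "k = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); /* ECDH */\n",
    "svc/gateway/kex.go": "// hybrid key establishment: X25519 + ML-KEM-768\n",
    "docs/universal.txt": "Universal settings, nothing cryptographic.\n",
}

def scan(tree):
    """Return {path: {label: Counter of identifiers}} for files with any hit."""
    findings = {}
    for path, text in tree.items():
        hits = {label: Counter(m.group(1).upper() for m in rx.finditer(text))
                for label, rx in PATTERNS.items()}
        if any(hits.values()):
            findings[path] = hits
    return findings

def status(hits):
    """Classify one file: classical only, PQC only, or both (hybrid)."""
    if hits["quantum-vulnerable"] and hits["post-quantum"]:
        return "hybrid"
    return "quantum-vulnerable" if hits["quantum-vulnerable"] else "post-quantum"

def needs_migration(findings):
    """Files that use classical public-key crypto with no PQC alongside it."""
    return sorted(p for p, h in findings.items() if status(h) == "quantum-vulnerable")

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_TREE).items():
        print(f"{status(hits):20} {path}  {dict(hits['quantum-vulnerable'])}")
```

Pattern matching of this kind only sees identifiers that appear in the scanned text; cryptography reached through compiled libraries or hard-coded in firmware needs other discovery methods.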
Federal Pain Points Identified
During the session, participants identified five recurring challenges:
- Cost and Funding – PQC migration touches every system, yet many agencies lack defined budget lines.
- Awareness and Ownership – “Quantum isn’t my problem” remains a common refrain, particularly across large DoD organizations.
- Vendor Readiness – Not all products support PQC—and not all vendors plan to.
- Legacy and OT Systems – Many systems will require hardware replacement, not simple software updates.
- Prioritization – Even with an inventory, agencies must determine which data presents the highest long‑term risk.
The Bottom Line…
- Quantum is not tomorrow’s problem—it’s today’s security problem
- PQC migration takes 5–15 years and cannot be compressed
- Crypto discovery must come first
- Hybrid PQC approaches provide a bridge strategy
- This transition is enterprise‑wide, not just IT
How ATP Gov Helps
- Conducting crypto discovery across applications, networks, cloud, OT, and mission systems
- Building mission‑aligned PQC roadmaps using NIST, OMB, NSA, and CNSA 2.0 guidance
- Evaluating and procuring PQC‑ready technologies
- Leading hybrid PQC deployment pilots
- Helping agencies navigate the vendor ecosystem with confidence
PQC migration is unavoidable. It is also solvable—if you start now.
Synopsis
The episode summarizes an IBM Quantum Safe briefing and NIST migration guidance, warning federal and military IT leaders that the quantum threat is immediate due to “harvest now, decrypt later” and that migration will take 5–15 years. It cites IBM expectations of 200 logical qubits by 2029 and 2000 logical qubits by 2033–2035, when Shor’s algorithm could break RSA/ECC and undermine signatures, identity, and encrypted communications across DoD, IC, critical infrastructure, OT/SCADA, and the defense industrial base. It highlights published federal timelines (inventory now, start high-priority migrations by 2027, avoid new non-PQC procurements, full transition by 2035) and IBM’s validated PQC algorithms and Quantum Safe Suite, and stresses crypto discovery as the top blocker amid legacy and embedded systems, funding, ownership, vendor readiness, and prioritization.
- 00:00 Why Quantum Safe Now?
- 02:05 National Security Stakes
- 02:50 Deadlines and Mandates
- 03:21 IBM PQC Demos
- 04:30 The Crypto Discovery Challenge
- 05:36 Migration Concerns and Priorities
- 06:46 How ATP Gov Helps
- 07:28 Bottom Line Takeaways and Next Steps
This episode is brought to you by ATP Gov. Visit us online at www.atpgov.com or follow us on LinkedIn.
Transcript
[00:00:00] Welcome to The Bottom Line Up Front, the podcast that cuts through the noise to deliver distilled insights from today’s most important technical webinars, presentations and demonstrations designed for federal and military IT leaders. Each episode breaks down complex technologies into mission-ready takeaways, so you get the key points.
Fast. Whether it’s cybersecurity, cloud, architecture, or emerging defense technologies, we highlight what matters most and how trusted integrators like ATP Gov can help implement and operationalize these solutions across your agency or command. No fluff. No filler, just the bottom line up front. Get ready because today’s episode is a big one.
So in this episode, I’m summarizing the full IBM Quantum Safe briefing, the NIST migration guidance and the hard realities that agencies, program offices and integrators must face today. The quantum threat is no longer theoretical because what IBM and Federal Cyber Leaders talked about in this [00:01:00] session should put everyone on alert.
Let’s address the bigger picture: why quantum safe matters now. Quantum computing will break modern encryption. Not maybe. Not eventually. It will. IBM expects systems with 200 logical qubits by 2029 and 2000 logical qubits by the 2033 to 2035 time range. Federal systems need to start migrating now, not in 2029, and most importantly, this transition will take 10 years.
Now, let’s put that in perspective. At 2000 logical qubits, Shor’s algorithm becomes capable of breaking RSA, ECC, and most public key cryptography used across federal IT. And in addition to that, adversaries are already conducting harvest now, decrypt later attacks. So what does this mean for you as a federal listener?
Even if quantum computers capable of breaking crypto don’t exist today, any classified, sensitive, or long-life data intercepted today will be [00:02:00] readable later. This sentiment was reinforced throughout the session, and several hard truths continue to come up. First, we must acknowledge that quantum risk is a national security risk.
If an adversary can derive private keys, they can forge signatures, they can spoof identities, they can rewrite digital history, and they can decrypt stored encrypted comms. And this is catastrophic for Intelligence Community networks, DoD command and control, weapon system maintenance data, satellite and space comms, SCADA and OT systems, critical infrastructure.
And let’s not forget about defense industrial bases. Secondly, operational technology or OT and older systems are particularly vulnerable in this case. That includes mainframes, legacy platforms, embedded systems, many that just can’t simply be patched and ready for PQC. Thirdly, federal deadlines are already published. NSTAC, OMB, and NSA CNSA 2.0
timelines are clear. You have [00:03:00] to inventory now. High-priority migrations need to start by 2027. No new non-PQC-capable procurements after specified dates, and a full transition by 2035. And most agencies in 2026 haven’t even started, and agencies only need five to 15 years to fully migrate. Now, this conference wasn’t just limited to talk tracks.
IBM also walked us through some demonstrations. The first being examples of validated PQC algorithms, those being CRYSTALS-Kyber (ML-KEM) for key encapsulation, CRYSTALS-Dilithium (ML-DSA) for signatures, and hash-based signatures like SLH-DSA and SPHINCS+. And they also hinted at Falcon, which is coming soon.
Next in the demonstration was quantum-safe hardware support with an obvious nod to the work they’ve done upgrading LinuxONE and the IBM z/OS platforms. They now ship with Quantum Safe Secure Boot, PQC-enabled crypto cards (CCA and EP11s), acceleration for [00:04:00] Kyber and Dilithium, as well as TLS 1.3 optimizations, which include SHA and AES-256 upgrades along with FIPS 140-3 compliance.
Additionally, and most importantly, they showcased the IBM Quantum Safe Suite, which includes Explorer, which is designed to discover crypto in source code; Guardian, a full enterprise crypto posture management platform; Mediator, which provides network-level hybrid PQC key establishment; and the Unified Key Orchestrator for cross-cloud key lifecycle management.
The tools I just mentioned helped agencies answer the most critical questions, but the biggest challenge and the hardest part of quantum readiness is crypto discovery, and tools are often only as good as the questions they can satisfy. And in this case, those are: where is the crypto used? Is it quantum safe?
What breaks if we replace it, and what do we migrate first? It’s also important to mention that crypto discovery is the number one blocker to migration. Why? Because most applications contained hidden crypto buried deep in their code or their [00:05:00] libraries or their dependencies, and many dev teams don’t even know what their systems use.
And on the other side, OT systems often hard-code algorithms and can’t be updated without hardware refresh. In this case, IBM shared some real-world examples, one of them being 17,000 plus homegrown apps in one major bank with millions of lines of code, which also included DoD PKI infrastructures with multi-tier vendor stacks.
And just like the example, most agencies don’t know what they have. We can’t stress enough that this is why you can’t start migration until you know what needs to be migrated. Later in the presentation, participants were asked, what are your biggest concerns about PQC migration? And the answers were clustered into five simple themes.
The first being cost and funding. PQC migration touches every system. Agencies currently have limited to no budget lines for PQC migration, and then we have awareness and ownership. And unfortunately, there’s a common refrain in the DoD: “Quantum isn’t [00:06:00] my problem,” and no one knows who owns it. Moreover, vendor ecosystem readiness is another pain point here.
Not all products support PQC. Not all vendors plan to, and not all standards are finalized. Add to that legacy, OT and resource-constrained systems; that means that migration may require full hardware replacements. And finally, prioritization: even with an inventory, what do we migrate first? What data has the highest long-term value to adversaries?
Hybrid modes are your bridge strategy. You can use PQC with classical algorithms until standards are completely finalized. And as a reminder, PQC is not just IT. It’s enterprise-wide: policy, legal, mission owners and cybersecurity leadership must all be in alignment. And as mentioned on previous episodes,
and it’s worth reiterating: how ATP Gov helps federal agencies move from awareness to action. We work with vendors like IBM to conduct crypto discovery across your source code, your networks, applications, cloud workloads, [00:07:00] OT and ICS environments and mission systems. PQC migration is unavoidable. It’s also solvable, but only if you start
now. We can build mission-aligned PQC roadmaps using NIST, NSA, OMB, and CNSA 2.0 frameworks. We can also help you evaluate and procure PQC-ready technologies, things like LinuxONE, IBM z/OS, HSMs, encryption modules, network devices, and other products that are truly PQC-ready. So what’s the bottom line
up front? Quantum is not tomorrow’s problem. It’s today’s security problem because of harvest now and decrypt later. Right now, PQC migration projections are in the range of five to 15 years, and most agencies haven’t started, and you can’t compress this timeline later. You must begin with crypto discovery.
If you can’t map your crypto, you can’t migrate your crypto. At ATP, we’re already leading hybrid PQC deployment pilots in various government agencies, and our goal is to secure today’s mission while [00:08:00] preparing for full migration. Let us help you navigate vendor landscapes and evaluate which products are truly PQC-ready.
Because in the end, PQC isn’t separate. It intersects every modernization program you’re involved. So I’ll wrap up this episode by saying quantum is coming. Migration takes time and the adversary isn’t waiting. But here’s the good news. You don’t need to boil the ocean. You just need to take the first step, that’s discovery, and build from there.
So if your agency needs help mapping your crypto landscape, selecting PQC-ready technologies or building a migration plan aligned with federal mandates, our quantum SMEs are standing by. And as always, stay safe, stay informed, and stay ready because the quantum era is already here. Be sure to reach out to ATP Gov today at www.atpgov.com, or email info@atpgov.com, or check us out on social media on LinkedIn.
Thanks for listening, and be sure to subscribe to The Bottom Line Up Front wherever you get your podcasts. And stay tuned [00:09:00] for more distilled insights from the front lines of tech and national security. So until next time, stay secure. Stay mission ready.
About this Podcast
The Bottom Line Up Front is ATP Gov’s podcast that cuts through the noise to deliver distilled insights from today’s most important technical webinars, presentations and demonstrations designed for federal and military IT leaders. Each episode breaks down complex technologies into mission-ready takeaways, so you get the key points. Fast.
Whether it’s cybersecurity, cloud, architecture, or emerging defense technologies, we highlight what matters most and how trusted integrators like ATP Gov can help implement and operationalize these solutions across your agency or command.
No fluff. No filler, just the bottom line up front.