M 26 15 The Federal Shift From Planning To Execution In Post Quantum Cryptography
- Brian Couzens
- Jun 27
- 3 min read

For years, agencies have talked about preparing for the quantum threat. Most of that talk stayed in the realm of strategy, awareness and long term planning. That changed the moment OMB released M 26 15.
This memo is not a discussion document. It is the operational order that forces every civilian agency to begin the transition to post quantum cryptography now. It defines the work, sets the deadlines and assigns responsibility across leadership teams. The quantum threat is no longer a future scenario. It is a current risk that must be addressed on a fixed timeline.
The Real Meaning of M 26 15
Executive Orders set direction. OMB memoranda set requirements. M 26 15 is the first binding instruction that tells agencies exactly what must happen and when. It moves the federal government from planning to execution.
The memo requires two things from every agency
A complete PQC migration plan delivered within 120 days
A prioritized migration of high impact systems, HVAs and sensitive workloads completed by the end of 2030
This is the most aggressive cryptographic modernization schedule the federal government has ever issued.
The Deadlines That Now Control Federal Cryptography
Three dates define the entire transition
120 days Agencies must submit a full PQC migration plan to OMB and ONCD. This includes governance, inventory methods, risk prioritization, vendor coordination and funding requirements.
January 2 2030 TLS 1.3 becomes mandatory. This is the foundation for hybrid key exchange and PQC ready network security.
December 31 2030 PQC key establishment must be in place for high impact systems, HVAs and any system with long lived or highly sensitive data.
What Agencies Must Actually Deploy
M 26 15 aligns the federal government to the NIST PQC standards
ML KEM for key establishment
ML DSA for digital signatures
SLH DSA for hash based assurance
These are the algorithms agencies must plan around. They are not optional and they are not placeholders.
The memo also recognizes that PQC cannot be deployed everywhere at once. Hybrid cryptography becomes the bridge. Classical and PQC key shares are combined in the TLS 1.3 handshake to maintain security during the transition.
Zero Trust and Identity Depend Directly on PQC
PQC is not a standalone upgrade. It is a dependency for every pillar of Zero Trust. Agencies must update
Device identity and TPM attestation
Network termination points
API and workload level trust
Data protection for long lived sensitive information
GSA is also accelerating FICAM modernization. Identity is about to undergo a significant shift.
Automation Is No Longer Optional
The memo is clear. Manual cryptographic discovery is not feasible. Agencies must use automated tools for
SBOM and SCA based cryptographic analysis
SAST and DAST crypto detection
Network protocol scanning
Continuous CBOM generation
The Cryptographic Bill of Materials is now a required operational artifact.
What This Means for Leadership
CIOs, CISOs, CFOs, Program Owners and System Owners are all named in the memo. This is not a security team task. It is a leadership responsibility.
Agencies must stand up governance, identify priority systems, coordinate with FedRAMP providers, budget for PQC migration and build cryptographic agility into every new system.
What This Means for Vendors
If you sell into the federal space, your product must support PQC algorithms, hybrid cryptography, TLS 1.3, cryptographic agility and CBOM generation. Vendors that cannot meet these requirements will be removed from procurement cycles.
How SITG Consulting Supports This Transition
SITG Consulting has developed a detailed execution deck that translates M 26 15 into engineering patterns, governance models, migration phases, inventory workflows and vendor readiness criteria. It is designed for agencies and vendors that need to move quickly and with precision.
The Transition Has Started
M 26 15 is the most significant cryptographic directive in modern federal cybersecurity. It compresses years of planning into months of action. Agencies that begin now will meet the deadlines. Those that wait will fall behind.
The quantum era is here. The migration is underway.

Comments