top of page

M 26 15 The Federal Shift From Planning To Execution In Post Quantum Cryptography

  • Writer: Brian Couzens
    Brian Couzens
  • Jun 27
  • 3 min read

For years, agencies have talked about preparing for the quantum threat. Most of that talk stayed in the realm of strategy, awareness and long term planning. That changed the moment OMB released M 26 15.

This memo is not a discussion document. It is the operational order that forces every civilian agency to begin the transition to post quantum cryptography now. It defines the work, sets the deadlines and assigns responsibility across leadership teams. The quantum threat is no longer a future scenario. It is a current risk that must be addressed on a fixed timeline.

The Real Meaning of M 26 15

Executive Orders set direction. OMB memoranda set requirements. M 26 15 is the first binding instruction that tells agencies exactly what must happen and when. It moves the federal government from planning to execution.

The memo requires two things from every agency

  1. A complete PQC migration plan delivered within 120 days

  2. A prioritized migration of high impact systems, HVAs and sensitive workloads completed by the end of 2030

This is the most aggressive cryptographic modernization schedule the federal government has ever issued.

The Deadlines That Now Control Federal Cryptography

Three dates define the entire transition

120 days   Agencies must submit a full PQC migration plan to OMB and ONCD. This includes governance, inventory methods, risk prioritization, vendor coordination and funding requirements.

January 2 2030   TLS 1.3 becomes mandatory. This is the foundation for hybrid key exchange and PQC ready network security.

December 31 2030   PQC key establishment must be in place for high impact systems, HVAs and any system with long lived or highly sensitive data.

What Agencies Must Actually Deploy

M 26 15 aligns the federal government to the NIST PQC standards

  • ML KEM for key establishment

  • ML DSA for digital signatures

  • SLH DSA for hash based assurance

These are the algorithms agencies must plan around. They are not optional and they are not placeholders.

The memo also recognizes that PQC cannot be deployed everywhere at once. Hybrid cryptography becomes the bridge. Classical and PQC key shares are combined in the TLS 1.3 handshake to maintain security during the transition.

Zero Trust and Identity Depend Directly on PQC

PQC is not a standalone upgrade. It is a dependency for every pillar of Zero Trust. Agencies must update

  • Device identity and TPM attestation

  • Network termination points

  • API and workload level trust

  • Data protection for long lived sensitive information

GSA is also accelerating FICAM modernization. Identity is about to undergo a significant shift.

Automation Is No Longer Optional

The memo is clear. Manual cryptographic discovery is not feasible. Agencies must use automated tools for

  • SBOM and SCA based cryptographic analysis

  • SAST and DAST crypto detection

  • Network protocol scanning

  • Continuous CBOM generation

The Cryptographic Bill of Materials is now a required operational artifact.

What This Means for Leadership

CIOs, CISOs, CFOs, Program Owners and System Owners are all named in the memo. This is not a security team task. It is a leadership responsibility.

Agencies must stand up governance, identify priority systems, coordinate with FedRAMP providers, budget for PQC migration and build cryptographic agility into every new system.

What This Means for Vendors

If you sell into the federal space, your product must support PQC algorithms, hybrid cryptography, TLS 1.3, cryptographic agility and CBOM generation. Vendors that cannot meet these requirements will be removed from procurement cycles.

How SITG Consulting Supports This Transition

SITG Consulting has developed a detailed execution deck that translates M 26 15 into engineering patterns, governance models, migration phases, inventory workflows and vendor readiness criteria. It is designed for agencies and vendors that need to move quickly and with precision.

The Transition Has Started

M 26 15 is the most significant cryptographic directive in modern federal cybersecurity. It compresses years of planning into months of action. Agencies that begin now will meet the deadlines. Those that wait will fall behind.

The quantum era is here. The migration is underway.

 
 
 

Recent Posts

See All
Post-Quantum Cryptography Discovery Sprint

The First Step Towards Post-Quantum Readiness Most organisations understand that quantum computing will eventually require a transition to post-quantum cryptography (PQC). Far fewer know where to begi

 
 
 

Comments


bottom of page