# Does the Pentagon's New PQC Directive Actually Bind Defense Contractors?

The Defense Department's new Post-Quantum Cryptography strategy sets a hard deadline — every DoD system must support quantum-resistant encryption by end of 2030, and fully employ it before end of 2031 — but cybersecurity attorneys and compliance experts warn that the defense industrial base is nowhere near ready, and the regulatory path to enforcement is longer than those dates suggest.

The Pentagon published its 25-page PQC strategy in June 2026. Beyond defending its own systems, the document explicitly commits to updating the Cybersecurity Maturity Model Certification (CMMC) framework with quantum-resistant algorithm requirements. It also commits to adding quantum-resistance to access control, zero trust architectures, and software development platforms. Simultaneously, the DoD issued an amendment formally initiating the transition to CMMC Revision 3, with enforcement of new guidelines expected in the coming weeks.

The gap between strategic intent and contractual enforcement is large. The federal rulemaking process — not the Pentagon — ultimately controls when PQC requirements become legally binding on contractors. That process has taken years before, and there is no indication it will move faster this time.

---

## What the 25-Page PQC Strategy Actually Says

The strategy's core commitment to the defense industrial base (DIB) is explicit: the department will ensure the DIB migrates to PQC across the enterprise, and will collaborate with DIB partners on interoperability during that migration. The document further specifies that new CMMC requirements based on PQC, updated external certificate authorities, and quantum-resistance embedded in zero trust and access control frameworks are all on the roadmap.

What the document does not specify is precisely how or when compliance will be enforced against contractors. The 2030 and 2031 deadlines are framed around DoD's own systems; the extension to the industrial base sits in a less defined space, dependent on CMMC rulemaking timelines that the Pentagon does not unilaterally control.

Thomas Graham, chief information security officer at Redspin, told DefenseScoop that the strategy reinforces an important point: CMMC was never intended to remain static. As cybersecurity threats evolve, the requirements will evolve as well. That framing is accurate — but it also describes a process measured in years, not quarters.

---

## CMMC Revision 3 Opens a Near-Term PQC On-Ramp

The most technically interesting near-term mechanism isn't a new PQC mandate — it's the "organizationally defined values" (ODVs) provision coming with CMMC Revision 3.

Jacob Horne, chief cybersecurity evangelist at Summit 7, explained the mechanism to DefenseScoop: because CMMC contract clauses point to NIST cybersecurity baselines, the DoD can specify defined values within those baselines without requiring NIST to overhaul its entire cryptographic framework. Horne described these as "cyber requirement Mad Libs" — NIST establishes that encryption must be used, and organizations define the specific parameters.

The U.S. government has exercised this kind of values-setting against NIST cryptographic standards before, which means the Pentagon has a path to requiring PQC in specific contracts without waiting for full CMMC rulemaking. This is a meaningful near-term lever, though it would apply selectively rather than universally.

Revision 3 also reorganizes and consolidates multiple security controls required for CMMC Level 2 assessments. Graham noted that this introduces dozens of organizational defined parameters and more objectives — reducing ambiguity but raising the compliance burden, requiring organizations to make and document more deliberate security decisions. The net effect for most contractors is a harder baseline to satisfy before any PQC overlay is even considered.

---

## The Readiness Gap Is Real and Documented by Practitioners

The compliance picture across the defense industrial base is stark. Michael Gruden, a cybersecurity attorney at Crowell & Moring, told DefenseScoop that many companies are only just beginning early internal discussions about potential PQC requirements — largely because their bandwidth has been consumed by preparing for the Revision 3 transition itself.

More troubling: clients who have begun implementing NIST's quantum cryptographic standards have struggled to do so without breaking existing infrastructure and interrupting operations. This is consistent with what the broader enterprise security community has observed with cryptographic agility migrations — library dependencies, hardware security modules, and legacy protocol stacks all create friction that makes PQC adoption non-trivial even for well-resourced organizations.

Gruden estimated that PQC implementation across the defense industrial base would realistically unfold through a multi-year implementation cycle, and characterized a scenario where industry is suddenly required to leverage quantum-resistant technology within six months as very surprising.

The concern the defense strategy is responding to is legitimate. Quantum algorithms — most obviously Shor's algorithm applied against RSA and elliptic curve cryptography — represent a concrete future threat to data encrypted today. The "harvest now, decrypt later" attack model, where adversaries collect encrypted DoD contractor data now and decrypt it once cryptographically relevant quantum computers exist, is the animating concern behind the urgency in the strategy language. The timeline for when [fault-tolerant quantum computing](https://quantumintel.tech/glossary/fault-tolerant-quantum-computing) at that scale arrives remains genuinely uncertain, but the classification lifetimes of sensitive defense information make the 2030–2031 window defensible as a planning horizon.

---

## Industry Trajectory: Compliance Market, Not Hardware Market

For the quantum industry specifically, this directive is primarily a [post-quantum cryptography](https://quantumintel.tech/glossary/fault-tolerant-quantum-computing) compliance story, not a quantum hardware story. Companies positioned to benefit are those offering PQC migration tooling, cryptographic inventory and agility platforms, and compliance assessment services for the DIB. [SandboxAQ](https://quantumintel.tech/companies/sandboxaq) and [Arqit Quantum](https://quantumintel.tech/companies/arqit) are among the named players in the broader PQC migration market, though neither is specifically cited in the DoD strategy document.

For defense contractors themselves, the immediate action item is not PQC implementation — it's cryptographic inventory: understanding what algorithms are deployed across their environments, where quantum-vulnerable cryptography is embedded in supply chain and third-party systems, and what a realistic remediation timeline looks like. Organizations that complete that groundwork now will be better positioned regardless of whether enforcement comes through CMMC rulemaking, contract clause ODVs, or some combination.

The CMMC enforcement history — years of rulemaking, public comment periods, and contested compliance timelines — suggests that contractors who wait for binding requirements before beginning preparation will find themselves in the same position many found themselves in with the original CMMC: scrambling under a deadline they saw coming for years.

---

## Key Takeaways

- The Pentagon's 25-page PQC strategy, published June 2026, sets DoD system deadlines of end-2030 (support) and end-2031 (employ) for quantum-resistant encryption, with explicit intent to extend requirements to defense contractors via CMMC.
- Full CMMC rulemaking is required before PQC requirements become universally enforceable on contractors — a process that has previously taken years.
- CMMC Revision 3, formally initiated in July 2026, introduces "organizationally defined values" that give the Pentagon a selective near-term path to requiring PQC in specific contracts without full rulemaking.
- Revision 3 also consolidates and expands Level 2 assessment controls, raising the baseline compliance burden before any PQC overlay is added.
- Cybersecurity attorneys and compliance experts describe the defense industrial base as largely unprepared — companies are still focused on base CMMC compliance, and early PQC adopters have encountered infrastructure disruption.
- Multi-year implementation cycles are the realistic expectation; a six-month mandate would be, in the words of one attorney, very surprising.

---

## Frequently Asked Questions

**What is the Pentagon's PQC deadline for defense contractors?**
The DoD's June 2026 PQC strategy states that every DoD system must support post-quantum cryptography by end of 2030 and employ it before end of 2031. The extension of these deadlines to defense contractors via CMMC is intended but not yet finalized through rulemaking.

**Will CMMC Revision 3 require post-quantum cryptography?**
Not universally, not immediately. Revision 3 introduces organizationally defined values that could allow the Pentagon to require PQC in specific contracts without full rulemaking, but a broad PQC mandate across all CMMC-covered contractors would require a separate rulemaking process.

**How long will it take for PQC to become mandatory for defense contractors?**
Experts cited by DefenseScoop estimate a multi-year implementation cycle. The CMMC rulemaking process has historically taken months to years, and the defense industrial base's current readiness level makes rapid enforcement unlikely.

**What is "harvest now, decrypt later" and why does it drive PQC urgency?**
Adversaries can collect encrypted sensitive data today and store it until cryptographically relevant quantum computers exist to break current encryption. Given that classified and sensitive defense information can remain sensitive for decades, migration to quantum-resistant algorithms before those computers exist is the core strategic logic.

**Which companies benefit from the DoD's PQC push?**
PQC migration tooling, cryptographic agility platforms, and DIB compliance assessment services are the primary commercial opportunity — not quantum hardware. The implementation challenge is fundamentally a software, systems integration, and compliance problem, not a qubit problem.