Executive Summary
The Office of Management and Budget (OMB) Memorandum M-26-15 recently gave federal agencies a playbook for post-quantum cryptography (PQC) migration. It calls for an automated, continuously updated cryptographic inventory and makes crypto-agility an architectural objective.
QuProtect R3 by QuSecure was specifically designed to help large organizations, including federal agencies, complete the transition to PQC and cryptographic agility. It’s three principal capabilities of Reconnaissance, Resilience, and Reporting map directly onto guidance in the memo. This guide walks the memo’s core objectives one by one and explains how QuProtect R3 can help agencies and contractors achieve them.
1. Migrate prioritized systems by December 31, 2030
Agencies must execute a prioritized migration “with the objective of mitigating as much quantum risk as feasible by December 31, 2030,” and must fold PQC readiness into existing governance rather than building something parallel.
QuProtect Solution: The 2030 objective is ultimately about getting PQC deployed across the systems that matter, without breaking them. QuProtect deploys National Institute of Standards and Technology (NIST) approved PQC across existing infrastructure without application rewrites or downtime, which is what makes a four-year timeline realistic rather than aspirational. Because it operates as an overlay with centralized control, agencies avoid the rip-and-replace projects that turn migration deadlines into missed deadlines.
2: Submit a PQC Migration Plan within 120 days
Every agency must submit a plan to OMB and the Office of the National Cyber Director (ONCD) within 120 days. The appendix lists exactly what it must contain, including a risk-based prioritization strategy, phase milestones, the TLS 1.3 timeline, the inventory methodology and tools, a crypto-agility plan, a third-party coordination plan, resource estimates, and defined governance roles.
QuProtect Solution: The plan must be written from real data rather than from guesswork. QuProtect’s automated discovery gives you a cryptographic inventory to base your prioritization and resourcing on, and a concrete answer to the required “methodologies and automated tools used for the cryptographic inventory” section. The required “plan for implementing a cryptographic agile architecture” is materially stronger when you can point to an orchestration layer already capable of policy-based algorithm changes.
3: Build risk-based prioritization, including long-lived data
Agencies must prioritize high impact systems, High Value Assets (HVAs), and any system with highly sensitive data or heightened exposure to attacks by a cryptographically relevant quantum computer (CRQC), specifically flagging Public Key Infrastructure (PKI) style asymmetric access-control systems and data “expected to remain mission-sensitive in 2030.”
QuProtect Solution: You cannot prioritize by risk until you can see where your vulnerable cryptography is and what it protects. QuProtect’s Reconnaissance automatically identifies cryptographic assets, surfaces vulnerable and quantum-vulnerable algorithms, and highlights the asymmetric-encryption and PKI dependencies the memo calls out. That inventory is the raw material for a risk ranking that stands up to scrutiny.
4: Identify and replace or decommission systems that cannot do PQC
Systems “incapable of supporting PQC or hybrid cryptography must be identified and given priority for replacement or decommissioning,” and PQC upgrades should ride along with planned cloud, software, and hardware refreshes.
QuProtect Solution: Identifying the dead ends is a discovery problem, and continuous discovery is exactly what Recon does. It surfaces where unsupportable or non-agile cryptography lives so you can flag those systems early. Just as important, because QuProtect protects data in motion across existing infrastructure without touching the applications, it can extend quantum-resilient protection to many systems that look like replacement candidates, reducing how much you actually have to rip out. Budgeting and executing the replacement or decommissioning of genuinely dead-end systems is an agency modernization program. QuProtect narrows that list and buys time on the rest.
5: Manage vendor and third-party or cloud cryptography
Agencies must make PQC integration a requirement for relevant products, engage Federal Risk and Authorization Management Program (FedRAMP) authorized cloud providers on shared-responsibility duties, and coordinate third-party migration.
QuProtect Solution: Much of an agency’s cryptography lives in products and cloud services it does not control, and the memo requires a “third-party coordination plan.” QuProtect’s discovery extends visibility across distributed and cloud environments, so you can see where third-party and cloud-terminated cryptography sits and hold coordinated conversations from evidence rather than vendor assurances.
6: Use automation for discovery, enforcement, and compliance
“Manual approaches to discovery and management of cryptography are often insufficient.” Automation is “critical for inventory management, policy enforcement, and compliance reporting,” feeding a dynamic, continuously updated CBOM and live dashboards.
QuProtect Solution: QuProtect was built precisely because manual cryptographic inventory and management cannot keep pace with federal-scale information technology. Recon delivers automated, continuous discovery; Resilience enforces cryptographic policy across distributed systems; and Reporting turns that live data into a current CBOM and compliance evidence on demand. Where the memo describes automated inventory feeding a central CBOM and dashboards, it is describing QuProtect’s core loop.
7: Make cryptographic agility an architectural principle
Crypto-agility is defined as the ability “to switch its cryptographic algorithms with minimal disruption,” essential not only for the quantum threat but for any future cryptographic weakness. The memo asks for configuration-driven cryptography, protocol negotiation, and agile key management.
QuProtect Solution: Orchestrated crypto-agility is QuProtect’s founding idea. Resilience provides a centralized control plane that lets agencies change cryptographic algorithms by policy, with no code changes, redeployment, or downtime, which is the operational definition of “minimal disruption.” This directly addresses the memo’s call for configuration-driven cryptography rather than algorithms hardcoded into application binaries.
8: Support TLS 1.3 by January 2, 2030
Agencies must support TLS 1.3 or a successor “as soon as practicable, but not later than January 2, 2030,” as the foundation for network-level PQC and hybrid key exchange.
QuProtect Solution: QuProtect Resilience provides TLS 1.3 protection for co-located TCP/IP network services, satisfying this key requirement as a prerequisite for PQC upgrade. The solution supports either hybrid or pure PQC key exchange algorithms to match the organization’s intended deployment configuration.
9: Integrate PQC into a zero-trust architecture
PQC is “a foundational dependency” for a mature zero-trust architecture (ZTA), because “never trust, always verify” fails if the verifying cryptography is vulnerable. The memo maps PQC across four pillars: devices, networks, applications, and data.
QuProtect Solution: QuProtect Resilience enables a quantum-safe, zero-trust security architecture at scale, directly satisfying this requirement. By supporting strong identity for workloads and applications, Resilience creates quantum-safe, mutually-authenticated connections to ensure data is protected from unauthorized access as it traverses untrusted networks. This capability maps directly onto the Network, Applications and Workloads, and Data pillars outlined in the memo.
10: Establish governance, roles, and budget accountability
Migration requires accountability across leadership, clearly defined roles (Chief Information Officer, Chief Information Security Officer, technical and migration leads, security architect, system owners), and Chief Financial Officer (CFO) involvement so migration costs appear in the budget request.
QuProtect Solution: QuProtect helps make governance enforceable: once cryptographic policy is set, Resilience lets those policies be applied and monitored centrally, and Reporting gives leadership the concrete data that make resourcing decisions defensible rather than speculative.
Summary
Everything in M-26-15 depends on one thing: a dynamic, automated cryptographic inventory. Agencies that begin the discovery phase by hand-counting cryptography across applications, certificates, APIs, VPNs, cloud, endpoints, operational technology, and PKI will spend the 2026 to 2027 discovery window still discovering, and arrive at the 2030 migration deadline without having reached the starting line.
QuProtect compresses that timeline at both ends. At the front, automated discovery gives agencies a real inventory in a fraction of the time manual methods take, so the discovery phase finishes on schedule and the migration plan is built on evidence. At the back, orchestrated crypto-agility means the migration itself, and every cryptographic transition after it, is a policy change rather than a redeployment, so the 2030, 2031, and 2035 milestones are milestones you pass rather than walls you hit.
Want a requirement-by-requirement look at where your agency or product stands against M-26-15? Talk to a QuSecure expert or schedule a demo.