The quantum computer has not kicked in the datacenter door yet, which is exactly how security problems become budget problems. Somewhere in the estate, an application is leaning on public key cryptography, a team assumes someone else owns the migration, and a future audit is warming up in the corner like a horror movie violinist. The breach here is not an exposed database. It is an execution gap with a calendar attached.

CyberScoop’s Ellen Boehm frames federal post-quantum cryptography deadlines set for 2030 and 2031 as a multi-year transformation program that many organizations have not yet started. That matters because PQC is leaving the conference keynote fog machine and entering the place where security work either lives or dies: asset visibility, ownership, sequencing, and the eternal spreadsheet of doom. The useful question is no longer whether quantum risk is real someday. It is whether the organization can find and change the cryptography it already depends on.

## What broke: CyberScoop says later is no longer a plan

Boehm writes in CyberScoop that post-quantum cryptography did not sneak up on the industry, since security teams, standards bodies, hyperscalers, and governments have been pointing at the same horizon for years. The horizon is a cryptographically relevant quantum computer that can eventually dismantle the public key algorithms underpinning today’s enterprise security, according to CyberScoop. That is not a movie monster arriving tomorrow with a hoodie and a grudge. It is a long-range systems risk that becomes very concrete when a federal calendar says 2030 and 2031.

The operational problem is that cryptography is not one box in the rack with a nice label and a cooperative attitude. It is a dependency woven through applications and public key use across the enterprise, and that makes migration less like swapping a library and more like renovating plumbing while the building stays open.
CyberScoop’s point is uncomfortable but helpful: a deadline several years away can still be close when the work spans discovery, prioritization, testing, and rollout. Security teams have survived worse, but usually not by starting with vibes.

## Blast radius: NIST says discovery comes before heroics

NIST’s preliminary draft SP 1800-38B, published in December 2023, gives this problem a blessedly unglamorous starting point: cryptographic discovery. The document is titled Migration to Post-Quantum Cryptography Quantum Readiness, and Volume B focuses on the approach, architecture, and security characteristics of public key application discovery tools.

Translation from standards-language to CISO-language: before you can replace risky cryptography, you need to know where public key applications are using it. That sounds obvious in the same way backup testing sounds obvious right before the restore fails. Discovery is the part where architecture diagrams meet reality, and reality is often maintained by three teams, two forgotten integrations, and a ticket queue that has seen things.

NIST’s framing is useful because it turns PQC readiness into a measurable activity rather than a board-slide aspiration. If the first milestone is finding public key use, then the first failure mode is pretending inventory can wait.

## Root cause: CyberScoop’s deadline is really an execution test

CyberScoop’s Boehm describes the federal PQC deadline pressure as a multi-year transformation program, which is the phrase executives use when they mean this will require money, people, and calendar discipline. That framing is important because the threat actor motivation here is simple character development: collect valuable encrypted material now, wait for better decryption capability later, and let time do the dirty work.
The organization’s counterplot is less cinematic but more effective: identify what matters, decide what changes first, and avoid making every system owner discover quantum readiness at the same awful meeting.

The CISO problem is prioritization. Not every system carries the same long-term sensitivity, and not every application will be equally painful to migrate. A sane plan starts with visibility, then turns into sequencing: which public key uses are exposed, which protect data with long shelf life, and which depend on external products or services that need their own timelines. This is where PQC stops being a cryptography seminar and becomes program management with sharper teeth.

## Containment: NIST gives CISOs the boring first win

NIST SP 1800-38B does not promise magic. It points to public key application discovery tools and the architecture needed to understand where cryptography lives before migration begins. That is the boring first win, and in security, boring is often just another word for survivable. The alternative is trying to migrate under deadline pressure with partial inventory, which is how organizations accidentally invent new outage classes.

The practical move is to treat PQC readiness like a transformation program now, not like a future patch note with dramatic music. Assign ownership for cryptographic discovery, define what systems are in scope, and create a migration sequence that can be tested before the 2030 and 2031 pressure turns theoretical risk into executive indigestion. Patch notes are dramatic when they land on Tuesday. Crypto migrations are dramatic when nobody knows what they are patching.

## What it actually means for you

For readers outside the CISO chair, the CyberScoop and NIST takeaway is simple: ask whether your organization has started a cryptographic inventory, not whether it has a quantum strategy slide.
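
An added example (not from CyberScoop, NIST or the original article) of the discovery-then-sequencing step described above: it searches constructed configuration text for quantum-vulnerable public-key families, then orders the hits. The asset records, the regex patterns and the weighting (exposed first, then longest data shelf life) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Public-key families breakable by a cryptographically relevant quantum computer.
FAMILIES = {
    "RSA": re.compile(r"(?<![a-z])rsa(?![a-z])", re.I),
    "ECC": re.compile(r"ecdsa|ecdh|secp\d+|prime256v1|ed25519|x25519", re.I),
    "DH": re.compile(r"(?<![a-z])(dhe?|ffdhe\d+)(?![a-z])|diffie-hellman", re.I),
}

@dataclass
class Asset:
    name: str
    owner: str             # empty string = nobody owns the change path
    exposed: bool          # reachable from outside the organization
    shelf_life_years: int  # how long the protected data stays sensitive
    vendor_managed: bool   # crypto change depends on a supplier's timeline
    config: str            # configuration or scan text to search

# Constructed sample input; names and values are illustrative only.
SAMPLE = [
    Asset("vpn-gateway", "netops", True, 10, True, "ike proposal: ecdh secp384r1, auth rsa-sig"),
    Asset("hr-archive", "", False, 25, False, "KeyAlgorithm=RSA KeySize=2048"),
    Asset("build-cache", "platform", False, 1, False, "cipher aes-256-gcm; universal key wrap"),
    Asset("partner-api", "appsec", True, 3, False, "ssl_ecdh_curve prime256v1; ssl_dhparam ffdhe2048.pem"),
]

def discover(assets):
    """Return (asset, families) for each asset using quantum-vulnerable public-key crypto."""
    found = []
    for a in assets:
        fams = sorted(f for f, rx in FAMILIES.items() if rx.search(a.config))
        if fams:
            found.append((a, fams))
    return found

def sequence(found):
    """Order findings: exposed first, then longest shelf life (assumed weighting)."""
    ranked = sorted(found, key=lambda p: (not p[0].exposed, -p[0].shelf_life_years))
    rows = []
    for a, fams in ranked:
        checks = ((not a.owner, "NO-OWNER"), (a.vendor_managed, "VENDOR-TIMELINE"))
        flags = [label for cond, label in checks if cond]
        rows.append((a.name, fams, flags))
    return rows

if __name__ == "__main__":
    for name, fams, flags in sequence(discover(SAMPLE)):
        print(f"{name:12} {','.join(fams):10} {' '.join(flags)}")
```

The symmetric-only `build-cache` entry is skipped even though its text contains the letters "rsa" inside "universal", which is the kind of false positive a naive substring search would add to the inventory.
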
If you buy software or cloud services, ask suppliers how they are planning for post-quantum migration and how customers will be notified when public key cryptography changes. If you run systems, document where public key cryptography is used and who owns the change path, because future-you deserves at least one mercy.

The 2030 and 2031 federal deadlines are not a panic button. They are a planning signal. Organizations that start with discovery can turn quantum readiness into normal engineering work, which is the least glamorous and most reliable kind. Watch for clearer migration expectations, better discovery tooling, and vendors being forced to say something more useful than the traditional security lullaby, which we are all tired of hearing.

## Sources

- What the post-quantum executive order really demands of CISOs
- [PDF] Migration to Post-Quantum Cryptography Quantum Readiness
- A CISO’s guide to post-quantum readiness: How to build crypto agility now
- Post Quantum Cryptography Readiness Strategy For Today
- CISO’s Guide to Preparing for the Quantum Shift | Encryption Consulting
- CISO's Guide to PQC Migration Planning & Execution
- Post Quantum Cryptography Readiness Strategy For Today - Medium
- A CISO's guide to post-quantum readiness: How to build crypto ...
- Cloud CISO Perspectives: Why PQC is the next Y2K, and what you ...