PQC (Post-Quantum Cryptography) 12-17-2025

No Time to Wait: PQC Pressure from the Dept. of War

Jeremy Rowley

The Department of War (DoW) has just put the market on notice. Its November memorandum, “Preparing for Migration to Post-Quantum Cryptography,” makes two facts crystal clear: first, that quantum-capable cryptography is not a distant research footnote; and second, that operating securely in a post-quantum world demands immediate, coordinated action across government and industry.

The DoW now requires component-level inventories of cryptography, named migration leads, submission of test and acquisition artifacts, and explicit approvals before testing or deploying post-quantum cryptography (PQC) technologies. It also prescribes hard technical limits, including a ban on using quantum key distribution for confidentiality and a required phase-out of insecure pre-shared key and symmetric key-establishment approaches by the end of the decade.  

That directive isn’t a polite suggestion. It’s a mandate, and it should serve as a wake-up call for every organization that still treats crypto migration as “future work.”

What the DoW directive means in plain English

The memo does three things that change the practical calculus for public- and private-sector cybersecurity teams.

1. Forces discovery and automation

Every cryptographic use, from certificates in business applications to embedded keys in operational technology, must be inventoried and owned by a named migration lead. Components must provide contact information within 20 days and keep lists updated annually.

2. Locks down acquisition and testing

Agencies must submit PQC-related test plans and results for review and receive approval before proceeding. Systems with unresolved security or interoperability concerns will be removed from PQC engagement.

3. Eliminates wishful thinking about “quantum silver bullets”

The DoW explicitly disallows quantum key distribution (QKD) and similar quantum communications as a substitute for tested, standards-based PQC for confidentiality and identity protection. It also sets concrete phase-out dates for pre-shared key and many symmetric distribution methods (Dec. 31, 2030, with narrow exceptions).

Why market complacency won’t cut it

We’ve heard the arguments: “Standards aren’t final.” “We’ll wait for the NIST winners.” “It’s expensive to touch every system.”

But the DoW memo exposes why those arguments are no longer tenable:

  • Harvest-now, decrypt-later risk: Sensitive communications captured today can be decrypted later if cryptography isn’t replaced before quantum capability arrives. That makes immediate inventory and prioritization essential.
  • Interoperability and rollback risk: Simply swapping algorithms without system-level testing invites outages and vulnerabilities. The DoW requires pre-deployment vetting for this reason.
  • False substitutes are dangerous: The memo’s rejection of QKD as a confidentiality mechanism should be a cautionary tale: Vendors offering “quantum” marketing in lieu of vetted algorithmic migration give leaders a false sense of security.

To put it simply, the clock is ticking, and “wait and see” is now a recipe for technical debt and unacceptable risk.

DigiCert’s view—and what we’re doing about it

DigiCert believes the industry must stop treating PQC migration as a compliance checkbox and start treating it as a mission. Here’s our hard angle for other vendors, integrators, and customers:

  1. No half-measures: We will not accept vendor roadmaps that rely on proprietary, unverifiable “quantum solutions” as a substitute for standards-based PQC. The DoW is right to require evidence, approvals, and mitigation before acquisition—and so are we.
  2. Accountability first: Organizations must name migration leads, inventory their cryptography, and prioritize systems by risk and lifespan. If your partner can't help you map dependencies all the way down to embedded devices and legacy systems, they aren’t up to the job.
  3. Crypto-agility is non-negotiable: PKI and device identity must be built for algorithm agility: the ability to issue, manage, and revoke certificates that can accommodate NIST-approved PQC algorithms as they mature. If your tooling still assumes fixed algorithms, it’s obsolete.
  4. Prove it, don’t promise it: The DoW requires submission of test artifacts and documented mitigations. We help customers produce auditable evidence, and we’ll challenge partners who can’t demonstrate secure migration pathways.

How DigiCert helps: Immediate, measurable commitments

If organizations are going to meet the DoW’s timelines and technical bar, they need practical solutions that operate at scale. DigiCert is already delivering the following:

  • Rapid cryptographic inventory and dependency mapping: DigiCert Trust Lifecycle Manager helps customers find every cryptographic use—including embedded certificates, IoT identities, code-signing keys, and service-to-service certificates—and prioritize them for migration.
  • PQC-ready PKI and certificate management: DigiCert has evolved our production CA and lifecycle management to issue PQC certificates, enable rapid algorithm rotation via published profiles and ACME/enterprise APIs, and deliver HSM-backed key management, automated issuance/renewal/revocation (CT/OCSP/CRL), interoperability/cross-signing, and auditable test artifacts for procurement and compliance.
  • Testing, artifact-packaging, and approval support: Through DigiCert’s PQC Labs, we provide customers and partners with a controlled environment to test post-quantum algorithms, certificate profiles, and interoperability scenarios before production deployment.
  • Standards leadership and vendor interoperability: DigiCert has been working with NIST and industry partners to accelerate standards adoption and ensure interoperable implementations. Migration only succeeds when the ecosystem works together.

The leadership moment is here

The DoW memo is a declaration that the U.S. government is prioritizing the transition to post-quantum cryptography so it’s not a chaotic, vendor-driven scramble. That’s the right posture for national security, and it should be the posture of every organization that values the integrity and availability of its systems.

If you’re responsible for cryptography in your organization, treat this as an immediate operational priority. Inventory. Appoint migration leads. Demand testable migration plans. And if you need an experienced partner to make the transition practical and auditable at scale—talk to us.
