Quantum Security: Three Questions State And Local Government Leaders Must Ask Themselves TODAY
If you are a security or technology leader in state or local government, you might be looking at the influx of quantum security readiness guidelines with trepidation. There are old algorithms to deprecate, new algorithms to implement, aggressive deadlines, and no absolute certainty on when a quantum computer powerful enough to break today’s encryption will be viable. Unfortunately, we cannot wait for that certainty. The process of upgrading systems to be quantum secure will take years. Additionally, the dual threats of “harvest now, decrypt later” and compromised digital signatures mean that government entities at all levels, which often handle sensitive customer (citizen and beyond!) data or restricted information, will be attractive targets. Luckily, you don’t need to justify your agency’s quantum security investment just by pointing to the threats, as government mandates across the globe work their way to state and local levels. To start getting your arms around what to do next, ask yourself and your team these three questions:
- “What Regulations Do We Need To Prepare For?” Almost every country has issued guidance around migration to quantum safe algorithms and technology. The guidance usually specifies algorithms and timelines. In the US, NIST and CISA have released guidelines calling for classical algorithms like RSA and ECC to be deprecated by 2030 and disallowed by 2035. State and local governments and agencies must follow along. Other countries have their own mandates, and the provinces and regions under those jurisdictions will need to follow and match those guidelines. Security leaders at the state and local level will want to closely track quantum security migration plans for federal agencies with which they share information or resources. Expect that shared technology and communications channels with federal agencies will largely be quantum secure by that country’s deprecation deadline. To interoperate, the supporting systems at the state and local level will also need to support quantum security.
- “What Do I Have?” The first step in the quantum security migration process is cryptographic discovery and inventory, in which you determine the algorithms and protocols used by the applications, systems, third parties, and devices in your environment. This may seem like an overwhelming task. It’s OK to start small with a subset of your environment and then work your way out. According to Forrester’s Security Survey, 2025, 73% of security decision-makers have already begun the discovery process. When we first started talking about cryptographic discovery, this seemed like a very manual exercise, with questionnaires and spreadsheets. Today, several companies offer cryptographic discovery tools to help automate the process. Such tools are available from larger vendors like IBM and specialists like Keyfactor and SandboxAQ.
- “What About My Third Parties?” Whether it’s open-source software, third-party software providers, enterprise IT vendors, device manufacturers, or agency partners that you share data with, your agency relies on a broad ecosystem of third parties whose quantum security readiness is beyond your control. Start asking third parties about their quantum security migration plans, track their responses, and get regular updates. Third parties’ timelines and plans will create additional dependencies for your migration. In some cases, vendor timelines may mean adjusting your refresh plans. For vendors that have no plans to make a legacy product quantum safe, you’ll need to look into other mitigation options. Keep in mind that your third parties have dependencies of their own: fourth or fifth parties that must provide a quantum-secure component back through the supply chain.
As you go through the cryptographic discovery process, start asking how to prioritize different systems for migration, what your implementation options are, and why you should invest in cryptographic agility. I’ll be answering those questions and more at Forrester’s Security & Risk Summit in November. My keynote, “The Quantum Security Mystery,” will address the evolving quantum risk landscape and offer a path forward to assessing your risk and developing a plan for action. I hope to see you there.
In the meantime, if you’re a Forrester client and want to know more, please reach out and set up an inquiry or guidance session. If you’re a Forrester Decisions client, you can also work with your CSM to set up an education session on quantum security for your team.