Uniqcli
Industry Trends

PQC-Ready Network Hardware: What Federal Buyers Must Ask in 2026

A June 2026 executive order and new OMB guidance turned post-quantum cryptography from a 2030 planning exercise into a procurement question you have to answer on your next refresh cycle. Here is how to read the deadlines and vet a vendor's "PQC-ready" claim.

Uniqcli Newsroom · · 6 min read

Industry Trends

The post-quantum compliance clock just got shorter, and it now runs through your purchase orders

For two years, post-quantum cryptography read like a slow-moving standards story: NIST finalized the first algorithms in 2024, agencies were told to inventory their crypto, and the hard deadlines sat comfortably in the 2030s. In the last 30 days that changed. A June 22, 2026 executive order and its implementing OMB memorandum replaced the 2022-era guidance with dated, phased migration mandates, and CISA has now drawn a bright line between product categories agencies may still buy classical-only and those they may not.

The standards baseline: what is actually finished, and what is not

On August 13, 2024, NIST finalized its first three post-quantum standards: FIPS 203 (ML-KEM, a module-lattice key-encapsulation mechanism derived from CRYSTALS-Kyber, for key exchange), FIPS 204 (ML-DSA, a module-lattice digital signature algorithm derived from CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, a stateless hash-based signature standard derived from SPHINCS+). Together these are the algorithms that will replace RSA, ECDH, ECDSA, and Diffie-Hellman across federal systems.

The honest status of the rest matters for procurement, because it is where vendor marketing gets ahead of the record. A fourth signature standard, FIPS 206 (FN-DSA, based on FALCON), is still listed by NIST as in development and is not a published standard, despite secondary sources that claim a 2024 finalization. Separately, on March 11, 2025, NIST selected HQC (Hamming Quasi-Cyclic) as a structurally different backup key-encapsulation mechanism to hedge against a future break in lattice math; it does not yet have a final FIPS number or publication date.

The practical takeaway: a vendor claiming full FIPS 206 or HQC compliance today is describing something that does not exist as a finished standard. What you can hold them to, right now, is FIPS 203, 204, and 205. NIST IR 8547, the transition guidance, sets the runway on the algorithms being retired, deprecating RSA, ECDSA, ECDH, and DH at the 112-bit strength level after 2030 and disallowing them entirely after 2035.

NSA CNSA 2.0

The four-lane National Security Systems timeline, decoded

NSA's Commercial National Security Algorithm Suite 2.0, first issued in September 2022, does not set one deadline. It sets category-specific ones, and networking equipment sits on a tighter track than most. Each line below reads as: support-and-prefer date, then exclusive-use date.

  • Software and firmware signing: support and prefer CNSA 2.0 by 2025; exclusively use by 2030.
  • Web browsers, servers, and cloud services: support and prefer by 2025; exclusively use by 2033.
  • Traditional networking equipment (VPNs, routers): support and prefer by 2026; exclusively use by 2030 — the earliest exclusive-use date of any category.
  • Operating systems: support and prefer by 2027; exclusively use by 2033.
  • The stated overall goal: all National Security Systems on exclusively quantum-resistant algorithms by 2033, with the hardest-to-migrate legacy equipment extending NSA's broader aim to 2035.

The 2026 mandate stack

EO 14412, OMB M-26-15, and what changed versus 2022

The new order converts 2022's planning mandate into a dated execution mandate. Here is the stack, in the order it lands on an agency's desk.

EO 14412 (June 22, 2026)

'Securing the Nation Against Advanced Cryptographic Attacks,' published June 25, 2026. Sets a December 31, 2030 deadline to migrate high-value-asset and high-impact systems to PQC for key establishment and encryption, and December 31, 2031 for post-quantum digital-signature and authentication migration on those same systems.

OMB M-26-15 (June 24, 2026)

Implements the order for civilian agencies and supersedes the 2022 M-23-02 as operative guidance. Requires each agency to submit a PQC Migration Plan to OMB and ONCD within 120 days, structured across five phases from 2026 discovery through 2035 full migration.

New directives to CISA and the FAR Council

The order tasks CISA, within 270 days, with public guidance on a minimum cryptographic bill of materials (CBOM), analogous to a software bill of materials, and directs the FAR Council to propose contractor PQC-compliance rules — the mechanism by which this reaches vendors and resellers.

Learn more

CISA's buying guide: two tiers, and networking gear is on the wrong one

Under an earlier order, EO 14306, CISA was directed to publish a list of commercial product categories that support PQC. It landed on January 23, 2026, roughly seven weeks past its target, and it is the most procurement-relevant document in the stack because it tells buyers where classical-only is already a risk. The list splits technology into two tiers.

'Widely Available' covers cloud services, web browsers and servers, and endpoint security — categories where PQC-capable commercial products already exist, and where the guidance is to acquire only PQC-capable products going forward. There is no excuse left for buying classical-only here. 'Transitioning' covers networking hardware and software (routers, firewalls, switches), storage-area networks, identity and access management systems (HSMs, certificate authorities, identity providers), containers, and email — categories where PQC support is still maturing across vendors.

For transitioning categories, CISA's guidance goes a step further: manufacturers should implement and test PQC across all core and secondary functions, not just the primary encryption path but also auxiliary features like the firmware and software update mechanism, so a quantum-vulnerable back door does not survive inside an otherwise PQC-ready box. That single line is why 'PQC-ready' on a data sheet is not, by itself, a compliance answer for a router or firewall.

For your next RFP or refresh cycle

What 'PQC-ready' should mean when you buy network hardware now

Because networking gear is a transitioning category, the safest asset in 2026 is a written vendor roadmap commitment, not a current SKU. Uniqcli screens vendor claims against the finalized standards; these are the questions that turn a marketing phrase into something checkable.

  • Which exact NIST standard is implemented — FIPS 203 (ML-KEM) for key exchange, FIPS 204 (ML-DSA) or FIPS 205 (SLH-DSA) for signatures? Decline claims that lean on FIPS 206 or HQC, which are not finalized.
  • Is the key exchange hybrid (classical plus PQC combined, such as X25519MLKEM768) or PQC-only? Hybrid is the current recommended approach under OMB's technical guidance.
  • Are the firmware and software update mechanisms also protected by PQC signatures, not just the primary data-plane crypto? This is the back-door CISA specifically warns about.
  • Can the algorithm be swapped later without a hardware refresh — genuine cryptographic agility — so an HQC or FIPS 206 addition does not force a forklift upgrade?
  • Is the claim shipping today or on a roadmap, with a date? Cisco's public target of ML-KEM in Secure Firewall Threat Defense 10.5 and ASA 9.25 for late-2026 general availability is what a specific, datable commitment looks like.
  • Will the vendor provide a cryptographic bill of materials, in line with the CBOM guidance CISA is directed to publish within 270 days of EO 14412?

The accelerant nobody had priced in

The reason these deadlines feel less theoretical than they did a year ago is a resource-estimate scare from April 2026. A Google research announcement described a drastically improved quantum algorithm against elliptic-curve cryptography, paired with an estimate from the quantum-computing startup Oratomic — a Caltech spinout publicly launched March 31, 2026 — suggesting P-256 ECC could be broken with roughly 10,000 qubits on a neutral-atom architecture, versus prior estimates in the millions.

The signal to watch is not the qubit number itself but who reacted. Cloudflare, already among the most post-quantum-advanced operators — it reports that more than two-thirds of browser traffic to its network is protected with hybrid post-quantum key agreement as of mid-2026 — responded by moving its own internal target for full post-quantum security, including authentication, up to 2029. The most prepared player in the market pulled its date forward, not out. For a network-hardware refresh planned for 2026 or 2027, that is the reason to treat cryptographic agility as a requirement rather than a nicety.

What federal and SLED buyers are asking

Do we have to rip out and replace all our routers, firewalls, and VPN concentrators before 2030?

Not a rip-and-replace, but you do need a documented plan. NSA's CNSA 2.0 timeline calls for traditional networking equipment (VPNs, routers) to support and prefer CNSA 2.0 algorithms by 2026 and exclusively use them by 2030, and CISA currently classifies networking hardware as a 'Transitioning' category, meaning PQC-capable products are still maturing rather than universally available. The near-term move is to inventory what you have, get a written PQC roadmap and firmware-update commitment from each vendor, and build replacement into your normal refresh cycle. Under OMB M-26-15's phased timeline, agencies are not required to have prioritized systems fully migrated for key establishment until the 2028-2030 window anyway.

Is 'quantum-resistant' or 'PQC-ready' on a spec sheet enough to check the compliance box for a federal bid?

No — it is a marketing phrase that has to be unpacked before you can rely on it in an RFP response. Ask exactly which NIST standard is implemented (FIPS 203 ML-KEM for key exchange, FIPS 204 ML-DSA or FIPS 205 SLH-DSA for signatures), whether it is hybrid (classical plus PQC, the current recommended approach per OMB M-26-15's technical guidance) or PQC-only, whether the firmware and software update mechanisms are also protected rather than just the primary data-plane crypto, and whether the algorithm can be swapped later without a hardware refresh. A vendor that cannot answer those four questions in writing has not earned the label.

What is actually different about the June 2026 executive order compared to the 2022 OMB guidance?

The 2022 OMB Memo M-23-02 mainly told agencies to inventory their cryptography and name a migration lead — it set a process in motion but few hard deployment deadlines. EO 14412 (June 22, 2026) and its implementing OMB Memorandum M-26-15 (June 24, 2026) replace that civilian guidance with a five-phase migration timeline running from 2026 discovery through 2035 full migration, concrete 2030 (encryption) and 2031 (signature) deadlines for high-value-asset and high-impact systems, a 120-day deadline for agencies to submit a PQC Migration Plan to OMB and ONCD, and new directives for CISA (a cryptographic bill of materials standard) and the FAR Council (contractor compliance rules). In short, it converts 2022's planning mandate into a dated execution mandate with agency accountability built in.

Ready to scope your program?

Talk to a Uniqcli engineer, or send a bill of materials for a TAA-verified quote — no payment up front.