DoD Launches Long-Term Cryptographic Modernization Program to Counter Emerging Quantum Threats

DoD Embarks on Comprehensive Cryptographic Modernization Program

The Department of Defense has unveiled a sweeping, multi-year Cryptographic Modernization Program, under the leadership of the NSA’s Information Assurance Directorate. Its mission: to overhaul aging encryption systems across all command, control, communications, intelligence, surveillance, reconnaissance and weapons platforms, ensuring resilient and interoperable protection for national security systems. This modernization effort follows three sequential phases—replacement, modular modernization, and transformation to meet Global Information Grid (GIG)/NetCentrics standards—with an estimated 73% of the nearly 1.3 million devices slated to be upgraded over the next decade to 15 years.

Timeline & Strategic Objectives

Replacement and Modernization Phases

The first phase focuses on replacement of at-risk legacy cryptographic devices. The second phase seeks to embed modular, programmable solutions to enable easier updates and scalability. The final transformation phase aligns all upgraded systems with the DoD’s GIG/NetCentrics architecture for seamless, secure integration

Quantum-Resilient Cryptography by 2035

Acknowledging the impending threat of quantum computing, the DoD and NSA are accelerating migration to quantum-resistant algorithms. The NSA’s Commercial National Security Algorithm Suite (CNSA) 2.0, updated with quantum-resistant guidance in 2024, serves as an interim baseline. The department aims to migrate all high-priority systems to such algorithms by 2035.

David McKeown, deputy DoD CIO for cybersecurity, acknowledges the massive scale of this effort: hundreds of thousands of endpoints require algorithm updates, testing, re-encryption of data, and deployment across services—making it an “extremely long timeline”.

Enhancing Key Management and Operational Efficiency

From Physical Delivery to Online Provisioning

A significant modernization milestone is the transition to KMI-aware encryptors, which leverage the NSA’s Key Management Infrastructure (KMI). For instance, U.S. Southern Command (SOUTHCOM) deployed KMI-enabled HAIPE devices, allowing secure key delivery directly via the NSA-hosted web storefront. This innovation eliminates the logistical burden of physical key distribution, reduces cost and personnel risk, especially in remote deployments.

Institutional Framework and Oversight

To ensure these modernization efforts remain synchronized, the DoD’s Joint Staff issues an annual cryptographic modernization plan to the CIO, establishes deficiency tracking, interoperability assessments, and coordinates with the NSA via the MC4EB CSP forum. The NSA oversees policy, scheduling, decertification, product obsolescence timelines, and foreign military sales to ensure seamless adoption.

Context & Analysis

The scale and complexity of the DoD’s cryptographic modernization are staggering. Upgrading around a million devices, many deeply embedded in legacy systems, requires meticulous coordination across military services, defense agencies, and industry. The phased architecture—from modular firmware updates to encrypted re-keying—reflects lessons learned from cloud modernization and zero trust initiatives, now extending to foundational encryption infrastructure.

Moreover, the timeline to retire outdated RSA-2048 and SHA-256 certificates by December 31, 2027, underscores urgency in transitioning to stronger standards across both NIPRNET and SIPRNET networks. As quantum computing draws nearer, DoD’s layered approach—algorithm replacement, modular systems, expedited key delivery, and oversight structures—positions it to stay ahead of adversaries.

FAQs