SafeLogic Blog

Preparing for OMB PQC Reporting: Webinar Recap | SafeLogic

Written by Scott Raspa | Mar 3, 2026 8:58:12 PM

Post-quantum cryptography (PQC) has been “the next big thing” for years. But if you work in the Federal space, it’s no longer living comfortably in the future tense.

That was the central theme of a recent Carahsoft-hosted webinar led by Harvey Morrison (CEO, Marion Square), with Jacquay Henderson (CEO, SquarePeg Technologies) and Evgeny Gervis (CEO, SafeLogic). The discussion wasn’t about which post-quantum algorithms to pick or what vendor to buy. It was about something more practical—and more urgent:

OMB’s PQC reporting deadlines are forcing agencies to build the capability to understand, govern, and evolve their cryptography over time.

In other words, reporting isn’t the goal. It’s the catalyst.

Why PQC is Suddenly Real

A key point up front: agencies aren’t mobilizing because a cryptographically relevant quantum computer has arrived. They’re mobilizing because OMB reporting requirements are now demanding measurable, defensible answers about cryptography usage and quantum risk.

That pressure exposes a reality many organizations have lived with for a long time:

  • Cryptography is everywhere
  • Ownership is often unclear
  • Visibility is fragmented
  • Legacy systems weren’t designed for cryptographic change

PQC reporting brings those issues into the open, fast.

And that’s why the panel emphasized that PQC isn’t just a technical upgrade—it’s a program.

The Three-Step Progression: Requirements → Posture → Agility

Strip away the acronyms and it comes down to a practical progression:

  1. Understand the federal requirements
  2. Understand your current cryptographic posture
  3. Build crypto agility so you can sustain reporting and change safely

The warning was clear: agencies get into trouble when they jump straight from “read the memo” to “start migrating” (or “buy a tool”), without understanding how cryptography is implemented and managed across the enterprise.

That sequence matters because PQC is not a one-time cutover. It’s a long transition that will unfold in phases, across heterogeneous systems, amid shifting standards and evolving threats.

The Guidance is Layered for a Reason

One of the most useful sections of the webinar was the overview of how PQC direction is structured across government, because confusion here leads to poor planning and wasted effort.

The panel described a layered model:

  • OMB M-23-02 (Migrating to Post-Quantum Cryptography, November 2022): governance and reporting expectations, including the recurring inventory of quantum-vulnerable systems
  • NSM-10 (May 2022): policy direction and prioritization
  • NSA CNSA 2.0: technical expectations (especially for national security systems), including hybrid approaches and timelines
  • NIST: standards foundation (FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA were finalized in August 2024; further standards are still maturing)

Evgeny added a critical point: the “we can’t act because standards aren’t final” excuse has largely expired. The standards foundation is now real and continuing to evolve—so agencies need a plan that can evolve with it.

What OMB is Asking You to Do

The webinar returned repeatedly to a misunderstanding that causes unnecessary panic:

OMB is not demanding an immediate PQC cutover.

OMB is demanding agencies be able to show—credibly and repeatedly—that they understand their cryptographic reality and have a risk-based plan.

In practice, that means:

  • Maintaining an up-to-date cryptographic inventory (not just systems, but crypto usage and algorithms)
  • Identifying quantum-vulnerable crypto and prioritizing risk
  • Producing a realistic, risk-based migration plan (constraints and dependencies included)
  • Backing claims with defensible evidence
  • Updating that reporting over time as systems change

The hardest part isn’t producing a report once.

The hardest part is sustaining the ability to report as your environment changes.

“Defensible Reporting” is a Data Trust Problem

Jacquay offered one of the most grounded perspectives: once you complete the inventory, it becomes data—and reporting becomes a data trust problem.

If an agency can’t show:

  • That it collected the right data,
  • How it collected the data,
  • That it can repeat the method consistently,
  • And that results are traceable and defensible,

...then the reporting won’t stand up to oversight. And oversight isn’t theoretical—agencies answer to OMB, inspectors general, and sometimes Congress.

This is why “defensible evidence” isn’t a buzzword. It’s a requirement.

And it’s why agencies need an operational reporting pipeline, not a one-time spreadsheet scramble.
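
To make the inventory and prioritization steps listed under “What OMB is Asking You to Do” and Jacquay’s “repeatable, traceable, defensible” point concrete, here is an added Python example. It is not code from the webinar, SafeLogic or any vendor: the sample inventory, the classification table, the risk weights and the method-version tag are all constructed for illustration, and a real pipeline would replace them with the agency’s own threat model and discovery output. What it shows is the shape of a defensible report: the same input always produces a byte-identical result, and the result carries the hash of the input and the version of the method that produced it.

```python
"""Added example (not from the webinar, SafeLogic or any vendor): a minimal
inventory pipeline that classifies cryptography, ranks it by risk and emits a
report with a traceable method version and input hash.  Every record, rule and
weight below is constructed/assumed for illustration, not agency data."""
import hashlib
import json

# Constructed discovery output.  'lifetime' = years the protected data must stay
# confidential (harvest-now-decrypt-later bites long-lived data); 'impact' = 1-3.
SAMPLE_INVENTORY = [
    {"system": "benefits-portal", "component": "tls-edge", "use": "key-exchange",
     "algorithm": "ECDH-P256", "lifetime": 10, "impact": 3},
    {"system": "benefits-portal", "component": "tls-edge", "use": "signature",
     "algorithm": "RSA-2048", "lifetime": 10, "impact": 3},
    {"system": "hr-archive", "component": "backup-encryption", "use": "bulk",
     "algorithm": "AES-128", "lifetime": 25, "impact": 2},
    {"system": "hr-archive", "component": "backup-encryption", "use": "bulk",
     "algorithm": "AES-256", "lifetime": 25, "impact": 2},
    {"system": "vpn-gw", "component": "ike", "use": "key-exchange",
     "algorithm": "ML-KEM-1024+ECDH-P384", "lifetime": 3, "impact": 2},
    {"system": "ci-runner", "component": "artifact-signing", "use": "signature",
     "algorithm": "ML-DSA-65", "lifetime": 1, "impact": 1},
    {"system": "legacy-mainframe", "component": "batch-xfer", "use": "key-exchange",
     "algorithm": "DH-1024", "lifetime": 15, "impact": 3},
]

# Assumed classification table standing in for an agency's threat model.  Public-key
# schemes broken by Shor's algorithm are quantum-vulnerable; NIST PQC families are
# pq-resistant (a hybrid counts if it contains one); symmetric primitives only lose
# strength to Grover, so they are flagged for key-size review, not replacement.
SHOR_BROKEN = ("RSA", "ECDH", "ECDSA", "DH", "DSA", "X25519", "Ed25519")
PQ_FAMILIES = ("ML-KEM", "ML-DSA", "SLH-DSA", "LMS", "XMSS")
METHOD_VERSION = "inventory-classifier/1.0"   # assumed tag; bump when rules change
CLASS_WEIGHT = {"quantum-vulnerable": 3, "unknown": 2, "review-key-size": 1,
                "pq-resistant": 0}


def classify(algorithm):
    """Map an algorithm label to one of the four classes above."""
    parts = algorithm.split("+")                 # "A+B" denotes a hybrid construction
    if any(p.startswith(PQ_FAMILIES) for p in parts):
        return "pq-resistant"
    if any(p.startswith(SHOR_BROKEN) for p in parts):
        return "quantum-vulnerable"
    if algorithm.startswith(("AES", "SHA", "HMAC", "ChaCha")):
        return "review-key-size"
    return "unknown"                             # unknown is a finding, not a pass


def risk_score(rec):
    """Priority = class weight x mission impact x data-lifetime bucket."""
    bucket = 3 if rec["lifetime"] >= 10 else 2 if rec["lifetime"] >= 5 else 1
    return CLASS_WEIGHT[classify(rec["algorithm"])] * rec["impact"] * bucket


def prioritize(inventory):
    """Rank records highest risk first; ties are broken deterministically so the
    same input always yields the same ordering."""
    scored = [{**r, "class": classify(r["algorithm"]), "risk": risk_score(r)}
              for r in inventory]
    return sorted(scored, key=lambda r: (-r["risk"], r["system"],
                                         r["component"], r["algorithm"]))


def summarize(inventory):
    """Counts per class, the rollup a reporting form usually wants."""
    counts = {}
    for r in inventory:
        c = classify(r["algorithm"])
        counts[c] = counts.get(c, 0) + 1
    return counts


def evidence_record(inventory):
    """Defensible output: the report carries the method version and a SHA-256 of
    the canonicalised input, so a reviewer can re-run the same method on the same
    data and get a byte-identical report (collection time belongs in a separate,
    non-hashed field)."""
    canonical = json.dumps(inventory, sort_keys=True, separators=(",", ":")).encode()
    report = {"method": METHOD_VERSION,
              "input_sha256": hashlib.sha256(canonical).hexdigest(),
              "summary": summarize(inventory),
              "findings": prioritize(inventory)}
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    report["report_sha256"] = hashlib.sha256(body).hexdigest()
    return report


if __name__ == "__main__":
    rep = evidence_record(SAMPLE_INVENTORY)
    print(rep["method"], rep["input_sha256"][:16], rep["summary"])
    for f in rep["findings"]:
        print(f"{f['risk']:>2} {f['class']:<18} {f['system']}/{f['component']} {f['algorithm']}")
```

The design choice worth noticing is that nothing in the report depends on when it ran: the collection timestamp and tool build are kept out of the hashed body so that re-running the method on archived input reproduces the prior report exactly, which is what makes a finding defensible to an inspector general rather than merely plausible. A hybrid is only credited as PQ-resistant here because it contains a PQ component; a real classifier would also check the combiner and key sizes, and “unknown” should be treated as a finding to chase, not a pass.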

The Real Endgame: Crypto-Agility

The term “crypto-agility” can sound abstract, but the panel made it concrete: it’s the ability to govern and change cryptography deliberately, safely, and repeatedly without rewriting everything or breaking trust.

Harvey framed it as a practical operational question:

  • Is crypto hard-coded or abstracted?
  • Can hybrid approaches be used during transition?
  • Is ownership and governance clear?
  • Can crypto be changed without application rewrites?

Evgeny described crypto-agility not as a single feature but as a set of capabilities:

  • Continuous visibility into cryptography usage
  • The ability to define crypto policy based on threat model
  • Enforcement of policy through approved implementations
  • Detection when systems drift from expected policy

His analogy landed: today, many orgs treat cryptography like leaky pipes behind drywall—you can fix them, but every repair means tearing open walls. Crypto-agility is building the “access panel” so changes become routine, not a demolition project.

Where Agencies Underestimate Complexity

A standout Q&A asked where agencies underestimate PQC complexity the most: the cryptography itself or the broader architecture and operations?

Jacquay’s answer: architecture complexity is the real monster.

Federal environments aren’t uniform. They’re sprawling mixtures of:

  • Cloud and on-prem
  • Modern and decades-old systems
  • Third-party platforms
  • Undocumented “shadow IT” that can break unexpectedly

Change cryptography in one place and you may break a fragile dependency somewhere else—sometimes in systems only a handful of people even understand.

Evgeny added two additional pain points:

  1. Discovery tools can generate a lot of findings—but turning that data into risk-based priorities requires an organizational threat model and context.
  2. Most organizations have serious cryptographic posture management technical debt because cryptography hasn’t historically been treated as a governable asset.

How Do You Know You’re Becoming Crypto-Agile?

One of the best questions asked: what’s an early indicator that an agency is becoming crypto-agile (vs simply completing a one-time migration)?

Two answers stood out:

  • You can identify and point to the highest-risk systems and their vulnerable cryptography. That implies visibility and prioritization.
  • Your response to a CVE in a cryptographic library or algorithm is fast and precise. If it takes weeks to figure out where you’re exposed, you’re not agile. If you can quickly locate and remediate, you’re moving in the right direction.

Harvey summarized it nicely: crypto-agility shows up as reduced “time-to-know” and “time-to-fix.”
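
Harvey’s “hard-coded or abstracted?” question, Evgeny’s policy/enforcement/drift capabilities, and the time-to-know test above can all be shown in a few dozen lines. The following is an added Python example, not code from the webinar, SafeLogic or any vendor: the policy, the deployment records, the library names and the advisory are constructed, and the use names and tiers are an assumed schema rather than any standard. It contrasts a hard-coded algorithm choice with a policy lookup, negotiates hybrid first and classical only as a transition tier, flags deployments that have drifted from policy, and shows that retiring an algorithm is a policy edit followed by a re-run of the drift check rather than an application rewrite.

```python
"""Added example (not from the webinar, SafeLogic or any vendor): the difference
between hard-coded and policy-driven cryptography, hybrid selection during the
transition, and drift detection over observed deployments.  The policy,
deployment records, library names and the advisory are all constructed."""


# Hard-coded: the pipe behind the drywall.  Retiring ECDH-P256 means finding
# and editing every caller like this one, then re-testing each application.
def hardcoded_key_exchange():
    return "ECDH-P256"


# Abstracted: callers name a use, the policy names the algorithms.  Each use has a
# preferred list (hybrid or PQ first) and a time-boxed transition list of
# classical-only fallbacks.  Changing cryptography is now a policy edit.
POLICY = {
    "version": "2026-03",
    "key-exchange": {"preferred": ["ML-KEM-1024+ECDH-P384", "ML-KEM-768+X25519"],
                     "transition": ["ECDH-P384", "X25519"]},
    "signature":    {"preferred": ["ML-DSA-87", "ML-DSA-65"],
                     "transition": ["ECDSA-P384", "RSA-3072"]},
    "bulk":         {"preferred": ["AES-256-GCM"], "transition": []},
}

# Constructed discovery output: what is actually running, per system and use.
DEPLOYMENTS = [
    {"system": "benefits-portal", "use": "key-exchange", "algorithm": "ECDH-P256",
     "library": "openssl-1.1"},
    {"system": "vpn-gw", "use": "key-exchange", "algorithm": "ML-KEM-1024+ECDH-P384",
     "library": "strongswan-6"},
    {"system": "ci-runner", "use": "signature", "algorithm": "ECDSA-P384",
     "library": "go-crypto"},
    {"system": "hr-archive", "use": "bulk", "algorithm": "AES-128-GCM",
     "library": "openssl-1.1"},
    {"system": "legacy-mainframe", "use": "signature", "algorithm": "RSA-2048",
     "library": "vendor-libcrypt"},
]


def select(policy, use, peer_supports):
    """Pick the most preferred algorithm for `use` that the peer also supports.
    Hybrids sit first, so a PQ-capable peer gets hybrid without any caller
    change; a classical-only peer falls to the transition tier, never below it."""
    for tier in ("preferred", "transition"):
        for alg in policy[use][tier]:
            if alg in peer_supports:
                return alg, tier
    raise ValueError(f"no policy-compliant {use} algorithm shared with peer")


def detect_drift(policy, deployments):
    """Compare observations against policy.  'transition' = tolerated for now,
    'violation' = outside policy entirely (the remediation queue)."""
    findings = []
    for d in deployments:
        rules = policy[d["use"]]
        if d["algorithm"] in rules["preferred"]:
            continue
        status = "transition" if d["algorithm"] in rules["transition"] else "violation"
        findings.append({**d, "status": status, "policy": policy["version"]})
    return findings


def retire(policy, algorithm, new_version):
    """A policy change with no application change: drop one algorithm from every
    transition list and bump the version.  Re-running detect_drift then shows
    exactly which systems still depend on it."""
    new = {"version": new_version}
    for use, rules in policy.items():
        if use != "version":
            new[use] = {"preferred": list(rules["preferred"]),
                        "transition": [a for a in rules["transition"] if a != algorithm]}
    return new


def exposure(deployments, affected):
    """Time-to-know for an advisory: systems using any affected algorithm or
    library, answered from inventory rather than a manual hunt."""
    return [d["system"] for d in deployments
            if d["algorithm"] in affected or d["library"] in affected]


if __name__ == "__main__":
    print(select(POLICY, "key-exchange", {"ML-KEM-768+X25519", "X25519"}))
    print(select(POLICY, "key-exchange", {"ECDH-P384", "ECDH-P256"}))
    for f in detect_drift(POLICY, DEPLOYMENTS):
        print(f["status"], f["system"], f["algorithm"])
    later = retire(POLICY, "ECDSA-P384", "2026-09")
    print([f["system"] for f in detect_drift(later, DEPLOYMENTS) if f["status"] == "violation"])
    # constructed advisory: suppose a flaw lands in openssl-1.1 (no real CVE implied)
    print(exposure(DEPLOYMENTS, {"openssl-1.1"}))
```

Two things carry over to a real program. First, the policy is versioned and every drift finding records which policy version judged it, so a report can say “violation under 2026-09” rather than just “violation”. Second, the peer in `select` is whatever the other side advertises (a TLS ClientHello, an IKE proposal), so the same policy object drives both negotiation at runtime and compliance checking after the fact; that is what it means for enforcement and detection to share one source of truth.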

PQC and Zero Trust: Not Separate Initiatives

Another practical Q&A: Where does PQC fit into Zero Trust?

The panel’s view: Zero Trust depends on cryptographic foundations (identity, PKI, secure communications). PQC migration isn’t a separate track—it’s tightly connected.

There was also a strategic budgeting implication: agencies with strong Zero Trust momentum may be able to align PQC workstreams with that investment and architecture roadmap.

The Takeaway: Treat PQC as an Iterative Program, not a Finish Line

In closing, the speakers reinforced a mindset shift:

  • OMB reporting is the near-term driver, not the end goal
  • PQC is a program challenge, not just a technical task
  • The winning sequence is requirements → posture → agility
  • Do this iteratively—you won’t flip a switch from vulnerable to resistant overnight

Evgeny’s final advice was especially pragmatic: approach PQC like an agile project. Start where it matters most, start where dependencies are manageable, and improve continuously—so you’re more quantum-resistant tomorrow than you are today.

What Agencies and Vendors Should Do Next

If you’re staring down PQC reporting requirements, the webinar’s implicit action plan looks like this:

  • Clarify scope: which systems fall under which guidance
  • Build (or refine) your crypto inventory pipeline: repeatable, traceable, defensible
  • Translate discovery into priorities: tie cryptography findings to threat model and mission impact
  • Invest in crypto agility: governance + visibility + enforcement, not just one-time remediation
  • Plan for hybrid operations: interoperability will define the transition

Because the reality is simple:

The organizations that treat PQC as a living capability will stop scrambling every reporting cycle—and start managing cryptographic change like a normal part of operations.

And that’s the point.