The $7.1 billion floor: what the US federal PQC migration estimate leaves out
OMB and ONCD priced US civilian PQC migration at $7.1 billion, excluding defense and intelligence. The constraint that compounds is calendar, not budget.
$7.1 billion is the federal estimate for migrating US civilian systems to post-quantum cryptography. The figure comes from the OMB and ONCD report mandated by the Quantum Computing Cybersecurity Preparedness Act, published July 2024. Defense and intelligence are excluded; national security systems are scoped separately and their costs are not disclosed.
The conversation has moved past whether to migrate, and past when. What remains open is the sequencing, and who still has room on the calendar to sequence at all.
Why is the figure a floor, not a ceiling?
The estimate covers civilian agencies over the 2025 to 2035 window, per the same report. Classified systems sit outside it. So does every private-sector system, and the report flags inventory-driven uncertainty in its own number. Each exclusion pushes the true total in one direction: up.
Which clocks set the schedule?
Per Gartner research, current asymmetric cryptography is dated unsafe by 2029 and fully breakable by 2034. Per the Google security blog of March 2026, Google has set its internal migration target to 2029. The NIST IR 8547 transition plan deprecates RSA-2048 and ECC P-256 by 2030 and phases them out by 2035.
| Clock | Year | Source |
|---|---|---|
| Current asymmetric cryptography dated unsafe | 2029 | Gartner research |
| Google internal migration target | 2029 | Google security blog, March 2026 |
| RSA-2048 and ECC P-256 deprecated | 2030 | NIST IR 8547 |
| Current asymmetric cryptography fully breakable | 2034 | Gartner research |
| RSA-2048 and ECC P-256 phased out | 2035 | NIST IR 8547 |
The 2030 deprecation and the 2035 phase-out now sit downstream of the 2029 clocks, not upstream.
What does waiting actually cost?
Waiting reprices the project. The same migration, started later, runs inside a compressed window with fewer vendors available, and the difference shows up in three places.
An organization starting today has time to identify legacy systems where cryptographic functions are buried in firmware and cannot be patched in place. A late starter does not. The early mover chooses between three certificate authorities; the 2028 entrant takes whoever has capacity. Piloting, measuring, and retiring approaches that do not work is a calendar privilege; the compressed alternative ships once.
What is the structural work?
The standards are settled, so algorithm selection is not the project. The project is the cryptographic inventory, the dependency map, the embedded-firmware replacement, and the supply-chain coordination. None of those scale linearly with budget. They scale with calendar.
The federal estimate carries an explicit note about uncertainty driven by inventory. Most organizations do not yet know which of their systems use which cryptographic algorithms, where the keys live, or how dependencies cascade through their supply chain. That uncertainty does not improve with time; it compounds. A free PQC assessment is one way to start replacing that uncertainty with a list.
$7.1 billion is what one government has put in writing as a floor, for civilian systems alone. The private-sector total is not yet costed at that resolution. When it is, the math will not flatter the late movers.
- OMB and ONCD report under the Quantum Computing Cybersecurity Preparedness Act, July 2024 (verified May 20, 2026)
- Gartner research on asymmetric cryptography timelines (verified May 20, 2026)
- Google security blog, March 2026 (verified May 20, 2026)
- NIST IR 8547 transition plan (verified May 20, 2026)