Trump's 2026 Strategy to Mandate Zero Trust, PQC for DoD

The upcoming 2026 U.S. Cyber Strategy under the Trump administration will reportedly mandate the adoption of post-quantum cryptography and Zero Trust architecture. The mandate will apply to federal networks, critical infrastructure, and, crucially for contractors, DoD supply chains.

The Department of Defense is already working towards a "Target Level" Zero Trust implementation by the end of fiscal year 2027. This existing strategy is built upon seven pillars: User, Device, Applications & Workloads, Data, Network, Automation & Orchestration, and Visibility & Analytics. In January 2022, the DoD established the Zero Trust Portfolio Management Office (ZT PfMO) to orchestrate this department-wide shift. The core of the strategy is a "never trust, always verify" mindset, requiring continuous validation of every user and device to grant access based on the principle of least privilege.

The push for Post-Quantum Cryptography stems from the threat of "harvest now, decrypt later," where adversaries capture encrypted data today in order to break it later with future quantum computers. In response, the National Institute of Standards and Technology (NIST) began a standardization process in 2016, releasing the first final PQC standards—including ML-KEM and CRYSTALS-Dilithium—in August 2024. This transition has been years in the making, formalized by National Security Memorandum 10 (NSM-10) and the Quantum Computing Cybersecurity Preparedness Act, which was signed into law in December 2022. These directives already mandate that federal agencies begin preparing for the migration to quantum-resistant algorithms.

A recent DoD CIO memorandum established a dedicated PQC Directorate and requires every DoD component to designate PQC migration leads. These leads are tasked with creating a complete inventory of all cryptographic systems in use, from weapons systems and cloud services to mobile devices and IoT.

For identity-focused practitioners, the convergence is critical at the User pillar. The cryptographic foundations of multi-factor authentication, identity management, and access controls are vulnerable. Under a PQC mandate, these systems would require upgrades to NIST-approved algorithms to ensure authentication and authorization remain secure.

Federal agencies are already being urged to include PQC compliance in new contracts, signaling a significant shift for the defense industrial base. Contractors will be required to demonstrate a clear migration path for their products and prove they are not using prohibited or non-compliant cryptographic methods.

Implementation faces significant hurdles, including the complexity of replacing cryptography in legacy systems, budget constraints, and the challenge of ensuring interoperability across the entire defense enterprise during the transition.
