Implement ACDI to prepare for the Post-Quantum Era
Key Takeaways
- Quantum threats are approaching faster than many organizations expect
- Sensitive data with long retention periods is already at risk
- Agencies should begin crypto inventory and migration planning now
- ACDI provides a structured path to quantum readiness
Q-Day, the day when quantum computers are powerful enough to break standard encryption, is just around the corner. But for government agencies performing our nation’s most critical missions, the quantum threat has already arrived.
Adversaries and nation-states are already executing “harvest now, decrypt later” campaigns, intercepting encrypted communications and storing them until quantum capabilities can break today’s encryption. This alarming trend makes the implementation of Automated Cryptographic Discovery and Inventory (ACDI) mandated standards and capabilities, and their role in successfully transitioning to post-quantum cryptography (PQC), an even more immediate priority in securing classified data and mission-critical systems.
Make sure you’re prepared for the coming quantum-resilient cybersecurity era by following these six steps to meet ACDI requirements:
Step 1
Create a Comprehensive Cryptographic Inventory
The first step toward quantum readiness is gaining full visibility into your cryptographic landscape.
Creating an inventory, or Cryptographic Bill of Materials (CBOM), provides this by identifying all key cryptographic assets. Leveraging ACDI automates this discovery process, helping agencies maintain a living CBOM that identifies key assets, including:
- Algorithms
- Key management systems and certificates
- Cryptographic dependencies embedded in applications, infrastructure, and third-party and legacy systems
ACDI ensures that no matter how complex the architecture (whether it spans on-prem, cloud, or classified networks), this living inventory will align with asset management practices under frameworks such as those from the National Institute of Standards and Technology (NIST) and with other relevant DoW and federal quantum security standards.
Step 2
Assess Risk and Prioritize High-Value Data
Not all data carries the same level of risk. Evaluate which data assets are most susceptible to quantum-related risk by weighing:
- Sensitivity
- Classification level
- Required duration of confidentiality
Traditionally, high-priority assets will include:
- Classified national security information
- Defense-related intellectual property
- Controlled unclassified information (CUI)
- Personally identifiable information (PII)
- Critical infrastructure and operational data
“Organizations should assume encrypted data collected today may be decrypted in the future.”
ACDI helps agencies assess risk by correlating cryptographic assets with sensitive systems and prioritizing remediation based on mission risk and quantum exposure. This ensures that risk assessments align with guidance from the Office of Management and Budget and incorporate mission impact analysis.
Step 3
Prioritize Cryptographic Agility
Rigid, hard-coded cryptographic implementations are a liability in a rapidly evolving environment.
Instead, government agencies should design systems for “cryptographic agility” to enable seamless replacement or upgrading of algorithms without requiring full system overhauls. Government agencies can improve agility by:
- Designing systems with modular cryptographic components
- Centralizing key management
- Leveraging standardized APIs and interfaces
- Reducing reliance on hard-coded encryption implementations
ACDI can help identify hard-coded implementations, legacy dependencies, and algorithm usage patterns that may delay PQC migration. This is especially important in maintaining architectural flexibility as federal quantum security standards and PQC guidance continue to evolve.
Also of note: Cryptographic agility supports broader zero-trust modernization efforts, where adaptability and continuous validation are essential to effective quantum-era cybersecurity.
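The discovery pass described in Steps 1 and 3, as an added example that is not taken from the original article or from any ACDI product: it scans text for algorithm names, records each mention as an inventory entry, and queues assets that use quantum-vulnerable public-key algorithms, hard-coded ones first. The sample files, the record fields, and the file-extension heuristic for "hard-coded" are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Public-key families that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DSA", "DH"}

# Algorithm name with an optional size suffix, e.g. RSA-2048, AES_256, ML-KEM-768.
TOKEN = re.compile(
    r"(?<![A-Za-z0-9])(RSA|ECDSA|ECDH|DSA|DH|AES|ML-KEM|ML-DSA)"
    r"(?:[-_]?(\d{3,4}))?(?![A-Za-z])", re.IGNORECASE)

# Assumption: an algorithm named in program source is hard-coded, one named in
# a config file is not. A fuller check would look at the call sites.
SOURCE_EXT = (".py", ".java", ".c", ".go")

# Constructed sample assets (file names and contents are made up).
SAMPLE = {
    "gateway/tls.conf": "cert_key = RSA-2048\nkex = ECDH\ncipher = AES-256\n",
    "billing/sign.py": 'key = load_key("RSA-1024")\nsig_alg = "ECDSA"\n',
    "vpn/tunnel.yaml": "kem: ML-KEM-768\ncipher: AES_256\n",
}

def scan(files):
    """Return one inventory record per algorithm mention in the given files."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in TOKEN.finditer(line):
                algo = m.group(1).upper()
                findings.append({
                    "asset": path, "line": lineno, "algorithm": algo,
                    "size": int(m.group(2)) if m.group(2) else None,
                    "quantum_vulnerable": algo in QUANTUM_VULNERABLE,
                    "hard_coded": path.endswith(SOURCE_EXT),
                })
    return findings

def migration_queue(findings):
    """List assets using quantum-vulnerable algorithms, hard-coded ones first."""
    per_asset = defaultdict(list)
    for f in findings:
        if f["quantum_vulnerable"]:
            per_asset[f["asset"]].append(f)
    return sorted(per_asset, key=lambda a: (not per_asset[a][0]["hard_coded"], a))

if __name__ == "__main__":
    inventory = scan(SAMPLE)
    for asset in migration_queue(inventory):
        print(asset, [f["algorithm"] for f in inventory if f["asset"] == asset])
```

The VPN asset stays in the inventory but never enters the queue, because ML-KEM and AES are not in the quantum-vulnerable set.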
Step 4
Implement Hybrid Cryptography
For many government agencies, an immediate transition to post-quantum cryptography is unrealistic.
However, adopting hybrid cryptography provides a practical bridge for eventual government adoption of post-quantum encryption capabilities. By combining classical algorithms with quantum-resistant alternatives, the hybrid approach offers several benefits, including:
- Maintaining compatibility with existing systems
- Reducing migration risk
- Introducing quantum-resistant protections incrementally
- Allowing agencies to evaluate performance and interoperability
Hybrid implementations are especially relevant for securing communications protocols such as TLS and VPNs used across interagency and coalition environments, and ACDI-mandated solutions can help agencies track deployment and monitor migration progress over time.
“You cannot modernize cryptography you have not inventoried.”
Step 5
Modernize Hardware and Software Infrastructure
PQC algorithms often introduce new performance and resource considerations, particularly in constrained or legacy environments.
Many quantum-resistant algorithms require:
- Increased computational power
- Additional memory resources
- Updated cryptographic libraries
- Modernized networking infrastructure
ACDI can help government agencies assess whether existing infrastructure can support these new requirements.
Modernization efforts may include:
- Updating operating systems and security appliances
- Refreshing legacy hardware
- Enhancing VPN and TLS capabilities
- Ensuring cloud providers support PQC-ready environments
A phased modernization strategy can help agencies reduce disruption while improving long-term resilience, and ACDI reporting helps identify systems that may require infrastructure upgrades before PQC adoption.
Step 6
Strengthen Vendor and Supply Chain Engagement
Government agencies do not operate in isolation. Contractors, vendors, and technology partners all play a critical role in the cryptographic ecosystem, and ensuring these partners are aligned with PQC transition goals is critical.
Organizations should begin engaging vendors now on PQC readiness by:
- Requesting PQC transition roadmaps
- Evaluating vendor cryptographic implementations
- Incorporating PQC readiness into procurement requirements
- Assessing supply chain dependencies and risk exposure
Without strong vendor coordination, agencies risk introducing vulnerabilities through third-party systems and supply chains that are not prepared for quantum-era cybersecurity requirements. ACDI capabilities can help extend visibility into third-party cryptographic dependencies and support vendor risk assessments.
Preparing for a Quantum-Resilient Future
The implementation of ACDI and the shift to post-quantum cryptography are no longer a future consideration. They are a present-day priority tied directly to mission continuity and national security.
While the timeline for large-scale quantum disruption remains uncertain, adversaries are already positioning themselves to exploit future cryptographic weaknesses. Agencies that act now by implementing ACDI-mandated capabilities that improve visibility, prioritize sensitive data, modernize infrastructure, and strengthen ecosystem collaboration will be better prepared to protect mission-critical information and operate securely in a post-quantum world.
Need help preparing for the Post-Quantum Era?
Contact our experts at Everforth ECS to discover how we help agencies identify cryptographic dependencies and build mitigation roadmaps.



