Microsoft Moves Up Quantum Safe Security Timeline
Microsoft is accelerating its quantum-safe security timeline, saying advances in quantum computing and new federal requirements have pushed post-quantum cryptography from a future planning issue into an immediate engineering priority.
In a Tuesday Microsoft Security blog post, Mark Russinovich, chief technology officer for Microsoft Azure, said the company is moving up its internal schedule for transitioning critical products and services to post-quantum cryptography, or PQC, by 2029.
"For years, planning for post-quantum cryptography (PQC) was framed as a future problem: important, inevitable, but distant," Russinovich wrote. "That perspective is evolving as technology advances and organizations prepare for the scale and complexity of the transition ahead."
The update comes just days after the White House issued Executive Order 14412, "Securing the Nation Against Advanced Cryptographic Attacks," which directs federal agencies to begin moving high-value assets and high-impact systems toward NIST-approved post-quantum cryptography standards.
The order reflects growing concern that bad actors may be collecting encrypted data now with the expectation that quantum computers will eventually be powerful enough to break widely used cryptographic systems.
"The advent of large-scale quantum computers, particularly in the hands of adversaries, will pose a significant threat to widely used cryptographic security systems," the order states. It also warns that ongoing cyber activity creates the risk of adversaries "collecting United States information now, and decrypting it later once large-scale quantum computers are operational."
Microsoft said that same "harvest now, decrypt later" risk is already changing how customers think about long-lived sensitive data. The company said organizations in regulated industries, critical infrastructure and other high-risk environments are prioritizing information that may need to remain confidential for many years.
Russinovich said Microsoft now believes the risk horizon has shifted.
"We believe cryptographically relevant quantum computers could arrive sooner than previously expected -- and the work required to prepare is significant so organizations need to start now," he wrote. "The quantum capabilities are accelerating. The time to respond is now."
As part of that shift, Microsoft said it is accelerating its Quantum Safe Program and incorporating PQC requirements into its Secure Future Initiative, the companywide security engineering effort launched after a series of high-profile security failures and government reviews. The company said the move is intended to put quantum-safe readiness into the same operational framework used for other security priorities, including ownership, measurable milestones and progress tracking.
Microsoft said its near-term work will focus on three areas: upgrading network cryptography, building crypto-agility for stored data and modernizing cryptographic trust chains used for identity, signing and certificates.
For network cryptography, Microsoft said adopting TLS 1.3 can establish a baseline for hybrid and post-quantum key exchange as standards mature. For stored data, the company said organizations need crypto-agility, meaning cryptographic settings should be configurable without forcing broad application redesigns. For trust chains, Microsoft pointed to code signing, certificate issuance, key protection and update pipelines as among the more complex areas that will need to be modernized.
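The crypto-agility idea for stored data, sketched as an added example (not code from Microsoft or the blog post): each record names the algorithm that protects it, and a policy object held in configuration decides what is written and what is still accepted. The HMAC algorithms are stand-ins for whatever primitives a deployment registers, and the envelope fields, policy layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Registry keyed by the identifier stored in every record. The HMAC variants
# are stand-ins (assumption); a deployment registers its own primitives here.
ALGORITHMS = {
    "hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).hexdigest(),
    "hmac-sha512": lambda key, data: hmac.new(key, data, hashlib.sha512).hexdigest(),
}


def protect(key, payload, policy):
    """Wrap payload in an envelope that records which algorithm protects it."""
    alg = policy["current"]
    tag = ALGORITHMS[alg](key, payload.encode())
    return json.dumps({"alg": alg, "payload": payload, "tag": tag})


def verify(key, record, policy):
    """Return the payload if its tag verifies under a policy-accepted algorithm."""
    env = json.loads(record)
    alg = env.get("alg")
    # Refuse anything the policy has retired, even if the code still knows it.
    if alg not in policy["accepted"] or alg not in ALGORITHMS:
        raise ValueError(f"algorithm not accepted by policy: {alg!r}")
    expected = ALGORITHMS[alg](key, env["payload"].encode())
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("integrity check failed")
    return env["payload"]


def migrate(key, record, policy):
    """Re-protect one stored record under the policy's current algorithm."""
    return protect(key, verify(key, record, policy), policy)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    old = {"current": "hmac-sha256", "accepted": ["hmac-sha256"]}
    # Transition window: write the new algorithm, still read the old one.
    transition = {"current": "hmac-sha512",
                  "accepted": ["hmac-sha256", "hmac-sha512"]}
    stored = protect(key, "constructed sample record", old)
    print(json.loads(migrate(key, stored, transition))["alg"])
```

Callers of `protect` and `verify` never name an algorithm, so retiring one is a policy change followed by a `migrate` pass over stored records.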
The White House order sets a similar direction for federal systems. It requires agencies to identify a PQC migration lead within 30 days and directs OMB, in consultation with CISA and the national cyber director, to issue guidance within 90 days requiring agencies to review inventories of high-value assets and high-impact systems.
Under the order, those systems must transition to PQC for key establishment by Dec. 31, 2030, and for digital signatures by Dec. 31, 2031. The order also calls for a NIST pilot project to be completed by Dec. 31, 2027, and directs CISA and NIST to publish public guidance on minimum elements for a cryptographic bill of materials.
"It is the policy of the United States to safeguard national security and maintain technological leadership by responsibly and effectively executing the transition of Federal information systems to National Institute of Standards and Technology (NIST)-approved Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography (PQC), and to assist critical infrastructure owners and operators with their transitions," the order states.
For enterprise IT teams, Microsoft said the hardest part may not be choosing algorithms, but finding where cryptography already exists across applications, services, networks, identities, certificates and hardware.
"Most organizations lack clear visibility into where cryptography exists across applications, infrastructure, and legacy systems, making discovery and prioritization the primary challenge," Russinovich wrote.
Microsoft is urging organizations to begin with strategy, ownership and inventory, while also modernizing protocols and designing new systems with crypto-agility in mind. The company said starting earlier can reduce risk while helping organizations avoid disruptive, rushed migrations later.