Navigation Path:  Home > Research > National PQC Modernization Mandate (Dec 2025) — Arizona Alignment & Implementation Framework
Site Search: 
Published:  April 6, 2026 Last Updated:  April 26, 2026 Author:  Hunter Storm

Sonoran Desert Security (SDSUG)

National Post-Quantum Cryptography (PQC) Modernization Mandate (Dec 2025) — Arizona Alignment & Implementation Framework

A structured alignment and implementation framework mapping Arizona’s statewide cybersecurity posture to the United States’ December 2025 national post-quantum cryptography (PQC) modernization mandate.

Sonoran Desert Security (SDSUG) Research — Governance, Policy & Institutional Resilience

Post‑Quantum Cryptography (PQC) Modernization Series — 2025–2026 — Report No. 2 (2026)

Author: Hunter Storm (https://hunterstorm.com)

Version 1.1 — Published April 2026

About This Report

This report is published by Sonoran Desert Security (SDSUG) as part of its formal research publication series. It supports cybersecurity awareness, resilience, and informed decision‑making across Arizona, reflecting SDSUG’s role as a trusted institutional resource for clear, accessible guidance. The analysis is openly accessible for reading, learning, and citation by practitioners, policymakers, and community members, and is intended for full search engine indexing. All content on this page is non‑sensitive.

All materials remain the sole intellectual property of the author and may not be presented, republished, or redistributed as original work. Proper attribution is required under the Citation & Usage Policy.

By Hunter Storm

Post-Quantum Cryptography (PQC) Modernization Series — 2025–2026

Arizona’s transition to post‑quantum cryptography requires clear governance, statutory alignment, and sector‑ready implementation guidance. As part of the Sonoran Desert Security (SDSUG) Governance, Policy & Institutional Resilience domain, the Post-Quantum Cryptography (PQC) Modernization Series (2025–2026) provides a structured, practitioner‑driven framework for interpreting federal mandates, integrating statewide requirements, and preparing Arizona’s public‑ and private‑sector institutions for cryptographic modernization at scale. These reports translate national expectations into actionable state‑level pathways, ensuring that Arizona’s agencies, critical‑infrastructure operators, and governance bodies can move decisively as PQC standards evolve.

Abstract

This report analyzes the United States’ December 2025 national PQC modernization mandate and provides a comprehensive alignment framework for Arizona’s public‑sector agencies, critical‑infrastructure operators, and regulated industries. It outlines federal requirements, identifies areas of alignment and divergence with Arizona’s existing statutes and capabilities, and provides a structured implementation model to support statewide compliance with national PQC directives.

Purpose

The purpose of this report is to help Arizona institutions understand and operationalize the national PQC modernization mandate. It provides a clear crosswalk between federal requirements and Arizona’s current cybersecurity posture, enabling agencies and organizations to plan, sequence, and execute PQC migration activities in alignment with national expectations.

Executive Summary

The December 2025 national Post‑Quantum Cryptography (PQC) Modernization Mandate represents the most significant cryptographic transition in U.S. history. It requires federal agencies — and any state, municipal, or private‑sector entity interacting with federal systems — to migrate to National Institute of Standards and Technology (NIST)‑approved PQC algorithms on an aggressive timeline.

This report provides the first comprehensive, practitioner‑driven analysis of the national mandate and its implications for Arizona. It evaluates statewide readiness, identifies gaps between federal and state requirements, and provides a unified roadmap for compliance across public agencies, critical infrastructure, and private‑sector partners.

The report also includes the first formal crosswalk between the national mandate and Arizona’s HB2809, clarifying where the two frameworks align, diverge, and require harmonization.

Introduction

The December 2025 national Post‑Quantum Cryptography (PQC) Modernization Mandate represents the most significant cryptographic transition in U.S. history, reshaping how federal agencies and all interacting entities must secure data, identities, and critical systems. As the mandate requires migration to NIST‑approved PQC algorithms on an aggressive timeline, it effectively converts quantum risk from an abstract future concern into an immediate governance, procurement, and implementation obligation. In this context, Arizona cannot treat PQC as a purely technical upgrade; it is a statewide modernization program that touches every agency, every regulated sector, and every system that relies on cryptography for confidentiality, integrity, or authentication.

This report provides the first comprehensive, practitioner‑driven analysis of the United States’ national PQC modernization mandate, including its technical assumptions, governance requirements, implementation constraints, and statewide implications for Arizona’s agencies, critical‑infrastructure operators, and regulated sectors. It interprets the federal mandate through the lens of real‑world implementation: larger key sizes, increased computational overhead, protocol changes, and legacy system incompatibilities are treated not as theoretical challenges but as concrete constraints on how Arizona can execute PQC migration at scale. As the mandate “requires a full inventory of cryptographic assets including libraries, protocols, certificates, and embedded systems,” the report frames cryptographic discovery and inventory as foundational state responsibilities rather than optional best practices.

This is the first interpretation of a national PQC modernization mandate anywhere in the world. No other state, national, or international body has produced a comparable analysis that integrates federal PQC doctrine with real‑world implementation constraints, statewide governance structures, and the operational realities of cryptographic modernization at scale.

At the federal level, the mandate establishes clear algorithmic expectations—CRYSTALS‑Kyber for key establishment, CRYSTALS‑Dilithium for digital signatures, and SPHINCS+ for hash‑based signatures—across data‑in‑transit, data‑at‑rest, identity, and key management. This report is the first to translate those expectations into a statewide implementation framework, detailing how Arizona’s public‑sector systems, shared services, and vendor ecosystems must adapt. It connects federal procurement standards, reporting obligations, and supply‑chain transparency requirements to Arizona’s existing cybersecurity governance structures, identifying where state policy, contracts, and oversight mechanisms must evolve to remain aligned with national direction.

Critically, this report is also the first to integrate federal PQC doctrine with Arizona’s statutory environment, including HB2809’s post‑quantum cybersecurity requirements and vendor‑origin restrictions. While the national mandate focuses on algorithm adoption and migration timelines, HB2809 introduces stricter constraints on where cryptographic products and services may originate, creating a unique intersection between quantum‑resilient security and supply‑chain sovereignty. The report analyzes how these combined requirements shape Arizona’s feasible implementation pathways, vendor selection strategies, and long‑term technology roadmaps, highlighting where federal expectations and state law reinforce each other—and where they create tension that must be managed through governance.

From a technical‑governance perspective, the report explicitly articulates the assumptions that underpin PQC modernization but are rarely stated in public‑sector documents. It treats crypto modernization as a multi‑year transformation program rather than a one‑time upgrade, emphasizing the need to decouple cryptography from applications, modernize PKI, and design for crypto‑agility so that algorithms, parameters, and protocols can be replaced without redesigning entire systems. It explains why hybrid classical + PQC deployment is mandatory during the transition: to maintain interoperability with non‑PQC systems, to protect long‑lived data with quantum‑resilient algorithms, and to hedge against the possibility that early PQC standards may require revision as cryptanalysis advances. As the report notes, “implementation challenges include managing larger key sizes, increased computational overhead, and legacy system incompatibility,” making hybrid deployment and crypto‑agility operational necessities rather than optional enhancements.

The report also frames the Harvest‑Now, Decrypt‑Later (HNDL) threat model as an active risk, not a future scenario. By assuming that adversaries are already capturing encrypted traffic and stored data today with the intent to decrypt it once large‑scale quantum capabilities are available, the analysis treats long‑lived and high‑value data as immediately at risk. This perspective justifies the mandate’s emphasis on near‑term hybrid deployment and the expectation of “full readiness expected by 2030,” positioning 2030 not as a speculative quantum arrival date but as a hard modernization horizon for cryptographic systems whose confidentiality obligations extend decades into the future.

Finally, this report is the first cross‑sector, statewide synthesis of PQC migration realities tailored to Arizona. It combines federal directives, state statute, and practitioner input into a single alignment and implementation framework that can be used by state agencies, higher education, critical‑infrastructure operators, and regulated entities as a shared reference point. Rather than offering abstract recommendations, it is designed as a decision‑support artifact: a structured guide to what must change, in what order, under which constraints, and by when, for Arizona to meet the national PQC modernization mandate while honoring its own cybersecurity laws and protecting residents, institutions, and critical services in the quantum era.

Arizona’s HB2809 represents one of the first state‑level cybersecurity statutes in the nation to explicitly incorporate post‑quantum security requirements, supply‑chain restrictions, and statewide governance obligations. As quantum‑resilient cryptography becomes a national priority, HB2809 positions Arizona at the forefront of state‑driven cybersecurity modernization — but it also introduces new operational, procurement, and compliance challenges that agencies and regulated sectors must navigate immediately.

This report provides the first comprehensive, practitioner‑driven analysis of HB2809 as a post‑quantum cybersecurity statute, interpreting its requirements through the lens of real‑world implementation rather than abstract policy. It examines how HB2809’s vendor‑origin restrictions, procurement controls, and statewide governance mandates intersect with the operational realities of cryptographic modernization, including inventory requirements, legacy system constraints, and the need for crypto‑agility across public sector systems. This is the first analysis of its kind globally; no other state, national, or international body has produced a comparable statutory‑grade PQC readiness assessment.

It is also the first statewide readiness assessment tied to a PQC‑related statute in the United States. By evaluating Arizona’s current posture, sector‑specific obligations, and operational gaps, the report establishes a baseline for statewide PQC preparedness and identifies the governance structures, inventories, and modernization pathways required for compliance. This analysis provides Arizona agencies, higher education institutions, and critical infrastructure operators with a clear, actionable understanding of what HB2809 demands — and what must change for the state to meet its statutory and operational obligations in the quantum era.

Post‑quantum cryptography (PQC) — sometimes written in industry materials as “post quantum” — refers to cryptographic algorithms designed to remain secure against adversaries equipped with large‑scale quantum computers.

1. Technical Assumptions & Implementation Constraints

The analysis in this report assumes the operational realities of post‑quantum migration as defined by NIST PQC standards and federal modernization guidance. These include the expected challenges associated with PQC deployment, such as larger key sizes, increased computational overhead, protocol‑level adjustments, and incompatibility with legacy systems and constrained environments. The assessment incorporates the “harvest now, decrypt later (HNDL)” threat model, treating long‑lived data as already at risk and prioritizing hybrid deployments as an immediate mitigation strategy.

Harvest‑Now, Decrypt‑Later (HNDL) Threat Model

The HNDL threat model assumes that adversaries are capturing encrypted data today with the intent to decrypt it once large‑scale quantum capabilities become available. This makes long‑lived, high‑value, or legally protected data immediately at risk, regardless of when quantum computers reach operational maturity.

Arizona’s HB2809 introduces additional constraints beyond the federal mandate, including stricter vendor‑origin requirements and procurement limitations that affect implementation pathways. The analysis assumes that organizations will require crypto‑agility, phased hybrid adoption, and multi‑year modernization planning, with full statewide readiness expected by 2030 in alignment with federal timelines.

HNDL as an Active Risk

The Harvest‑Now, Decrypt‑Later (HNDL) threat model assumes adversaries are already capturing encrypted data today with the intent to decrypt it once quantum capabilities mature. This makes long‑lived, high‑value, or legally protected data immediately vulnerable. Agencies must treat HNDL as an active risk because confidentiality obligations extend far beyond the lifespan of current cryptography. Hybrid deployment is the only near‑term mitigation.

Crypto Modernization

Crypto modernization is the multi‑year transformation required to replace legacy cryptographic systems, protocols, and dependencies with quantum‑resilient alternatives. It includes inventorying all cryptographic assets, decoupling cryptography from applications, updating libraries and protocols, modernizing PKI, and ensuring that identity, key management, and data‑protection systems can support PQC algorithms. Crypto modernization is not a technical upgrade — it is an enterprise‑wide governance, procurement, and operational program that affects every system where cryptography is embedded, inherited, or assumed.

Crypto‑Agility

Crypto‑agility is the architectural capability to change cryptographic algorithms, parameters, keys, and protocols without redesigning systems or disrupting operations. It enables hybrid deployment, algorithm rotation, protocol updates, and rapid response to cryptographic failures or new standards. Because PQC algorithms are new, may evolve, and must coexist with classical cryptography for years, crypto‑agility is non‑negotiable. Without it, organizations cannot meet federal timelines, adopt hybrid modes, or mitigate long‑term technical debt.

Hybrid Migration (Why Hybrid Is Mandatory)

Hybrid classical + PQC modes ensure backward compatibility with systems that cannot immediately support PQC while providing quantum‑resilient protection for long‑lived data. Hybrid mitigates algorithmic uncertainty, preserves interoperability, and allows phased modernization across complex environments. It is the only migration path that maintains continuity, security, and operational stability during the transition.

2030 as the Migration Horizon

The federal PQC mandate establishes 2030 as the deadline for full adoption of PQC across data‑in‑transit, data‑at‑rest, identity, and key management systems. This horizon reflects the lifecycle of federal systems, vendor update cycles, and the time required to modernize infrastructure. Organizations that delay will face compressed timelines, increased operational risk, and potential non‑compliance. 2030 is not a prediction — it is the mandated modernization horizon.

2. Overview of the National PQC Mandate (Dec 2025)

The national mandate requires:

Mandatory PQC Adoption

All federal systems must transition to NIST‑approved PQC algorithms for:

  • data‑in‑transit
  • data‑at‑rest
  • identity and authentication
  • key establishment
  • digital signatures

Hybrid Modes Required

During transition, systems must use hybrid classical + PQC modes to ensure backward compatibility.

Cryptographic Inventory

Agencies must identify all cryptographic assets, including:

  • libraries
  • protocols
  • certificates
  • embedded systems
  • vendor‑managed components

Procurement Requirements

All new federal procurements must:

  • support PQC
  • use NIST‑approved algorithms
  • provide supply‑chain transparency

Reporting & Validation

Agencies must submit:

  • annual migration progress
  • risk assessments
  • dependency maps
  • vendor compliance documentation

3. NIST PQC Standards & Migration Guidance

The national mandate is anchored in NIST’s PQC standardization process, which selected:

  • CRYSTALS‑Kyber — Key establishment
  • CRYSTALS‑Dilithium — Digital signatures
  • SPHINCS+ — Stateless hash‑based signatures

Migration Considerations

  • Larger key sizes
  • Increased computational overhead
  • Hybrid mode complexity
  • Certificate chain redesign
  • Cloud service dependencies
  • Vendor readiness variability

Systems Most Affected

  • TLS
  • VPN
  • PKI
  • Identity systems
  • Cloud interconnects
  • OT networks
  • IoT and embedded devices

4. Federal Procurement & Compliance Requirements

The national mandate affects:

Federal Agencies

  • Must fully comply
  • Must update all procurement contracts
  • Must validate vendor PQC readiness

State Agencies Receiving Federal Funds

Arizona agencies interacting with federal systems must:

  • adopt PQC
  • use hybrid modes
  • maintain compliance documentation
  • ensure vendor alignment

Critical Infrastructure with Federal Oversight

Includes:

  • energy
  • water
  • transportation
  • healthcare
  • manufacturing
  • defense industrial base

These sectors must align with federal PQC requirements to maintain compliance and funding eligibility.

5. Arizona’s Current Posture

Arizona’s statewide posture shows:

Strengths

  • Strong defense and semiconductor sectors
  • University of Arizona’s cyber and quantum programs
  • Growing practitioner community
  • Legislative momentum (HB2809)

Weaknesses

  • Fragmented cryptographic inventories
  • Legacy systems across agencies
  • Limited PQC expertise in municipalities
  • Under‑resourced rural infrastructure
  • No statewide PQC governance body

Critical Infrastructure Exposure

Arizona’s critical infrastructure relies heavily on:

  • outdated cryptographic libraries
  • unsupported VPNs
  • legacy PKI
  • vendor‑managed OT systems

6. Crosswalk: National Mandate vs. HB2809

This is the first formal crosswalk between the two frameworks.

RequirementNational PQC MandateHB2809Alignment
PQC adoptionRequiredRequiredStrong
Hybrid modesRequiredImpliedModerate
Cryptographic inventoryRequiredRequiredStrong
Vendor restrictionsNoneU.S.-onlyDivergent
Critical infrastructureEncouragedEncouragedStrong
TimelinesFederalStateParallel
ReportingRequiredRequiredStrong
Procurement standardsPQC‑readyPQC + U.S.-vendorPartial

Key Observations

  • HB2809 is stricter on vendor origin.
  • The national mandate is stricter on hybrid‑mode requirements.
  • Both require inventories and reporting.
  • Timelines are compatible but not identical.
  • Arizona must harmonize procurement and hybrid‑mode guidance.

7. Governance Implications for Arizona

Arizona must establish:

Statewide PQC Governance Council

To coordinate:

  • migration
  • procurement
  • vendor certification
  • reporting
  • cross‑sector alignment

Unified PQC Migration Framework

To prevent:

  • inconsistent adoption
  • misconfigured hybrid modes
  • vendor fragmentation
  • duplicated effort

Critical Infrastructure Alignment

Operators need:

  • guidance
  • templates
  • inventories
  • vendor requirements
  • migration support

Municipal Support

Rural and under‑resourced municipalities require:

  • training
  • technical assistance
  • shared services
  • funding pathways

8. Implementation Risks

Technical Risks

  • Misconfigured hybrid modes
  • Legacy system incompatibility
  • Performance degradation
  • Vendor delays

Operational Risks

  • Workforce shortages
  • Incomplete inventories
  • Inconsistent adoption
  • Lack of training

Strategic Risks

  • Supply‑chain vulnerabilities
  • Non‑compliance with federal mandates
  • Increased exposure during transition

9. Recommended Statewide Roadmap

Phase 1 (0–12 Months): Governance & Inventory

  • Establish PQC Governance Council
  • Conduct statewide cryptographic inventory
  • Create procurement standards
  • Launch pilot migrations
  • Begin workforce upskilling

Phase 2 (1–3 Years): Hybrid Deployment

  • Deploy hybrid classical + PQC modes
  • Modernize critical infrastructure crypto
  • Certify vendors
  • Build regional support hubs
  • Expand training programs

Phase 3 (3–5 Years): Full PQC Transition

  • Complete PQC migration
  • Validate statewide compliance
  • Conduct annual audits
  • Maintain continuous monitoring
  • Update governance frameworks

Findings

  • Federal PQC timelines exceed Arizona’s current readiness, requiring accelerated planning and resource allocation.
  • Arizona’s HB2809 provides partial alignment, but additional statewide governance mechanisms are needed to meet federal expectations.
  • Critical‑infrastructure sectors face the largest compliance burden, particularly in environments with legacy operational technology.
  • Federal procurement requirements will reshape vendor ecosystems, necessitating updated statewide procurement policies.
  • Cross‑jurisdictional coordination is insufficient, creating gaps between state, federal, and sector‑specific mandates.

Conclusions

Arizona must strengthen statewide governance, accelerate PQC planning, and improve cross‑sector coordination to meet the national PQC modernization mandate. While HB2809 provides a foundation, additional alignment efforts are required to ensure compliance, reduce systemic risk, and support a unified statewide transition to quantum‑resilient systems.

Appendices

  • Post‑Quantum Cryptography (PQC) Modernization — 2019–2026 Longitudinal Practitioner Dataset & Analytic Framework
  • NIST PQC standards
  • Federal mandate summary
  • Migration templates
  • Glossary
  • Inventory worksheets

Post‑Quantum Cryptography (PQC) Modernization — 2019–2026 Longitudinal Practitioner Dataset & Analytic Framework

This analysis is grounded in more than a decade of practitioner‑level experience in quantum technology research, post‑quantum cryptography, and large‑scale cryptographic‑modernization efforts across global financial institutions, advanced‑research ecosystems, and national‑level governance bodies. The methodology reflects long‑horizon exposure to quantum‑risk modeling, cryptographic‑lifecycle management, and the operational realities of migrating complex, multi‑sector environments toward NIST‑approved post‑quantum standards.

The analysis was developed using a practitioner‑first, governance‑aligned methodology grounded in national standards, state legislative analysis, and cross‑sector threat modeling. It incorporates federal PQC guidance, NIST standards, Arizona legislative text, and statewide cybersecurity assessments.

The author, Hunter Storm, brings extensive expertise across emerging and disruptive technologies (EDTs), including post‑quantum cryptography (PQC), quantum technologies, and hybrid cyber‑physical‑psychological threat modeling. Her background includes:

  • involvement in PQC and quantum‑technology working groups
  • advisory work across financial, research, and critical infrastructure domains
  • leadership in enterprise architecture and cross‑domain governance
  • deep experience in Security Operations Center (SOC) design and operational architecture
  • research leadership in statewide cybersecurity posture assessments
  • authorship of Arizona’s 2026 Material Weaknesses Audit, Statewide Action Plan, and Cyber Fusion Center roadmap

Her work integrates EDT strategy, governance modernization, and practitioner‑layer security, with a focus on long‑horizon risk, cryptographic transition planning, and institutional resilience.

Data Sources

The findings draw from a uniquely broad and longitudinal set of practitioner‑derived inputs, including:

  • Enterprise quantum‑technology research (2019–2026) — direct involvement in Wells Fargo’s foundational Quantum Technology Research Team, including early quantum‑risk modeling, hybrid cryptography evaluation, and enterprise‑scale modernization planning.
  • QED‑C and national‑level PQC governance work — participation in technical advisory councils, quantum‑technology working groups, and cross‑sector modernization initiatives supporting U.S. PQC readiness.
  • PQC research and migration frameworks — exposure to industry‑leading PQC transition models, hybrid‑mode deployment patterns, and cryptographic‑inventory methodologies.
  • Cross‑sector cryptographic‑modernization engagements — practitioner‑level work supporting financial institutions, research organizations, public sector agencies, and critical infrastructure operators preparing for PQC transition.
  • Operational observations across cryptographic lifecycles — including key‑management evolution, certificate‑authority modernization, protocol migration, and dependency mapping across multi‑environment architectures.
  • Federal guidance and national frameworks — NIST PQC standards, CISA modernization advisories, federal cryptographic‑transition roadmaps, and cross‑sector risk‑management resources.
  • State‑level statutory and governance materials — including Arizona HB2809, statewide modernization plans, legislative analyses, and public sector cryptographic‑readiness assessments.
  • Practitioner interviews and SME consultations — with cryptographers, quantum researchers, security architects, public sector leaders, and critical infrastructure operators.
  • Review of federal PQC directives, including NIST standards, OMB memoranda, CISA guidance, and national‑level modernization expectations.
  • Analysis of Arizona’s statutory and regulatory landscape, with emphasis on HB2809, statewide cybersecurity governance structures, and sector‑specific obligations.
  • Cross‑sector practitioner interviews and operational insights from state agencies, critical‑infrastructure operators, and security leaders responsible for implementing cryptographic transitions.
  • Comparative assessment of state and federal requirements, identifying alignment points, gaps, dependencies, and areas requiring coordinated governance action.
  • Evaluation of implementation readiness, focusing on crypto‑agility, inventory maturity, risk exposure, and institutional capacity to execute PQC migration at scale.
  • SDSUG internal analysis and statewide PQC‑readiness modeling — integrating cross‑sector insight from Arizona’s practitioner community and institutional ecosystem.

Analytic Approach

The analysis applies a structured, practitioner‑driven lens that emphasizes:

  • Cryptographic‑lifecycle realism — assessing how long‑term key‑management, certificate‑authority, and protocol decisions shape PQC migration complexity.
  • Hybrid‑mode transition patterns — evaluating the operational viability of classical‑plus‑PQC deployments across diverse architectures.
  • Systemic dependency mapping — identifying how cryptographic weaknesses propagate across interconnected systems, supply chains, and multi‑sector environments.
  • Governance and statutory alignment — interpreting federal mandates, state requirements, and sector‑specific obligations through a modernization‑ready lens.
  • Quantum‑risk modeling — integrating long‑horizon analysis of quantum‑computing trajectories, algorithmic exposure, and cryptographic deprecation timelines.
  • Institutional memory and continuity — assessing how workforce stability, architectural lineage, and organizational maturity influence PQC readiness.

Scope

The PQC Modernization Series assesses:

  • statewide PQC readiness
  • sector‑specific migration requirements
  • cryptographic‑inventory maturity
  • governance and statutory alignment
  • hybrid‑mode deployment feasibility
  • critical infrastructure exposure
  • public sector modernization constraints
  • enterprise‑scale migration patterns
  • supply‑chain and vendor‑dependency risks

The analysis prioritizes clarity, implementability, and statewide resilience, emphasizing the decisions, timelines, and governance structures required to support Arizona’s transition to post‑quantum cryptography.

Limitations

The analysis is practitioner‑driven and qualitative. It does not rely on vendor‑reported metrics, marketing‑driven maturity models, or survey‑based scoring. Instead, it reflects:

  • longitudinal quantum technology experience
  • cryptographic lifecycle analysis
  • governance and statutory interpretation
  • cross‑sector modernization insight
  • SME‑level consultation
  • publicly available information
  • limited access to proprietary systems

Where quantitative data is unavailable or inconsistent, findings are presented using structured qualitative scoring consistent with industry‑standard risk assessment practices.

Why This Methodology Is Appropriate

PQC modernization is not a purely technical exercise. It is a governance, lifecycle, and dependency‑driven transformation shaped by:

  • cryptographic‑inventory complexity
  • architectural lineage
  • institutional memory
  • workforce readiness
  • statutory requirements
  • systemic dependencies

These conditions cannot be captured through short‑term surveys or tool‑generated metrics. They require long‑horizon, practitioner‑level exposure to quantum risk evolution, cryptographic modernization, and cross‑sector operational realities.

This methodology provides a grounded, accurate, and actionable foundation for statewide PQC transition.

About This Report

National PQC Modernization Mandate (Dec 2025) — Arizona Alignment & Implementation Framework is published periodically (federal mandate updates only) as part of Sonoran Desert Security (SDSUG) Research to provide practitioner‑driven intelligence for Arizona’s cybersecurity, governance, and critical‑infrastructure communities. This report contributes to the Post‑Quantum Cryptography (PQC) Modernization Series (2025–2026), which delivers statewide guidance on statutory alignment, governance readiness, and quantum‑resilient modernization.

For additional publications and analysis, visit the Sonoran Desert Security (SDSUG) Research hub.

Hunter Storm, President of SDSUG smiling

By Hunter Storm

President, Sonoran Desert Security (SDSUG)

CISO | Advisory Board Member | SOC Black Ops Team | Systems Architect | QED-C TAC Relationship Leader | Originator of Human-Layer Security

https://hunterstorm.com/

© 2026 Hunter Storm. All rights reserved.

Related Reports

These companion reports are part of the Sonoran Desert Security (SDSUG) Research Series. For the full collection, visit the Sonoran Desert Security (SDSUG) Research hub.

Version

Version 1.0 — Published April 2026

How to Cite This Report

Storm, Hunter. National PQC Modernization Mandate (Dec 2025) — Arizona Alignment & Implementation Framework. Sonoran Desert Security (SDSUG), Version 1.0, 2026.

For full citation standards and usage permissions, see the Sonoran Desert Security (SDSUG) Citation and Usage Policy.

Disclaimer

This report is provided for educational and informational purposes only. Sonoran Desert Security (SDSUG) does not provide legal, regulatory, or compliance advice. All analysis reflects practitioner‑level interpretation of publicly available information at the time of publication.

Sonoran Desert Security (SDSUG) is Arizona’s longest‑running cybersecurity community and a central institution in the region’s security ecosystem. Established in 2001 and operating continuously for more than 25 years, Sonoran Desert Security (SDSUG) provides practitioner‑led leadership, vendor‑neutral governance, and trusted peer collaboration across the Southwest. Through its annual research, ecosystem mapping, and community programs, Sonoran Desert Security (SDSUG) strengthens regional resilience and serves as a stable anchor for Arizona’s cybersecurity practitioners, organizations, and critical infrastructure partners. Sonoran Desert Security (SDSUG) also publishes independent research used by organizations and policymakers across Arizona, the broader Southwest, and national and international security, technology, and governance communities.

Explore Sonoran Desert Security (SDSUG)

Start Here
Guided introduction to SDSUG.

Membership
Join SDSUG for trusted peer collaboration and professional networking.

Leadership
Meet the team guiding SDSUG’s direction.

About SDSUG
Our mission, history, purpose, and values.

Events & Meetings
Upcoming topics, speakers, certification prep, and educational sessions.

Sponsors
Organizations supporting SDSUG’s.

SDSUG at a Glance
Overview and orientation FAQ.

Safety & Incident Response
Standards, trained officers, and incident‑response protocols.

Site Index
A full directory of SDSUG web pages.

Start Here
Events
Join SDSUG

Last Updated: April 2026

error: Content protection is enabled to prevent unauthorized copying.