Years ago, I was on a scholarship in Izmir, Turkey. I found myself one excessively hot Mediterranean day in a pickup basketball game with some Turkish students. In a mixture of Turkish and English, we established I was American. The very next question was,
“Oh, you’re American. You hate Canadians, right?”
I was aghast at the question and honestly had never been asked something like that. My response was, “What? No! Who hates Canadians?”
If you are a cybersecurity professional, you should be loving them right now because of their recent release of their “Roadmap for the migration to post-quantum cryptography for the Government of Canada” (ITSM.40.001), out on street as of June 2025. The release, done with typical Canadian modesty, provides a highly tactical roadmap for how the Canadian government will specifically transition to post-quantum cryptography with specific timelines. The document came from Canada’s cybersecurity agency, the Canadian Centre for Cyber Security (CCCS). It is a tactical and focused document providing practical operational guidance for the post-quantum transition for all of Canada’s non-classified IT systems.
By contrast, the US cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) has not provided the same level of operational guidance for federal agencies. In fact, the last federal government document to provide additional details on how to prepare for PQC was President Biden’s Executive Order 14144, published on his way out the White House door in January 2025. In June 2025, President Trump amended Executive Order 14144 with an order of his own, right around the time our neighbors to the north were toiling away producing clear guidance and being security minded. Trump’s order actually removed some quantum guidance making the landscape less clear.
One continent, two very different approaches.
A look at Canada’s new PQC guidance compared to guidance released by the US federal government to date is telling. The US has taken a top-down approach that is long on strategy and short on implementation. Canada is doing the hard and less glamorous work of implementing. Strategic thinking is great and can help set the stage. Set the stage for what? More strategy? At some point, we will not be able to wish the quantum problem away and will have to get down to business. Canada has started and the US has an opportunity to use that roadmap to form a unified approach to this topic.
While the roadmap from our Canadian friends is commendable, it is also a missed opportunity for the US cybersecurity community. The US was publishing policies and guidance on quantum as far back as 2021. We should have been years ahead and we should also take a moment to reflect on why we aren’t now.
Cyber Specific
Awareness matters. In quantum computing and quantum cryptography it matters a lot. Quantum is a difficult and unintuitive subject that may feel is inaccessible. The first step needs to be educating people, formally or informally, on what quantum computing is and why it is different from classical computing. This is where the US was circa 2021. The National Institute for Standards and Technology (NIST) had been involved in working to find new asymmetric encryption algorithms that would withstand a quantum attack since 2015. In the 2021-2022 window, a lot of things happened.
DHS and CISA published their roadmap for PQC transition.
The White House published National Security Memorandum-10.
Congress passed the Quantum Cybersecurity Preparedness Act.
CISA stood up its Quantum Initiative.
This was a lot of action at the strategic level, but not much movement on implementation. Strategy does need to come first but at some point, we need to get tactical. We are still waiting for that moment.
A look at CISA’s Quantum Initiative webpage is very telling. It has all the hallmarks of an inactive federal government webpage and even refers to the release of the NIST PQC algorithms in the future tense (they were released in August 2024). I have no direct knowledge of any work CISA’s Quantum Initiative is doing currently, but the evidence suggests not much. With huge reductions in the federal workforce at DHS and at NIST, and the removal of key quantum language in the Trump cybersecurity executive order, it also doesn’t feel like actions are underway. I hope I’m wrong.
In the US, we have what we have. DHS’s roadmap, NIST’s algorithms, NSM-10, and the law. NSM-10 tries to balance maintaining leadership in quantum science with security from the PQC threat creating a mixed message. Ignoring that, NSM-10 is a top-down approach that provides some direction and guidance but not the sort of tactical guidance needed by cybersecurity and IT implementers. This memorandum is not just about defense; it's about securing a long-term economic and scientific competitive advantage for the nation.
The goal was never for any of these documents to stand on their own. The goal was to create the foundation and have the operational guidance come next. It didn’t. Those documents were all published by the end of 2022. NIST’s algorithms landed in 2024. We should have been well on our way, but we failed to do the hard part.
Maple Leavin’ Us Behind
ITSM.40.001, is a focused, tactical roadmap issued by the Canadian Centre for Cyber Security. Its scope is narrower and more operational, concentrating exclusively on the practical steps for migrating the Government of Canada's non-classified IT systems to post-quantum cryptography (PQC). It functions as an implementation guide for government IT managers and departmental leaders, outlining specific phases, deliverables, and governance structures to achieve the migration. It’s not a lot of fun to read. The name definitely isn’t cool. It doesn’t have snappy talking points, and it won’t draw crowds for a podcast. But it should.
While both nations identify a similar end-goal for migration around 2035, their paths and priorities differ. The US strategy envelops the migration within a larger framework of technology promotion and protection against adversaries. The Canadian roadmap is a direct and pragmatic plan of action, emphasizing the "how-to" of the transition for its own government systems.
The US did a great thing by starting on the asymmetric cryptography problem over a decade ago. It followed up with great strategic direction and then it stopped. The bottom line is that Canada has provided an implementation guide that will ultimately help the cybersecurity community regardless of borders. We should recognize that and work together.
But we should also look in the mirror. With a commanding, multiple year lead, the US was unable to get to operational guidance based on its body of strategic preparation. CISA stood up a Quantum Initiative in 2022 but has produced little. Canada has something that we can use, and we should. But we should also ask why the momentum died in the US.
Comparison of U.S. and Canadian Quantum Security Documents
Document Type & Scope
US: A high-level National Security Memorandum outlining a broad, whole-of-government national strategy.
Canada: A specific Information Technology Security Memorandum (ITSM) providing a detailed roadmap for a government-wide activity.
Issuing Authority
US: The President of the United States.
Canada: The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment.
Primary Focus
US: Dual focus: 1) Promoting U.S. leadership in QIS and quantum computing. 2) Mitigating the cryptographic risks of quantum computers.
Canada: Singular focus on migrating the Government of Canada's non-classified IT systems to PQC to protect against the quantum threat.
Strategic Pillars
US: Includes three main pillars: 1) Promoting leadership through R&D and partnerships. 2) Mitigating encryption risks. 3) Protecting U.S. technology from theft by adversaries.
Canada: Focused entirely on the risk mitigation pillar, detailing three execution phases: 1) Preparation. 2) Identification. 3) Transition.
Key Audiences
US: Directed at the highest levels of government, including the Vice President, Cabinet Secretaries, and heads of national security and intelligence agencies.
Canada: Aimed at directors, managers, and decision-makers within federal departments and agencies who are responsible for IT systems.
Migration Timeline
US: By 2035: Mitigate as much of the quantum risk as is feasible. Numerous near-term deadlines (90, 180, 365 days from May 2022) for establishing plans, inventories, and working groups.
Canada: April 2026: Initial departmental PQC migration plans due. End of 2031: Complete migration of high-priority systems. End of 2035: Complete migration of remaining systems.
Approach to Implementation
US: Sets strategic direction and assigns high-level responsibilities to various agencies (NIST, OMB, NSA, CISA) to develop specific plans and standards.
Canada: Provides a prescriptive, step-by-step roadmap for departments to follow, including recommendations for creating a committee, developing a financial plan, and establishing procurement policies.
Classified vs. Non-Classified Systems
US: Makes a clear distinction, outlining separate requirements and authorities for Federal Civilian Executive Branch (FCEB) agencies versus National Security Systems (NSS).
Canada: The roadmap explicitly applies only to non-classified IT systems. It directs departments to contact the Cyber Centre for separate advice on classified systems.