Quantum computing has moved from the laboratory into the national security conversation—and the regulatory landscape is shifting fast. Government contractors and companies operating in the quantum technology space face a growing web of export controls, foreign investment scrutiny, cybersecurity mandates, and data protection obligations that demand attention now, not when a commercially viable quantum computer arrives. Industry needs to stay attuned to legal and regulatory risks and stay ahead of the compliance curve.
What Is Quantum Computing, and Why Does It Matter for National Security?
Traditional computers process information in binary “bits”—ones and zeros. Quantum computers exploit the principles of quantum mechanics to use “qubits,” which can exist in multiple states simultaneously, enabling them to solve certain classes of problems exponentially faster than their classical counterparts. The national security implications are profound. A sufficiently powerful quantum computer could defeat the public-key encryption systems that protect military communications, financial transactions, and critical infrastructure.
Beyond codebreaking, quantum technologies promise advances in sensing and navigation, submarine and stealth-platform detection, secure communications, logistics optimization, and artificial intelligence acceleration—all of which are driving significant Department of Defense investment. The United States increasingly views quantum computing alongside AI, semiconductors, and biotechnology as a strategic technology that may determine future military superiority, particularly amid intensifying competition with China.

For companies in the defense, technology, aerospace, semiconductor, and research sectors, the upshot is this: Even if your organization does not think of itself as a “quantum company,” you may find yourself subject to new and evolving regulatory obligations.
Export Controls: New Rules with a Global Reach
The export control landscape for quantum computing shifted dramatically in September 2024, when the Bureau of Industry and Security (BIS) published an interim final rule (IFR) imposing worldwide export controls on quantum computing items, semiconductor manufacturing equipment, and related technologies. The rule created new “900 series” Export Control Classification Numbers (ECCNs) covering quantum processors, cryogenic cooling systems, parametric signal amplifiers, specialized materials, software, and complete quantum computers. These controls require a license for exports to virtually every destination in the world—including, notably, Canada, Australia, and the United Kingdom, countries that have traditionally enjoyed broad exemptions. However, the rule also enables countries to receive a “License Exception–Implemented Export Controls” once they have implemented adequate controls.
Perhaps most significant for employers in the quantum space, BIS stopped short of requiring deemed export licenses for foreign national employees from countries of concern (Country Groups D:1 and D:5, including China, Russia, and Iran). Companies must now submit annual reports detailing their deemed exports of quantum technologies, including descriptions of the technology, the parties involved, and end-item details—and must file termination reports within 30 days when a foreign person who previously had access to covered technology leaves employment.
The compliance burden is real. Government contractors and commercial companies alike should assess whether their products, components, or research activities fall within the new ECCNs; audit their workforce for foreign national access to controlled technology; and evaluate whether international collaborations or cloud-based quantum services create cross-border transfer risks.
CFIUS: Foreign Investment Under the Microscope
The same IFR that has expanded export controls also has implications for foreign investment. The rule stipulates that covered investments in U.S. companies involved in designing, fabricating, developing, testing, producing, or manufacturing the newly controlled quantum items will now require mandatory review by the Committee on Foreign Investment in the United States (CFIUS), unless the foreign investor qualifies as an “excepted investor” or another exemption applies.
CFIUS has long had broad authority to review transactions that could give foreign persons access to critical technologies, and quantum computing has been squarely in its crosshairs. The practical consequences extend beyond traditional acquisitions. Minority investments, venture capital transactions, joint ventures, and even certain licensing arrangements can trigger CFIUS jurisdiction when they involve critical technologies or access to sensitive government-funded research. Startups and growth-stage quantum companies should evaluate whether prospective investors would trigger mandatory filing obligations, whether governance rights or access to technical information could raise concerns, and whether mitigation measures might be required.
For government contractors, the stakes are higher still. A CFIUS review that results in a forced divestiture or onerous mitigation agreement can disrupt operations, chill future investment, and jeopardize existing government contracts. Companies with government contracts or government-funded research should factor CFIUS risk into their capital-raising and M&A strategies from the outset.
“Harvest Now, Decrypt Later”: A Present-Day Threat with Long-Term Consequences
One of the most discussed, and underestimated, quantum risks is the “harvest now, decrypt later” (HNDL) threat. Adversaries are already collecting encrypted data today, storing it with the expectation that future quantum computers will be able to break the encryption and expose the underlying information. This is not a theoretical risk. The intelligence community and NSA have publicly acknowledged the threat, and it has been a driving force behind the urgency of federal post-quantum cryptography mandates.
For companies handling classified information, controlled unclassified information (CUI), or other sensitive government data, the HNDL threat raises immediate compliance concerns. Data encrypted with algorithms such as RSA or elliptic curve cryptography (ECC) that must remain confidential for decades—think health records, financial data, or defense-related technical information—is vulnerable today, even though the quantum computer capable of breaking it does not yet exist. Government contractors should be asking hard questions about which of their data sets require long-term confidentiality protection, whether their current encryption protocols are adequate for the HNDL threat environment, and whether their government customers are beginning to impose post-quantum protections as a contractual requirement.
NIST Post-Quantum Cryptography Standards and Emerging Compliance Obligations
The National Institute of Standards and Technology (NIST) has been at the forefront of developing quantum-resistant cryptographic standards. In August 2024, NIST finalized three post-quantum cryptography (PQC) standards, and in March 2025, selected the Hamming Quasi-Cyclic algorithm as a supplementary key encapsulation mechanism to secure data against quantum computers.
These standards are already reshaping the federal compliance landscape. The Quantum Computing Cybersecurity Preparedness Act, signed into law in December 2022, requires federal agencies to inventory their quantum-vulnerable IT systems and begin prioritizing migration to PQC. National Security Memorandum 10, issued in May 2022, sets an overarching goal of mitigating quantum risk by 2035. OMB Memorandum M-23-02 requires agencies to submit annual inventories of quantum-vulnerable cryptographic systems and designate migration leads. And the NSA’s CNSA 2.0 suite mandates that all new National Security System acquisitions be CNSA 2.0-compliant by January 1, 2027.
For government contractors, PQC is not yet a direct contractual requirement under CMMC or DFARS cyber clauses, which still reference classical cryptographic standards. But the direction of travel is unmistakable. PQC requirements will eventually flow to contractors, and individual agencies are already moving aggressively. Contractors who wait for a formal mandate before beginning their migration planning risk finding themselves unable to meet deadlines when they arrive.
Practical Takeaways for Government Contractors and Quantum Companies
The regulatory environment around quantum computing is evolving rapidly, but companies can take concrete steps now to position themselves for compliance and competitive advantage.
On export controls, companies should conduct a thorough classification review of their quantum-related products, components, software, and technology against the new 900-series ECCNs, and implement robust procedures for tracking and reporting deemed exports to foreign national employees. Regarding CFIUS, any company in the quantum space considering foreign investment—whether through venture capital, joint ventures, or acquisitions—should evaluate mandatory filing obligations early and engage experienced counsel before closing.
On the cybersecurity front, companies should begin conducting a cryptographic inventory to identify all systems, applications, and data stores that rely on quantum-vulnerable encryption. This is the foundational step recommended by NIST, CISA, and NSA alike. Companies should prioritize migration planning for data that requires long-term confidentiality, develop a roadmap for adopting NIST’s PQC standards, and monitor agency-level procurement requirements that may impose PQC obligations ahead of government-wide mandates.
Finally, companies should keep a close eye on the broader regulatory horizon. Additional export controls, expanded investment screening, new procurement requirements, and increased cybersecurity obligations are all likely. As with many areas of national security regulation, the controls tend to arrive before the technology fully matures. Companies that begin preparing now will be better positioned to seize opportunities while avoiding the regulatory pitfalls that are sure to follow.
Conclusion
Quantum computing sits at the intersection of technological promise and national security risk. For government contractors and companies in the quantum ecosystem, the legal and regulatory landscape is no longer a future concern—it is a present-day compliance obligation that is expanding with each passing quarter. From export controls and CFIUS reviews to HNDL threats and post-quantum cryptography mandates, the breadth of risk is substantial. The companies that take a proactive, integrated approach to compliance—assessing their export control exposure, evaluating foreign investment risk, inventorying their cryptographic infrastructure, and monitoring evolving federal requirements—will be the ones best positioned to thrive as quantum technology moves from the lab to the marketplace. We will continue to monitor developments in this space and will provide updates as new regulations and guidance emerge.
[Credit: Jonathan “Jack” Harrington, Paul Ney, Bradley Arant Boult Cummings LLP, The National Law Review]








