On June 22, 2026, President Trump signed an executive order mandating that federal agencies transition their high-value assets and high-impact systems to post-quantum cryptography (PQC) by specific deadlines. Key establishment processes must be updated by December 31, 2030, and digital signatures by December 31, 2031. Notably, national security systems are addressed separately under this directive.
This initiative aims to counter the “harvest now, decrypt later” threat, where adversaries collect encrypted data today with the intention of decrypting it once quantum computing capabilities mature. By accelerating the PQC adoption timeline by four to five years—moving the previous target from 2035 to 2030—the order underscores the urgency of protecting sensitive information against future quantum attacks.
The National Institute of Standards and Technology (NIST) finalized relevant standards in August 2024. For key establishment, agencies are to implement FIPS 203, which utilizes the ML-KEM algorithm (formerly known as CRYSTALS-Kyber). For digital signatures, FIPS 204 and 205 prescribe the use of ML-DSA and SLH-DSA algorithms, respectively. These standards have been available for nearly two years, and the executive order now sets enforceable deadlines for their implementation.
Implementation Timeline and Requirements
The executive order outlines a series of immediate and long-term actions for federal agencies:
- Within 30 days: Each agency head must appoint a PQC migration lead who will report to the agency’s Chief Information Officer (CIO) and oversee the cryptographic inventory and migration plan.
- Within 90 days: The Office of Management and Budget (OMB) will issue guidance requiring agencies to review their inventories of high-value assets and high-impact systems, develop migration plans, and submit these plans accordingly.
- By December 31, 2027: NIST is tasked with completing a pilot migration on a subset of its own systems to serve as a model for other agencies.
The order also extends its reach beyond federal networks. The Federal Acquisition Regulatory Council has 180 days to propose a rule mandating that “covered contractors” comply with NIST’s FIPS, including PQC algorithms, by December 31, 2030. Additionally, within 270 days, a second proposed rule will require contractors to incorporate cryptographic vulnerabilities into their disclosure programs, encompassing tests for missing encryption and non-FIPS algorithms.
Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA) and NIST are directed to assist critical infrastructure operators in developing their own PQC migration plans, though this assistance is advisory rather than mandatory.
Establishing a Cryptographic Inventory
A critical component of the transition is the creation of a comprehensive cryptographic inventory. Within 270 days, CISA and NIST are to publish the minimum elements for a cryptographic bill of materials—a machine-readable list detailing the cryptographic assets within hardware or software. This inventory is essential for achieving crypto-agility, enabling organizations to efficiently replace vulnerable algorithms within set deadlines.
For federal agencies and their contractors, the immediate priority is to identify all instances of key exchange and digital signature processes, assess their compliance with NIST’s PQC standards, and plan for necessary updates in alignment with the 2030 and 2031 deadlines. Contractors should anticipate forthcoming Federal Acquisition Regulation (FAR) clauses that will enforce these compliance timelines.
In parallel, a companion order titled “Ushering in the Next Frontier of Quantum Innovation” was signed on the same day, emphasizing the development of quantum computing technologies that necessitate this proactive migration to PQC.
The effectiveness of these directives will depend on the forthcoming guidance from OMB and the implementation of FAR rules, which will determine whether the 2030 and 2031 deadlines translate into tangible procurement requirements or become aspirational targets subject to delay.
As quantum computing advances, the imperative for robust cryptographic defenses becomes increasingly critical. The federal government’s proactive stance serves as a model for other organizations to assess and enhance their cryptographic resilience in anticipation of future quantum threats.
