President Donald Trump on June 22 signed an executive order that gives federal agencies until 2030 to move high-value assets and high-impact systems to post-quantum cryptography, with digital signatures due by 2031 and national security systems on a separate track.
KEY FACTS
- Deadline Key establishment must move by December 31, 2030.
- Second deadline Digital signatures must move by December 31, 2031.
- Standards The schedule matches NIST post-quantum standards finalized in August 2024.
- Contractors A proposed FAR rule would give covered contractors until December 31, 2030, to meet NIST FIPS requirements.
- Inventory CISA and NIST must publish minimum elements for a cryptographic bill of materials within 270 days.
The executive order cites the risk of so-called harvest now, decrypt later attacks, where encrypted data is collected now and decrypted later if large-scale quantum computers become available. The order moves the government-wide post-quantum cryptography timeline forward by four to five years from the 2035 target in the 2022 National Security Memorandum 10.
Within 30 days, each agency head must name a migration lead who reports to the agency CIO and oversees the cryptographic inventory and migration plan. Within 90 days, OMB is to issue guidance for reviewing inventories of high-value assets and high-impact systems and for submitting migration plans.
NIST is also set to run a pilot migration on a subset of its own systems, to be completed by December 31, 2027. The order reaches contractors and critical infrastructure as well, including proposed rules on vulnerability disclosure programs and assistance for migration planning.
The standards already exist, but the work now is mapping where key exchange and signatures are used and replacing non-NIST algorithms before the deadlines arrive. The federal schedule could create procurement pressure across agencies and vendors if the follow-on rules are finalized on time.
WHY IT MATTERS
The order turns post-quantum cryptography from a long-term policy goal into a dated federal requirement. For agencies and contractors, the immediate task is inventorying cryptographic systems so they can plan migrations before current encryption methods become vulnerable to quantum attacks.