The White House has issued a major executive order directing U.S. federal civilian agencies to migrate high‑value systems to post‑quantum cryptography (PQC), with firm deadlines of 2030 for key establishment and 2031 for digital signatures.
The order, titled “Securing the Nation Against Advanced Cryptographic Attacks,” warns that large‑scale quantum computers could eventually break today’s widely used public‑key cryptography, especially in adversary hands.
It specifically highlights “harvest now, decrypt later” campaigns, where attackers steal encrypted data today and plan to decrypt it once quantum capabilities mature.
To address this, the policy mandates a government‑wide shift to National Institute of Standards and Technology (NIST)‑approved Federal Information Processing Standards (FIPS) for PQC to protect sensitive data, critical infrastructure, and the digital economy.
The directive applies to federal “agencies” as defined in 44 U.S.C. 3502(1). It focuses on high-impact systems and high-value assets (HVAs) as defined by the Office of Management and Budget (OMB).
It defines PQC as cryptography designed to resist both quantum and classical attacks, aligning with NIST’s emerging PQC FIPS for key establishment and digital signatures.
White House Orders Federal Agencies
Within 30 days, each agency head must appoint a “PQC migration lead” reporting to the CIO, responsible for cryptographic inventory, prioritized migration planning, and cross‑agency coordination.
Within 90 days, OMB must issue guidance requiring agencies to review their HVA and high-impact system inventories (excluding National Security Systems).
Transition those systems to PQC for key establishment by December 31, 2030, and to PQC‑based digital signatures by December 31, 2031, and submit formal migration plans.
NIST must also run a PQC migration pilot on a subset of its own systems, to be completed by the end of 2027.
Sector Risk Management Agencies must work with the Cybersecurity and Infrastructure Security Agency (CISA) to help critical infrastructure owners and operators build PQC migration plans, extending federal direction into private‑sector operators of essential services.
The Secretary of State, together with NIST, DHS, the National Cyber Director, the Secretary of War, and the Director of National Intelligence, is tasked with engaging foreign governments and key industry groups to promote the adoption of NIST‑standardized PQC algorithms globally.
Within 270 days, DHS (through CISA) and NIST must publish guidance on a “cryptographic bill of materials” (CBOM) that defines the minimum elements needed to inventory and assess cryptographic assets in hardware and software automatically.
The White House Executive Order promotes PQC adoption through procurement, directing federal agencies to pursue cost-saving measures such as cloud migrations, shared procurement, training, and centralized support.
NIST must adjust the Cryptographic Module Validation Program’s processes to speed up the validation of PQC‑enabled modules.
The Federal Acquisition Regulatory Council must propose rule changes requiring covered contractors to comply with PQC‑enabled NIST FIPS by December 31, 2030.
To update vulnerability disclosure program clauses so that contractors report cryptographic weaknesses, including lack of encryption and use of non‑FIPS algorithms.
While the order does not create new legal rights for private parties, it effectively turns PQC migration into a compliance requirement for agencies and their supply chains.
