On June 22, 2026, the White House signed an executive order titled “Securing the Nation Against Advanced Cryptographic Attacks,” converting what had been a set of agency guidance and aspirational timelines into a directive with hard, dated deadlines for migrating federal systems — and, through the Federal Acquisition Regulation, federal contractors — to post-quantum cryptography (PQC). Signed the same day as its companion, “Ushering in the Next Frontier of Quantum Innovation,” it is the defensive half of a two-part national quantum posture: while the innovation order accelerates the building of quantum computers, this order races to protect the nation’s data before those computers can break the encryption that protects it.

For compliance, security, and procurement teams, this is the order that turns post-quantum readiness from a forward-looking best practice into a scheduled obligation. The deadlines are specific, the agency roles are assigned, and the reach extends well beyond federal agencies themselves.

The Threat, Named in an Executive Order

The order identifies quantum computing as a national-security concern and explicitly names the mechanism: “harvest now, decrypt later.” Adversaries are presumed to be collecting encrypted data today — data they cannot yet read — in order to decrypt it once a cryptographically relevant quantum computer becomes operational. The significance of naming this threat in a presidential directive is that it reframes the risk timeline. The danger is not located at some future Q-Day; it is present, because data with a long confidentiality lifetime is being stolen now against a future decryption capability. Any organization holding secrets that must stay secret for years already has a problem, whether or not a quantum computer exists today.

This is the same threat model that drove CISA’s compressed Q-Day mandate and that underlies the CNSA 2.0 procurement deadlines and the FIPS 140 validation pipeline. The June 2026 order ties those threads into a single mandate with the force of an executive order behind it.

The Core Mandate and the Deadlines

The order’s central policy is that the U.S. government must transition federal information systems to NIST-approved Federal Information Processing Standards (FIPS) for post-quantum cryptography, while assisting critical-infrastructure operators in doing the same. The migration is anchored by two hard dates for the government’s most sensitive systems:

| Deadline | Requirement |
|---|---|
| 30 days | Agencies identify their PQC migration leads |
| 90 days | OMB issues PQC guidance for high-value assets and high-impact systems |
| 180 days | NIST initiates a PQC pilot; CISA issues cryptographic bill of materials guidance; FAR Council issues proposed contractor rules |
| 270 days | NSA status report; release of cryptographic bill of materials elements |
| Dec 31, 2027 | NIST pilot project completion |
| Dec 31, 2030 | High-value assets and high-impact systems transition to PQC for key establishment |
| Dec 31, 2031 | High-value assets and high-impact systems transition to PQC for digital signatures |

The scope of “high-impact systems” is defined by reference to existing standards: systems with at least one security objective rated “high” under FIPS 199, alongside High Value Assets (HVAs) designated under OMB Memorandum M-19-03. Every covered agency must inventory these systems, transition them on the schedule above, and submit implementation plans to OMB and the National Cyber Director. National Security Systems are carved out of the 90-day OMB guidance requirement but remain under NSA oversight.

The Provision That Reaches the Private Sector: The FAR Rule

The most important clause for non-government organizations is the directive to the Federal Acquisition Regulatory (FAR) Council. The order requires the FAR Council to publish proposed rules requiring federal contractors to:

  • Use NIST FIPS standards incorporating PQC-compliant algorithms, with a compliance deadline of December 31, 2030;
  • Implement vulnerability disclosure policies (VDPs) aligned with NIST guidelines; and
  • Ensure those VDPs address cryptographic vulnerabilities, including the detection of non-approved encryption methods.

This is how a federal-systems mandate becomes a private-sector obligation. Any company that sells to the U.S. government — and the universe of federal contractors is vast — will face a contractual requirement to have migrated to PQC-compliant cryptography by the end of 2030 and to run a vulnerability disclosure program capable of surfacing cryptographic weaknesses. The “detection of non-approved encryption methods” language is notable: it implies contractors must be able to identify where deprecated or non-compliant cryptography persists in their environments, which is impossible without a cryptographic inventory.

The Supporting Infrastructure: CBOM and Faster Validation

Two operational provisions deserve attention because they tell you how the government expects migration to be done.

Cryptographic bill of materials (CBOM). CISA is directed to issue guidance on a cryptographic bill of materials, and the order calls for releasing CBOM elements within 270 days. A CBOM is to cryptography what an SBOM is to software: a structured inventory of where and how cryptographic algorithms are used across systems. It is the foundational artifact of any credible migration, because an organization cannot replace cryptography it cannot find. Expect CBOM to become the baseline of “reasonable” cryptographic governance, much as SBOM has for software supply chains.

Accelerated validation. The order directs NIST to expedite the Cryptographic Module Validation Program (CMVP) within 180 days. The CMVP backlog has been a genuine bottleneck: the demand created by these deadlines can only be met by a supply of validated PQC modules. Speeding validation is the government’s acknowledgment that the migration timeline is only achievable if compliant, validated modules are actually available to buy and deploy.

What to Do Now

The deadlines may run to 2030 and 2031, but the work that makes them achievable starts immediately. For both federal contractors and any organization with long-lived sensitive data:

  1. Build your cryptographic bill of materials. This is the non-negotiable first step in both the executive order and every credible PQC roadmap. Inventory where your systems use public-key cryptography — TLS, code signing, VPNs, document signing, embedded devices, third-party libraries. You cannot plan a migration without it.

  2. If you sell to the government, treat Dec 31, 2030 as a hard contract date. The FAR rule will make PQC compliance a condition of doing business. Map your products and internal systems against it now; retrofitting cryptography across a product line takes years, not months.

  3. Stand up or upgrade a vulnerability disclosure program. The order requires contractor VDPs aligned with NIST guidance and capable of addressing cryptographic vulnerabilities. If you do not have a NIST-aligned VDP, building one is now part of your federal-eligibility roadmap.

  4. Prioritize by data lifetime, not just system criticality. Because of “harvest now, decrypt later,” the most urgent systems are those protecting data that must remain confidential for many years. A secret that needs to hold until 2040 is already exposed if it transits classical encryption today.

  5. Track the 90-, 180-, and 270-day milestones. The OMB guidance (90 days), CISA CBOM guidance and FAR proposed rule (180 days), and CBOM elements (270 days) are the documents that will define the precise technical requirements. They are your specification; calendar them and plan to act on the proposed FAR rule during its comment period.

  6. Engage your vendors. Your PQC posture is only as strong as the cryptography in the products you buy. Begin asking vendors for their PQC roadmaps and FIPS-validated PQC support; their timelines are now your dependency.
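
An added example, not taken from the executive order or from any agency tooling: a minimal cryptographic inventory in Python that applies steps 1 and 4 above by flagging public-key algorithms that are not PQC, attaching the 2030 and 2031 deadlines, and ranking findings by how long the protected data must stay confidential. The inventory entries, field names and prefix-based classifier are constructed assumptions; a production CBOM would follow the CISA guidance once it is issued.

```python
from dataclasses import dataclass
from datetime import date

# Deadlines the article gives for high-value assets and high-impact systems.
DEADLINES = {"key-establishment": date(2030, 12, 31),
             "signature": date(2031, 12, 31)}
APPROVED = ("ML-KEM", "ML-DSA", "SLH-DSA")  # NIST FIPS 203, 204, 205
VULNERABLE = ("RSA", "ECDH", "ECDSA", "DH", "DSA", "X25519", "ED25519")

@dataclass
class Entry:               # one CBOM row (hypothetical field names)
    asset: str
    algorithm: str
    function: str          # "key-establishment" or "signature"
    secret_until: int = 0  # year the protected data must remain confidential

def classify(algorithm):
    name = algorithm.upper()
    if name.startswith(APPROVED):
        return "pqc"
    if name.startswith(VULNERABLE):
        return "quantum-vulnerable"
    return "non-approved/unknown"  # surfaces cryptography nobody has vetted

def migration_plan(cbom, as_of):
    plan = []
    for e in cbom:
        status = classify(e.algorithm)
        if status == "pqc":
            continue
        # Harvest now, decrypt later: only confidentiality (key establishment)
        # is exposed retroactively, and only while the data must stay secret.
        hndl = e.function == "key-establishment" and e.secret_until > as_of.year
        plan.append({"asset": e.asset, "algorithm": e.algorithm, "status": status,
                     "deadline": DEADLINES[e.function], "hndl_exposed": hndl,
                     "secret_until": e.secret_until})
    # Longest-lived exposed secrets first, then everything else by lifetime and deadline.
    plan.sort(key=lambda r: (not r["hndl_exposed"], -r["secret_until"], r["deadline"]))
    return plan

AS_OF = date(2026, 6, 22)
SAMPLE_CBOM = [  # constructed sample inventory
    Entry("public-web-tls", "X25519", "key-establishment", 2026),
    Entry("code-signing", "RSA-3072", "signature"),
    Entry("vpn-gateway", "ECDH-P256", "key-establishment", 2040),
    Entry("records-archive-tls", "ML-KEM-768", "key-establishment", 2045),
    Entry("legacy-telemetry", "custom-kex-v1", "key-establishment", 2028),
]

if __name__ == "__main__":
    for row in migration_plan(SAMPLE_CBOM, AS_OF):
        print(row["asset"], row["algorithm"], row["status"], row["deadline"], row["hndl_exposed"])
```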

Conclusion

“Securing the Nation Against Advanced Cryptographic Attacks” ends the era in which post-quantum migration was a recommendation. It sets dated deadlines — key establishment by 2030, digital signatures by 2031 — assigns the work to CISA, NIST, NSA, and OMB, and uses the FAR to pull federal contractors into the same schedule. Paired with the same-day innovation order accelerating quantum computing itself, it makes the government’s view explicit: the threat is near enough, and the migration slow enough, that it must be mandated now. The organizations that begin with a cryptographic inventory today will spend the next four years executing a plan. Those that wait will spend them scrambling to build one.

This article is provided for informational purposes only and does not constitute legal advice.