
Trump's Quantum EO Sets Aggressive PQC Deadlines

A new White House executive order sets hard deadlines for federal agencies to migrate to post-quantum cryptography by 2030 and 2031 and extends those obligations to contractors through new procurement rules. (includes infographic)

For years, post-quantum cryptography (PQC) readiness has been recognized as imperative in device design and cybersecurity roadmaps: important, and well understood in principle. It has also been consistently deferred. The White House recently made such deferral much more difficult.

President Trump signed the executive order "Securing the Nation Against Advanced Cryptographic Attacks," directing federal agencies and their contractors to complete a mandatory transition to post-quantum cryptographic algorithms on a now-compressed schedule.

There are many quantum-era data and information risks, including digital signature forgery, compromise of live TLS and VPN sessions, threats to blockchain and cryptocurrency integrity, symmetric key weakening, and authentication protocol exposure. The class of attacks that has garnered the most attention is "harvest-now, decrypt-later": adversaries collect encrypted data now, intending to decrypt it once large-scale quantum computers become available. The White House EO cited "harvest-now, decrypt-later" as the primary driver of urgency.

The deadlines are unforgiving. Federal agencies must implement PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. Both timelines are accelerated relative to prior guidance under National Security Memorandum 10 (2035 deadline), which means agencies that had been pacing migration against the NSM-10 schedule may now find themselves behind. “A post-quantum computer that is cryptographically relevant will break the encryption we use today, and this is more likely to happen sooner than previously thought,” said Ellen Boehm, SVP of Strategy and AI Innovation at Keyfactor.

On governance, agencies must designate a senior PQC migration lead and develop formal plans to identify and replace at-risk cryptographic systems, with the Office of Management and Budget (OMB) and the National Cyber Director coordinating the effort. The order also tasks NIST and CISA with defining, within 270 days, a cryptographic bill of materials (CBOM): a structured way for organizations to inventory which algorithms and key schemes they depend on and where quantum exposure exists.


Just as software bills of materials have become a standard cataloging tool in vulnerability management following a series of supply chain incidents, CBOMs catalog cryptographic dependencies. However, as with SBOMs, the operational challenges associated with CBOMs are significant. As Boehm explained, most organizations have limited visibility into where cryptographic primitives are embedded across their infrastructure, let alone which key schemes are in use at the library or firmware level.

Because a CBOM, as important as it is, is a static point-in-time snapshot of the inventory, Boehm recommends that organizations get adequate discovery and inventory capabilities in place now, “because cryptography is embedded inside APIs, libraries, cloud services, applications and third-party tools. There can be 1000s upon 1000s of cryptographic assets, and unmanaged CAs or unmanaged PKI that organizations might not even know existed.”
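One way a CBOM inventory turns into a migration worklist, as an added example that is not from the article, the EO, or Keyfactor: a small Python triage over a constructed inventory (the record shape is an assumption; NIST and CISA have yet to define the real format) that flags classical public-key assets against the EO's separate key-establishment and signature deadlines and notes weakened symmetric keys.

```python
"""Triage a constructed CBOM-style inventory by quantum exposure.

The record shape here is an assumption for illustration, not the
NIST/CISA CBOM format the EO leaves to be defined within 270 days.
"""
import json
import re

# Constructed sample inventory: one record per cryptographic asset.
SAMPLE_CBOM = json.dumps({"assets": [
    {"name": "api-gateway-tls", "algorithm": "ECDHE-P256", "use": "key-establishment"},
    {"name": "code-signing-cert", "algorithm": "RSA-3072", "use": "signature"},
    {"name": "vpn-hybrid", "algorithm": "X25519MLKEM768", "use": "key-establishment"},
    {"name": "firmware-image-sig", "algorithm": "ML-DSA-65", "use": "signature"},
    {"name": "db-at-rest", "algorithm": "AES-128-GCM", "use": "encryption"},
    {"name": "log-archive", "algorithm": "AES-256-GCM", "use": "encryption"},
]})

# NIST PQC families (FIPS 203/204/205); a hybrid like X25519MLKEM768 counts as PQC-ready.
PQC_TOKENS = ("MLKEM", "MLDSA", "SLHDSA")
# Classical public-key families broken by Shor's algorithm on a cryptographically
# relevant quantum computer.
SHOR_VULNERABLE_PREFIXES = ("RSA", "ECDH", "ECDSA", "DSA", "DH", "X25519", "ED25519", "X448", "ED448")
# EO deadlines by cryptographic function, as reported in the article.
DEADLINES = {"key-establishment": "2030-12-31", "signature": "2031-12-31"}


def classify(asset):
    """Return (status, deadline) for one asset record."""
    alg = asset["algorithm"].upper().replace("-", "").replace("_", "")
    if any(tok in alg for tok in PQC_TOKENS):
        return "pqc-ready", None
    if alg.startswith(SHOR_VULNERABLE_PREFIXES):
        # Key establishment and signatures carry different EO deadlines.
        return "quantum-vulnerable", DEADLINES.get(asset["use"])
    m = re.match(r"AES(\d+)", alg)
    if m:
        # Grover's algorithm roughly halves effective symmetric strength:
        # AES-128 is weakened; AES-256 is not a migration item.
        return ("symmetric-weakened", None) if int(m.group(1)) < 256 else ("ok", None)
    return "unknown", None


def triage(cbom_json):
    """Map each asset name to (status, deadline) and count assets per status."""
    report = {a["name"]: classify(a) for a in json.loads(cbom_json)["assets"]}
    counts = {}
    for status, _ in report.values():
        counts[status] = counts.get(status, 0) + 1
    return report, counts


if __name__ == "__main__":
    report, counts = triage(SAMPLE_CBOM)
    for name, (status, deadline) in report.items():
        print(f"{name:20} {status:20} {deadline or '-'}")
    print(counts)
```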

The updated PQC timeline will reach far beyond federal agencies. The Federal Acquisition Regulatory Council is directed to write procurement rules requiring covered contractors to use NIST- and FIPS-approved post-quantum algorithms and to update vulnerability disclosure programs to explicitly cover cryptographic weaknesses, all by 2030. A PQC migration pilot, directed through Commerce, is due December 31, 2027, and is intended to surface implementation issues and document best practices before the hard compliance deadlines arrive.

The procurement rule is most pressing for security leaders at organizations that hold federal contracts, or that supply software, hardware, or services to those that do. “This is moving much more quickly than most thought, and it’s something organizations really have to get working on,” Boehm said.
