Posted in

Trump Signs Executive Order Requiring Federal Agencies to Adopt Post-Quantum Cryptography by 2031

President Donald Trump has signed a new executive order aimed at strengthening the cybersecurity posture of federal agencies by accelerating the adoption of post-quantum cryptography (PQC).

Signed on June 22, the order establishes firm deadlines for federal agencies to migrate critical systems and sensitive assets to quantum-resistant encryption standards. Under the new directive, agencies must transition key establishment mechanisms by December 31, 2030, and digital signature systems by December 31, 2031.

National security systems will follow a separate migration pathway and are not covered by the same timeline.

Why the Transition Is Urgent

The executive order addresses growing concerns about the future impact of quantum computing on modern encryption.

Although large-scale quantum computers capable of breaking today’s cryptographic systems do not yet exist, security experts warn about a long-term threat known as “harvest now, decrypt later.”

Under this scenario, adversaries collect and store encrypted government data today with the intention of decrypting it in the future once sufficiently powerful quantum computers become available.

The administration’s latest directive explicitly recognizes this risk and significantly accelerates the federal government’s cryptographic modernization efforts.

Timeline Moves Up by Several Years

The new order advances the government’s quantum-resistance strategy by four to five years compared to previous plans.

The earlier federal roadmap, established under the 2022 National Security Memorandum 10 (NSM-10), targeted full migration by 2035. The new deadlines bring that timeline forward, creating greater urgency for agencies and contractors alike.

NIST Standards Form the Foundation

The migration schedule aligns with the post-quantum cryptography standards finalized by the U.S. National Institute of Standards and Technology (NIST) in August 2024.

For key establishment and encryption, agencies will be required to adopt:

  • FIPS 203
  • ML-KEM (formerly known as CRYSTALS-Kyber)

For digital signatures, approved standards include:

  • FIPS 204 (ML-DSA)
  • FIPS 205 (SLH-DSA)

While these standards have been available for nearly two years, the executive order transforms them from recommendations into mandatory federal requirements with defined implementation deadlines.

Immediate Actions Required from Federal Agencies

The transition process begins almost immediately.

Within 30 Days

Each federal agency must appoint a dedicated Post-Quantum Cryptography Migration Lead.

The designated official will report to the agency’s Chief Information Officer (CIO) and oversee:

  • Cryptographic asset inventories
  • Migration planning
  • Implementation tracking
  • Compliance efforts

Within 90 Days

The Office of Management and Budget (OMB) must issue guidance directing agencies to:

  • Review high-value assets
  • Identify high-impact systems
  • Assess existing cryptographic deployments
  • Develop migration strategies
  • Submit formal transition plans

NIST Pilot Program Scheduled for 2027

As part of the government’s implementation strategy, NIST will conduct a pilot migration project involving selected internal systems.

The pilot must be completed by December 31, 2027, and is expected to provide valuable lessons for broader government-wide deployment efforts.

Federal Contractors Also Face New Requirements

The executive order extends beyond federal agencies and will impact companies that provide products and services to the U.S. government.

The Federal Acquisition Regulatory (FAR) Council has been directed to propose new procurement rules within 180 days.

Under the proposed framework, covered contractors would be required to comply with NIST-approved cryptographic standards, including post-quantum algorithms, by December 31, 2030.

A second rule, expected within 270 days, would require contractors to include cryptographic weaknesses in vulnerability disclosure programs.

This would include identifying issues such as:

  • Missing encryption controls
  • Use of non-FIPS cryptographic algorithms
  • Weak cryptographic implementations

New Focus on Cryptographic Asset Inventories

One of the most significant elements of the order focuses on visibility into existing cryptographic systems.

Within 270 days, the Cybersecurity and Infrastructure Security Agency (CISA) and NIST must publish minimum requirements for a Cryptographic Bill of Materials (CBOM).

A CBOM serves as a machine-readable inventory of cryptographic components used within software and hardware products.

The initiative is designed to support “crypto-agility”—the ability to quickly replace outdated or vulnerable cryptographic algorithms as security requirements evolve.

Without a complete inventory, organizations may struggle to identify where vulnerable encryption technologies are deployed.

Impact on Critical Infrastructure

The executive order also directs Sector Risk Management Agencies and CISA to assist critical infrastructure operators in developing their own migration plans.

While these measures are currently advisory rather than mandatory, they signal broader efforts to prepare critical sectors for the quantum era.

Industries likely to be affected include:

  • Energy
  • Telecommunications
  • Financial services
  • Transportation
  • Healthcare

What Organizations Should Do Now

For federal agencies and contractors, the immediate priority is understanding where cryptography is currently being used.

Organizations should begin by:

  1. Identifying all systems that rely on encryption and digital signatures.
  2. Cataloging cryptographic algorithms currently in use.
  3. Determining which systems are not compatible with NIST-approved PQC standards.
  4. Developing phased migration plans aligned with the 2030 and 2031 deadlines.
  5. Preparing for upcoming procurement and compliance requirements.

Experts emphasize that inventory management will be the foundation of successful post-quantum migration efforts.

Quantum Innovation and Security Go Hand in Hand

The executive order was accompanied by a second directive focused on advancing quantum computing innovation in the United States.

While one order seeks to accelerate the development of quantum technologies, the other aims to ensure that government systems are protected from the security challenges those technologies may eventually create.

Looking Ahead

Although the migration deadlines are now officially established, much of the implementation framework remains under development.

Upcoming guidance from OMB and future FAR regulations will determine how aggressively agencies and contractors must pursue compliance.

For now, one thing is clear: the era of post-quantum cryptography is no longer a future consideration for federal organizations—it has become an immediate strategic priority.

Leave a Reply

Your email address will not be published. Required fields are marked *