Trump executive order sets 2030 deadline for federal post-quantum crypto migration

President Trump signed an executive order on June 22 that imposes hard deadlines on federal agencies to migrate their most critical systems to post-quantum cryptography. Key establishment must move by December 31, 2030. Digital signatures follow a year later, by December 31, 2031.

The order, EO 14409, addresses a threat that doesn’t require a working quantum computer today. Adversaries can harvest encrypted U.S. data now and decrypt it once a large-scale quantum machine exists — the “harvest now, decrypt later” problem. The previous government-wide target, set by National Security Memorandum 10 in 2022, ran to 2035. This order pulls that timeline forward by four to five years.

The deadlines align with standards NIST finalized in August 2024. Key establishment uses FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber). Digital signatures use FIPS 204 and 205 (ML-DSA and SLH-DSA). The standards have been ready for nearly two years. The order turns them into a schedule with consequences.

Agencies have 30 days to name a PQC migration lead. Within 90 days, OMB will issue guidance requiring inventories of high-value assets and high-impact systems, plus migration plans. NIST is running a pilot migration on its own systems, due by December 31, 2027.

The order also reaches contractors. The Federal Acquisition Regulatory Council has 180 days to propose a rule giving covered contractors until December 31, 2030, to meet NIST’s PQC standards. A second rule, due in 270 days, would fold cryptographic flaws into contractor vulnerability disclosure programs.

CISA and NIST have 270 days to publish minimum elements for a cryptographic bill of materials — a machine-readable inventory of what cryptography is running where. It’s the foundation for crypto-agility: you can’t swap out weak algorithms on a deadline if you don’t know where they are.

The practical takeaway? The inventory starts now. Federal teams and their vendors need to find every place key exchange and signatures happen, flag what isn’t NIST PQC, and sequence the swap against those 2030 and 2031 dates. The standards exist. The deadlines now exist. The hard part is knowing what you’ve got.
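
The inventory-and-flag step described above, as an added example (not from the article, the order or any agency tooling): it reads a constructed inventory, flags every entry that is not a FIPS 203, 204 or 205 algorithm, and orders the rest by the 2030 and 2031 dates. The CSV columns, system names and function labels are assumptions, since the minimum elements for a cryptographic bill of materials have not been published yet.

```python
import csv
import io
import re
from datetime import date

# Deadlines stated in the article, keyed by cryptographic function.
DEADLINES = {"key_establishment": date(2030, 12, 31),
             "signature": date(2031, 12, 31)}

# Standards named in the article: (normalized name pattern, standard, function).
PQC = [(re.compile(r"MLKEM(512|768|1024)"), "FIPS 203", "key_establishment"),
       (re.compile(r"MLDSA(44|65|87)"), "FIPS 204", "signature"),
       (re.compile(r"SLHDSA(SHA2|SHAKE)(128|192|256)[SF]"), "FIPS 205", "signature")]

# Constructed sample inventory; the column layout is hypothetical.
SAMPLE = """system,function,algorithm
vpn-gw,key_establishment,ECDH-P256
mail-relay,key_establishment,ML-KEM-768
code-signing,signature,RSA-2048
fw-update,signature,ml-dsa-65
hsm-legacy,key_establishment,Kyber768
boot-rom,signature,SLH-DSA-SHA2-128s
"""

def classify(algorithm):
    """Return (standard, function) for a NIST PQC algorithm name, else None."""
    name = re.sub(r"[^A-Z0-9]", "", algorithm.upper())  # "ml-dsa-65" -> "MLDSA65"
    for pattern, standard, function in PQC:
        if pattern.fullmatch(name):
            return standard, function
    return None  # classical, or a pre-standard name such as Kyber768

def migration_queue(inventory_csv, today):
    """Return entries that still need migration, earliest deadline first."""
    queue = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        function = row["function"].strip()
        if function not in DEADLINES:
            raise ValueError(f"unknown function {function!r} for {row['system']}")
        match = classify(row["algorithm"])
        if match and match[1] == function:
            continue  # already on the named standard for this function
        reason = "PQC algorithm under wrong function" if match else "not NIST PQC"
        queue.append({"system": row["system"], "algorithm": row["algorithm"],
                      "reason": reason, "deadline": DEADLINES[function],
                      "days_left": (DEADLINES[function] - today).days})
    return sorted(queue, key=lambda e: (e["deadline"], e["system"]))

if __name__ == "__main__":
    print(*migration_queue(SAMPLE, date.today()), sep="\n")
```
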
