Home / Learning Center / 2026 executive order on post-quantum cryptography

Policy update

The 2026 executive order on post-quantum cryptography

On June 22, 2026, the White House set firm federal deadlines for moving to post-quantum cryptography. Here is what the order requires, and what it means for your organization.

What the order does

On June 22, 2026, the White House signed an executive order titled Securing the Nation Against Advanced Cryptographic Attacks. It moves the federal government from planning for post-quantum cryptography to migrating on a fixed schedule.

The order has three parts that matter most to organizations. It sets dated deadlines for federal civilian agencies to replace today's public-key cryptography with post-quantum algorithms. It directs federal contracting agencies to require the same of their contractors. And it tasks federal agencies with helping critical infrastructure operators make the transition.

The short version

Federal agencies now have hard deadlines to migrate high-value systems to post-quantum cryptography: key establishment by the end of 2030 and digital signatures by the end of 2031. If you sell to the government or support critical infrastructure, those dates affect you too.

The federal deadlines

The order applies to federal civilian agencies and focuses on high-value assets, the systems that hold the most sensitive data and carry the most risk. The key dates are below.

Dec 31, 2027
The Department of Commerce completes a post-quantum cryptography migration pilot.
End of 2030
Federal contracting agencies issue regulations requiring contractors to comply with NIST's FIPS post-quantum standards.
Dec 31, 2030
Federal civilian agencies migrate high-value assets to post-quantum cryptography for key establishment.
Dec 31, 2031
Federal civilian agencies migrate high-value assets to post-quantum cryptography for digital signatures.

Earlier federal guidance had pointed to 2035 as the horizon for completing the transition. This order sets nearer, firmer dates for high-value federal systems and pairs them with a leadership structure to drive the work.

Who is responsible inside government

The order names who leads the migration so it does not stall:

  • OMB and the National Cyber Director lead the nationwide migration effort.
  • The Department of Commerce, the National Security Agency, and the Department of Homeland Security deliver implementation guidance to agencies.
  • Every federal agency designates a post-quantum cryptography migration lead.
  • The State Department and other agencies assist and encourage critical infrastructure operators to make the same transition.

Who it affects beyond federal agencies

The binding deadlines apply to federal civilian agencies. The reach is wider than that in practice.

Federal contractors

By the end of 2030, federal contracting agencies must issue regulations requiring contractors to comply with NIST's FIPS post-quantum standards. If your organization sells to the federal government, expect post-quantum requirements to appear in acquisition rules and contract terms, and plan to demonstrate readiness rather than scramble for it. For a closer look, see what the order means for federal contractors.

Critical infrastructure operators

The order directs federal agencies to assist and encourage critical infrastructure operators in moving to post-quantum cryptography. The language is support and encouragement rather than a mandate, but it signals where expectations are heading for energy, finance, healthcare, communications, and the other sectors that underpin daily life.

Everyone else

If you are not a federal agency, a contractor, or a critical infrastructure operator, the order still sets a clear national baseline. Cryptographic standards tend to spread from federal requirements to the wider market through vendors, auditors, insurers, and customers. The federal deadlines are a reasonable planning anchor for any organization that protects data which must stay confidential for years.

Why the dates matter even if you are not covered

Sensitive data captured today can be stored now and decrypted later, once quantum computers are capable of breaking current encryption. If your data needs to stay private past 2030, the migration timeline is already relevant to you. See harvest now, decrypt later attacks for the full picture.

The standards behind the deadlines

The deadlines build on cryptographic standards that are already final. In August 2024, NIST published its first three post-quantum standards: ML-KEM (FIPS 203) for key establishment, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) for hash-based signatures. In March 2025, NIST selected HQC as a backup key-establishment algorithm, with its standard in development, and a FALCON-based signature standard (FIPS 206) is also in progress.

Because the algorithms are standardized, the work ahead is largely migration: finding where cryptography lives in your systems, replacing what needs replacing, and verifying the result. For more detail, see NIST post-quantum cryptography standards.

What to do now

Whether the deadlines bind you directly or set your planning baseline, the first steps are the same. They also mirror the four dimensions of the QRAMM framework.

  1. Build a cryptographic inventory. You cannot migrate what you cannot see. Find where your systems use public-key cryptography, in applications, networks, certificates, and vendor products. See the cryptographic inventory guide.
  2. Assess your readiness and risk. Rank systems by data sensitivity and how long that data must stay confidential. High-value, long-life data comes first.
  3. Set governance and ownership. Name an owner for the migration, the same role the order requires of federal agencies, and define how you will track progress.
  4. Plan the migration. Sequence the work against the federal dates, favor crypto-agile designs, and use hybrid approaches during the transition. See post-quantum migration planning and crypto agility.

How QRAMM helps

QRAMM is a free, open framework for measuring and improving quantum readiness across four dimensions: cryptographic visibility, strategic governance, data protection, and implementation readiness. The assessment toolkit turns the steps above into a scored plan you can act on and report to leadership.

Sources

This summary draws on the White House materials announcing the order. We describe only what those materials state.

Last updated June 24, 2026. QRAMM is maintained by CSNP and is not affiliated with any government agency. This page is informational and is not legal advice.

See where your organization stands

The federal deadlines are set. Use QRAMM to measure your quantum readiness and build a plan you can act on.