What the order does
On June 22, 2026, the White House signed an executive order titled Securing the Nation Against Advanced Cryptographic Attacks. It moves the federal government from planning for post-quantum cryptography to migrating on a fixed schedule.
The order has three parts that matter most to organizations. It sets dated deadlines for federal civilian agencies to replace today's public-key cryptography with post-quantum algorithms. It directs federal contracting agencies to require the same of their contractors. And it tasks federal agencies with helping critical infrastructure operators make the transition.
The short version
Federal agencies now have hard deadlines to migrate high-value systems to post-quantum cryptography: key establishment by the end of 2030 and digital signatures by the end of 2031. If you sell to the government or support critical infrastructure, those dates affect you too.
The federal deadlines
The order applies to federal civilian agencies and focuses on high-value assets, the systems that hold the most sensitive data and carry the most risk. The key dates are below.
Earlier federal guidance had pointed to 2035 as the horizon for completing the transition. This order sets nearer, firmer dates for high-value federal systems and pairs them with a leadership structure to drive the work.
Who is responsible inside government
The order names who leads the migration so it does not stall:
- OMB and the National Cyber Director lead the nationwide migration effort.
- The Department of Commerce, the National Security Agency, and the Department of Homeland Security deliver implementation guidance to agencies.
- Every federal agency designates a post-quantum cryptography migration lead.
- The State Department and other agencies assist and encourage critical infrastructure operators to make the same transition.
Who it affects beyond federal agencies
The binding deadlines apply to federal civilian agencies. The reach is wider than that in practice.
Federal contractors
By the end of 2030, federal contracting agencies must issue regulations requiring contractors to comply with NIST's FIPS post-quantum standards. If your organization sells to the federal government, expect post-quantum requirements to appear in acquisition rules and contract terms, and plan to demonstrate readiness rather than scramble for it. For a closer look, see what the order means for federal contractors.
Critical infrastructure operators
The order directs federal agencies to assist and encourage critical infrastructure operators in moving to post-quantum cryptography. The language is support and encouragement rather than a mandate, but it signals where expectations are heading for energy, finance, healthcare, communications, and the other sectors that underpin daily life.
Everyone else
If you are not a federal agency, a contractor, or a critical infrastructure operator, the order still sets a clear national baseline. Cryptographic standards tend to spread from federal requirements to the wider market through vendors, auditors, insurers, and customers. The federal deadlines are a reasonable planning anchor for any organization that protects data which must stay confidential for years.
Why the dates matter even if you are not covered
Sensitive data captured today can be stored now and decrypted later, once quantum computers are capable of breaking current encryption. If your data needs to stay private past 2030, the migration timeline is already relevant to you. See harvest now, decrypt later attacks for the full picture.
The standards behind the deadlines
The deadlines build on cryptographic standards that are already final. In August 2024, NIST published its first three post-quantum standards: ML-KEM (FIPS 203) for key establishment, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) for hash-based signatures. In March 2025, NIST selected HQC as a backup key-establishment algorithm, with its standard in development, and a FALCON-based signature standard (FIPS 206) is also in progress.
Because the algorithms are standardized, the work ahead is largely migration: finding where cryptography lives in your systems, replacing what needs replacing, and verifying the result. For more detail, see NIST post-quantum cryptography standards.
What to do now
Whether the deadlines bind you directly or set your planning baseline, the first steps are the same. They also mirror the four dimensions of the QRAMM framework.
- Build a cryptographic inventory. You cannot migrate what you cannot see. Find where your systems use public-key cryptography, in applications, networks, certificates, and vendor products. See the cryptographic inventory guide.
- Assess your readiness and risk. Rank systems by data sensitivity and how long that data must stay confidential. High-value, long-life data comes first.
- Set governance and ownership. Name an owner for the migration, the same role the order requires of federal agencies, and define how you will track progress.
- Plan the migration. Sequence the work against the federal dates, favor crypto-agile designs, and use hybrid approaches during the transition. See post-quantum migration planning and crypto agility.
How QRAMM helps
QRAMM is a free, open framework for measuring and improving quantum readiness across four dimensions: cryptographic visibility, strategic governance, data protection, and implementation readiness. The assessment toolkit turns the steps above into a scored plan you can act on and report to leadership.
Sources
This summary draws on the White House materials announcing the order. We describe only what those materials state.
- Executive order: Securing the Nation Against Advanced Cryptographic Attacks (June 22, 2026)
- White House fact sheet (June 2026)
- NIST selects HQC as a backup post-quantum algorithm (March 2025)
Last updated June 24, 2026. QRAMM is maintained by CSNP and is not affiliated with any government agency. This page is informational and is not legal advice.