Home / Learning Center / Federal contractor requirements

Policy update

What the 2026 executive order means for federal contractors

The order reaches contractors through the federal acquisition process. Here is what is coming, when, and how to be ready before solicitations require it.

The contractor requirement

The June 2026 executive order, Securing the Nation Against Advanced Cryptographic Attacks, sets deadlines for federal agencies to move to post-quantum cryptography. It also reaches the companies that sell to the government.

The order directs that, by the end of 2030, federal contracting agencies issue regulations requiring contractors to comply with NIST's FIPS post-quantum cryptography standards. In plain terms, post-quantum requirements are on their way into federal contracts, and the time to prepare is before they appear in the solicitations you bid on.

The short version

If your organization sells to the federal government, expect post-quantum cryptography requirements to show up in acquisition rules and contract terms. Build the ability to demonstrate readiness now, rather than scrambling when a requirement lands in a solicitation.

How the requirement reaches your contracts

Federal contract requirements are imposed through the acquisition process. Agencies write rules, those rules become clauses, and the clauses flow into solicitations and contracts. Two points matter for planning:

  • Through acquisition rules. The order tasks federal contracting agencies, working through the federal acquisition system, with issuing post-quantum requirements by the end of 2030. Expect those requirements to reference NIST's FIPS post-quantum standards.
  • Down the supply chain. Prime contractors typically flow security requirements down to subcontractors and suppliers. If you supply a prime, the requirement reaches you even if you do not hold the contract directly.

This is the same pattern other federal security requirements have followed, where a baseline standard becomes a contract obligation and then propagates through the supplier base.

The timeline to plan against

The dates below come from the executive order. Specific contract compliance dates will be set in the acquisition rules and individual solicitations, which is why preparing ahead of those dates matters.

DateWhat happens
Dec 31, 2027The Department of Commerce completes a post-quantum cryptography migration pilot.
End of 2030Federal contracting agencies issue regulations requiring contractors to comply with NIST's FIPS post-quantum standards.
Dec 31, 2030Federal civilian agencies migrate high-value assets for key establishment.
Dec 31, 2031Federal civilian agencies migrate high-value assets for digital signatures.

The agency deadlines of 2030 and 2031 are a strong signal of what agencies will expect from the products and services they buy. Contract requirements tend to track the standards agencies must meet themselves.

What it means in practice

For a contractor, the work is less about any single deadline and more about being able to show, credibly, that your cryptography is on a path to the federal standards.

  • Know where your cryptography lives. You cannot attest to readiness you cannot see. Inventory the public-key cryptography in your products, services, and infrastructure.
  • Map to the NIST standards. The relevant targets are ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). Knowing which of your systems need which is the basis of a migration plan.
  • Be ready to demonstrate it. Expect proposals and contract reviews to ask about post-quantum readiness. A documented inventory and migration plan is the evidence.
  • Include your supply chain. Your subcontractors and software suppliers are part of your readiness. Engage them early.

Already managing CMMC or FedRAMP?

Post-quantum readiness fits alongside the federal security programs you may already follow. See the compliance guide for how QRAMM maps to CMMC, FedRAMP, and other frameworks, including the 2026 executive order.

How to prepare with QRAMM

QRAMM is a free, open framework for measuring and improving quantum readiness. Its four dimensions line up with what a contractor needs to demonstrate:

  1. Cryptographic visibility. Build the inventory. Start with the cryptographic inventory guide.
  2. Strategic governance. Assign an owner and track progress, the same discipline the order asks of federal agencies.
  3. Data protection. Prioritize systems by data sensitivity and how long that data must stay confidential.
  4. Implementation readiness. Sequence the migration. See post-quantum migration planning.

The assessment toolkit turns these into a scored plan you can act on and reference in proposals.

Sources

This page describes only what the White House materials announcing the order state.

Last updated June 25, 2026. QRAMM is maintained by CSNP and is not affiliated with any government agency. This page is informational and is not legal advice. Confirm specific obligations against the applicable acquisition regulations and your contract terms.

Get ahead of the requirement

Post-quantum requirements are coming to federal contracts. Use QRAMM to measure your readiness and build a plan you can show.