The US put post-quantum cryptography on the clock
A June 2026 executive order sets hard federal deadlines for the move to quantum-safe encryption, and it reaches government contractors, not just agencies. Here is what it actually says.
On June 22, 2026, the White House issued Executive Order 14412, "Securing the Nation Against Advanced Cryptographic Attacks." Two days later the Office of Management and Budget followed with memorandum M-26-15, which tells federal agencies how to carry it out. Together they turn the post-quantum transition from a good idea into a schedule.
The deadlines
The order puts real dates on the calendar:
- By December 31, 2030, federal High Value Assets and high-impact systems must move to post-quantum key establishment.
- By December 31, 2031, the same systems must move to post-quantum digital signatures.
- Within 180 days (around December 2026), the Federal Acquisition Regulatory Council must publish a proposed rule requiring "covered contractors" to comply by December 31, 2030 with NIST's FIPS, including the ones that incorporate post-quantum algorithms.
That third point is the one most companies miss. The deadline does not stop at government agencies. It is being written into the rules that govern who the government is allowed to buy from.
Inventory comes first
M-26-15 is blunt about where the work starts. It calls an automated cryptographic inventory "the foundation of the migration plan," and says that data should populate a central Cryptographic Bill of Materials, or CBOM. The executive order then directs CISA, within 270 days (around March 2027), to publish guidance on the minimum elements of a CBOM so it can be assessed automatically.
In plain terms: before anyone migrates anything, they have to know what cryptography they are running and where. That is the step almost no organization has actually done.
What it means if you sell to the government, or to someone who does
If your company is a federal contractor, the coming FAR rule reaches you directly. If you sell to a company that is a federal contractor, expect the question to flow down to you through their vendor requirements. Either way, the first thing anyone asks is what cryptography you use and whether you can show it. A cryptographic inventory is the answer, and it is worth having before you are asked for it.
Sources
- whitehouse.govhttps://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/
- federalregister.govhttps://www.federalregister.gov/d/2026-12909
- whitehouse.govhttps://www.whitehouse.gov/wp-content/uploads/2026/06/M-26-15-Execution-of-the-Migration-to-Post-Quantum-Cryptography.pdf
We cite original sources only. No news outlets or aggregators.
Comments
Leave a comment
Get the next one
We email when there is something new. No noise.