LatticeScan

Reference

Post-quantum regulatory timeline

The dated obligations driving the transition, in order. Entries marked proposed are directed but not yet issued; entries marked draft are published for comment and not final. Every entry links to a primary source.

  1. 13 Aug 2024

    NIST publishes the first post-quantum standards

    FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) are finalized.

    NIST
  2. 11 Mar 2025

    NIST selects HQC as an additional algorithm

    A backup key-encapsulation mechanism is chosen to complement ML-KEM (NIST IR 8545).

    NIST
  3. 6 Jun 2025

    Executive Order 14306 signed

    Directs DHS, through CISA, to publish a list of product categories that support post-quantum cryptography.

    CISA
  4. 23 Jan 2026

    CISA publishes the Product Categories list

    An initial list of technology categories that support or are transitioning to post-quantum standards.

    CISA
  5. 22 Jun 2026

    Executive Order 14412 signed

    Securing the Nation Against Advanced Cryptographic Attacks. Sets federal deadlines and directs a procurement rule for contractors.

    White House
  6. 24 Jun 2026

    OMB Memorandum M-26-15

    Directs agencies to execute the migration and names an automated cryptographic inventory, populated into a CBOM, as its foundation.

    White House
  7. 22 Oct 2026
    proposed

    Agency migration plans due to OMB

    Within 120 days of M-26-15, agencies submit post-quantum migration plans.

    White House
  8. 1–3 Dec 2026

    PKI Consortium PQCMM certification program

    The Post-Quantum Cryptography Maturity Model certification program is announced at the PQC Conference in Amsterdam.

    PKI Consortium
  9. ~Dec 2026
    proposed

    FAR proposed rule for contractors

    Within 180 days of EO 14412, the FAR Council proposes a rule requiring covered contractors to meet post-quantum FIPS by the end of 2030.

    Federal Register
  10. ~Mar 2027
    proposed

    CISA defines the minimum elements of a CBOM

    Within 270 days of EO 14412, CISA publishes guidance on the minimum elements for a Cryptographic Bill of Materials.

    Federal Register
  11. 31 Dec 2030

    Federal key-establishment deadline

    High Value Assets and high-impact systems must move to post-quantum key establishment. Covered contractors must meet post-quantum FIPS.

    White House
  12. 31 Dec 2031

    Federal signature deadline

    The same systems must move to post-quantum digital signatures.

    White House
  13. After 2035
    draft

    NIST disallows classical public-key algorithms

    Draft NIST guidance (IR 8547) proposes deprecating RSA and elliptic-curve algorithms after 2030 and disallowing them after 2035.

    NIST

This timeline covers the United States, where the obligations are furthest along. See standards alignment for the technical standards behind these dates.