Securing the Nation Against Advanced Cryptographic Attacks
The order directs federal agencies to inventory their most sensitive systems and transition them to quantum-resistant encryption standards, with key deadlines in 2030 and 2031, and coordinates guidance, procurement rules, and international outreach to support the shift.
It responds to the threat that adversaries could steal encrypted data now and decrypt it later once large-scale quantum computers exist, pushing the government and its contractors toward NIST-approved post-quantum cryptography before that capability arrives.
What this order does
What it orders
The order directs OMB and the National Cyber Director to lead coordination of a national post-quantum cryptography (PQC) migration strategy for federal agencies. Each agency must designate a PQC migration lead within 30 days, and within 90 days OMB must issue guidance requiring agencies to inventory high-value assets and high-impact systems and transition them to PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. NIST must run a pilot migration project, NSA must report annually on National Security Systems migration, and CISA must issue guidance on a cryptographic bill of materials.
The order also directs the FAR Council to propose rules requiring federal contractors to comply with PQC standards by 2030 and to update vulnerability disclosure requirements. It excludes National Security Systems from the standard OMB guidance track, applies only within existing legal authority and available appropriations, and creates no enforceable private rights.
Who it affects
Federal agencies and their chief information officers, agencies operating National Security Systems, federal contractors subject to forthcoming FAR rules, critical infrastructure owners and operators, and foreign governments and industry groups targeted for PQC outreach.
Why it matters
Agencies and contractors face binding 2030 and 2031 deadlines to overhaul the cryptographic systems that protect sensitive data, which could require significant technical work and procurement changes; delays raise the risk that data is later decrypted by adversaries using future quantum computers.
What must happen and when
How the order is supposed to work
Implementation proceeds in stages: agencies name migration leads first, then OMB issues binding guidance with hard 2030/2031 deadlines for high-value systems, while NIST pilots migration on its own systems and issues the technical standards that CISA and agencies rely on. NSA reports annually to the President on National Security Systems progress. Enforcement comes mainly through OMB oversight and forthcoming FAR rule changes that bind contractors, though the order explicitly preserves existing agency authority and is contingent on appropriations.
Actions and deadlines
- Identify agency PQC migration lead and provide contact details to OMB and National Cyber Director
- Issue guidance requiring agencies to inventory and plan PQC migration for high-value assets and systems
- Transition high-value assets and high-impact systems to PQC for key establishment
- Transition high-value assets and high-impact systems to PQC for digital signatures
- Initiate a PQC migration pilot project on NIST-owned information systems
- Complete the NIST PQC migration pilot project
- Submit report to the President on PQC migration status for National Security Systems
- Release public guidance on minimum elements for a cryptographic bill of materials
- Revise Cryptographic Module Validation Program processes to accelerate validations
- Publish proposed FAR rule requiring contractor compliance with PQC standards
- Publish proposed FAR rule on contractor vulnerability disclosure programs covering cryptographic vulnerabilities