Executive Order 14412 · Signed Jun 22, 2026

91 FR 38483 · Published Jun 25, 2026 · Effective on signing

Share

Securing the Nation Against Advanced Cryptographic Attacks

cybersecurityquantum computingfederal IT policyfederal contractingnational security

Signed by President Donald Trump

The order directs federal agencies to inventory their most sensitive systems and transition them to quantum-resistant encryption standards, with key deadlines in 2030 and 2031, and coordinates guidance, procurement rules, and international outreach to support the shift.

It responds to the threat that adversaries could steal encrypted data now and decrypt it later once large-scale quantum computers exist, pushing the government and its contractors toward NIST-approved post-quantum cryptography before that capability arrives.

What this order does

What it orders

The order directs OMB and the National Cyber Director to lead coordination of a national post-quantum cryptography (PQC) migration strategy for federal agencies. Each agency must designate a PQC migration lead within 30 days, and within 90 days OMB must issue guidance requiring agencies to inventory high-value assets and high-impact systems and transition them to PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. NIST must run a pilot migration project, NSA must report annually on National Security Systems migration, and CISA must issue guidance on a cryptographic bill of materials.

The order also directs the FAR Council to propose rules requiring federal contractors to comply with PQC standards by 2030 and to update vulnerability disclosure requirements. It excludes National Security Systems from the standard OMB guidance track, applies only within existing legal authority and available appropriations, and creates no enforceable private rights.

Who it affects

Federal agencies and their chief information officers, agencies operating National Security Systems, federal contractors subject to forthcoming FAR rules, critical infrastructure owners and operators, and foreign governments and industry groups targeted for PQC outreach.

Why it matters

Agencies and contractors face binding 2030 and 2031 deadlines to overhaul cryptographic systems protecting sensitive data, which could require significant technical work and procurement changes; delays risk data later being decrypted by adversaries using future quantum computers.

What must happen and when

How the order is supposed to work

Implementation proceeds in stages: agencies name migration leads first, then OMB issues binding guidance with hard 2030/2031 deadlines for high-value systems, while NIST pilots migration on its own systems and issues technical standards CISA and agencies rely on. NSA reports annually to the President on National Security Systems progress. Enforcement teeth mainly come through OMB oversight and forthcoming FAR rule changes binding contractors, though the order explicitly preserves existing agency authority and is contingent on appropriations.

Actions and deadlines

  • Identify agency PQC migration lead and provide contact details to OMB and National Cyber DirectorWithin 30 days of signing
  • Issue guidance requiring agencies to inventory and plan PQC migration for high-value assets and systemsWithin 90 days of signing
  • Transition high-value assets and high-impact systems to PQC for key establishment2030-12-31
  • Transition high-value assets and high-impact systems to PQC for digital signatures2031-12-31
  • Initiate a PQC migration pilot project on NIST-owned information systemsWithin 180 days of signing
  • Complete the NIST PQC migration pilot project2027-12-31
  • Submit report to the President on PQC migration status for National Security SystemsWithin 180 days of signing
  • Release public guidance on minimum elements for a cryptographic bill of materialsWithin 270 days of signing
  • Revise Cryptographic Module Validation Program processes to accelerate validationsWithin 180 days of signing
  • Publish proposed FAR rule requiring contractor compliance with PQC standardsWithin 180 days of signing
  • Publish proposed FAR rule on contractor vulnerability disclosure programs covering cryptographic vulnerabilitiesWithin 270 days of signing

Agencies directed to act

Office of Management and BudgetDepartment of CommerceNational Institute of Standards and TechnologyNational Security AgencyDepartment of Homeland SecurityCybersecurity and Infrastructure Security AgencyDepartment of StateDepartment of WarNational Aeronautics and Space AdministrationGeneral Services AdministrationFederal Acquisition Regulatory CouncilOffice of the Director of National Intelligence

Authority and reach

Authorities cited

Article II

Constitutional grant of executive power to the President.

Executive Order

Ask GovernmentReporter about this order

Ask anything about what this order does, who it affects, and how it changes policy.