Full Report
President Trump signed an executive order on June 22 setting hard deadlines for federal agencies to move high-value assets and high-impact systems to post-quantum cryptography. Key establishment must move by December 31, 2030; digital signatures by December 31, 2031. EO 14409 leaves national security systems on a separate track. The deadlines matter because of a threat that does not
Analysis Summary
# Regulation/Compliance: Executive Order 14409 (Securing the Nation Against Advanced Cryptographic Attacks)
## Overview
Executive Order 14409 mandates a structured, accelerated transition of federal information systems and "covered contractor" networks to Post-Quantum Cryptography (PQC). The order addresses the "Harvest Now, Decrypt Later" threat, where adversaries collect encrypted sensitive data today to decrypt it once large-scale quantum computers become available. It pulls forward previous migration targets (NSM-10) by four to five years.
## Key Details
- **Issuing Authority:** President of the United States / White House
- **Effective Date:** June 22, 2026
- **Jurisdiction:** Federal Executive Agencies and "Covered Contractors"
- **Status:** Final (In Effect)
## Requirements
### Mandatory Requirements
1. **Appointment of PQC Lead:** Within 30 days, agencies must name a migration lead who reports to the CIO.
2. **Cryptographic Inventories:** Agencies must inventory all cryptographic assets, specifically focusing on High-Value Assets (HVAs) and High-Impact Systems.
3. **Migration Plans:** Agencies must submit detailed migration plans to OMB based on forthcoming guidance.
4. **Key Establishment Migration:** All key establishment mechanisms must utilize FIPS-approved PQC by Dec 31, 2030.
5. **Digital Signature Migration:** All digital signatures must utilize FIPS-approved PQC by Dec 31, 2031.
6. **Contractor Compliance:** Federal contractors must adhere to specific FIPS PQC standards by 2030.
### Recommended Practices
1. **Critical Infrastructure Alignment:** Sector Risk Management Agencies (SRMAs) and CISA assist private-sector critical infrastructure in building voluntary migration plans.
2. **Adoption of CBOM:** Organizations should prepare to use a Cryptographic Bill of Materials (CBOM) to enhance "crypto-agility."
## Affected Organizations
- **Industries:** Federal Government Agencies, National Security (on a separate track), Defense Industrial Base, and all "Covered Contractors" selling to the federal government.
- **Organization Size:** All sizes (if acting as a federal contractor).
- **Geographic Scope:** United States (Federal jurisdiction).
## Compliance Timeline
- **July 22, 2026 (30 Days):** Each agency head must name a PQC migration lead.
- **September 20, 2026 (90 Days):** OMB to issue formal guidance on inventory review and migration planning.
- **December 19, 2026 (180 Days):** FAR Council to propose rules for "covered contractors."
- **March 20, 2027 (270 Days):** CISA/NIST to publish minimum elements for CBOM; FAR Council to propose rules regarding cryptographic flaw disclosure.
- **December 31, 2027:** NIST to complete its subset pilot migration.
- **December 31, 2030:** **Final Deadline** for Key Establishment (FIPS 203).
- **December 31, 2031:** **Final Deadline** for Digital Signatures (FIPS 204/205).
## Implementation Guidance
### Assessment Phase
- **Cryptographic Inventory:** Identify all instances where encryption, key exchange, and digital signatures are used within the environment.
- **Dependency Mapping:** Flag all systems currently using non-PQC (classical) algorithms that are vulnerable to quantum attacks.
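
A first-pass triage of a cryptographic inventory against the two deadlines in this summary, as an added example that is not part of the executive order or any agency tooling. The record fields, system names and the list of classical algorithm families are assumptions constructed for illustration; hybrid and unrecognised entries are routed to manual review rather than passed.

```python
from datetime import date

# Deadlines and FIPS targets as stated in this summary of EO 14409.
TARGETS = {
    "key-establishment": (date(2030, 12, 31), "FIPS 203 (ML-KEM)"),
    "digital-signature": (date(2031, 12, 31), "FIPS 204 (ML-DSA) / FIPS 205 (SLH-DSA)"),
}
PQC_FAMILIES = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Classical public-key families that Shor's algorithm breaks (illustrative list).
CLASSICAL_FAMILIES = ("RSA", "ECDH", "ECDSA", "DH", "DSA", "X25519", "ED25519")

# Constructed sample inventory; field names are assumptions, not a CBOM schema.
INVENTORY = [
    {"system": "hr-portal", "hva": False, "use": "key-establishment", "algorithm": "ECDH-P256"},
    {"system": "payments-gw", "hva": True, "use": "digital-signature", "algorithm": "RSA-2048"},
    {"system": "payments-gw", "hva": True, "use": "key-establishment", "algorithm": "X25519"},
    {"system": "vpn-edge", "hva": False, "use": "key-establishment", "algorithm": "ML-KEM-768"},
    {"system": "code-signing", "hva": False, "use": "digital-signature", "algorithm": "ECDSA-P384"},
    {"system": "mail-relay", "hva": False, "use": "key-establishment", "algorithm": "X25519+ML-KEM-768"},
]


def family(algorithm, families):
    """Return the family an algorithm name belongs to, e.g. RSA-2048 -> RSA."""
    name = algorithm.upper()
    return next((f for f in families if name == f or name.startswith(f + "-")), None)


def triage(inventory):
    """Split records into migration findings and items needing manual review."""
    findings, review = [], []
    for rec in inventory:
        if family(rec["algorithm"], PQC_FAMILIES):
            continue  # already on a FIPS 203/204/205 algorithm family
        if family(rec["algorithm"], CLASSICAL_FAMILIES) and rec["use"] in TARGETS:
            deadline, target = TARGETS[rec["use"]]
            findings.append({**rec, "deadline": deadline, "target": target})
        else:
            review.append(rec)  # symmetric, hybrid or unrecognised: never auto-pass
    # High-Value Assets / High-Impact Systems first, then the nearest deadline.
    findings.sort(key=lambda f: (not f["hva"], f["deadline"], f["system"]))
    return findings, review


if __name__ == "__main__":
    todo, manual = triage(INVENTORY)
    for f in todo:
        print(f"{f['system']:13} {f['algorithm']:11} -> {f['target']} by {f['deadline']}")
    print("manual review:", [r["system"] for r in manual])
```
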
### Implementation Phase
- **Sequence the Swap:** Target High-Value Assets and High-Impact Systems first.
- **Procurement Review:** Update vendor requirements to ensure new purchases are "quantum-ready."
### Validation Phase
- **Vulnerability Disclosure Programs:** Contractors must test for missing encryption or use of non-FIPS-approved algorithms.
- **Reporting:** Submit completed migration plans and status updates to OMB/CIO.
## Technical Requirements
- **FIPS 203:** Requirement for Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM/CRYSTALS-Kyber).
- **FIPS 204:** Requirement for Module-Lattice-Based Digital Signature Standard (ML-DSA).
- **FIPS 205:** Requirement for Stateless Hash-Based Digital Signature Standard (SLH-DSA).
## Penalties & Enforcement
- **Fines:** Standard federal procurement penalties for non-compliance.
- **Other Consequences:** Loss of federal contracts; inability to pass required security authorizations (ATO).
- **Enforcement:** Enforced via the Federal Acquisition Regulation (FAR) Council and OMB oversight.
## Related Standards
- **NIST FIPS 203, 204, 205:** The foundational technical standards for PQC.
- **National Security Memorandum 10 (NSM-10):** The previous (now accelerated) crypto-transition framework.
## Resources
- **Official Documentation:** hxxps[://]www[.]whitehouse[.]gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/
- **NIST PQC Portal:** hxxps[://]www[.]nist[.]gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
## Practical Recommendations
1. **Immediate Action:** Identify your PQC Migration Lead today.
2. **Build a CBOM:** Start developing a machine-readable list of cryptographic assets (CBOM) to enable "crypto-agility."
3. **Vendor Outreach:** Ask software and hardware vendors for their PQC roadmap, specifically referencing FIPS 203, 204, and 205.