US federal agencies will have to complete their post-quantum cryptography (PQC) migration by 2030, or 2031 at the latest depending on use cases.
In a new executive order (EO) signed on June 22 (EO 14409), US president Donald Trump issued requirements designed to help accelerate the migration to quantum-safe technologies.
This move aims to “safeguard America’s most sensitive data, our critical infrastructure, and the digital economy that drives jobs and growth,” the White House explained in a fact sheet accompanying the executive order.
The main requirement is that all US federal agencies should transition “high value assets” and “high impact systems” to use PQC for key establishment by December 31 2030 and for “digital signatures” by December 31 2031.
Key establishment refers to key-encapsulation mechanisms (KEM), which are sets of algorithms that, under certain conditions, can be used by two parties to establish a shared secret key over a public channel.
Digital signatures are standardized suites of algorithms used to detect unauthorized modifications to data and to authenticate the identity of a user.
In addition to these deadlines, the EO requires the US Department of Commerce to immediately initiate a pilot project for PQC migration and to complete it by December 31, 2027.
Federal Push to Accelerate PQC Migration and Coordination
Beyond timed requirements, President Trump directed the Office of Management and Budget (OMB)and US National Cyber Director to lead an accelerated nationwide transition to PQC.
He also called on the State Department and other agencies to support critical infrastructure operators and international partners in adopting PQC.
Finally, the executive order tasked the OMB, the Department of Defense, NASA and the General Services Administration with identifying cost efficiencies in the migration strategy. The Federal Acquisition Regulatory Council has been instructed to ensure contractors meet federal cybersecurity and vulnerability disclosure standards by 2030.
Quantum Threats Reshape Security Priorities, Experts Warn
This new executive order underscores the growing risk of “harvest now, decrypt later” attacks, where adversaries collect encrypted data today with the intention of breaking it once quantum computing becomes viable – a scenario commonly called Q‑Day.
Speaking to Infosecurity, Laurent Leloup, secretary general of the Global Quantum Threat Alliance (GQTA), highlighted that this executive order “marks a systemic shift” by “moving from ‘quantum’ project management to a national security emergency.”
“By pulling the PQC transition deadline forward to 2030, Washington is imposing a brutal acceleration that de facto weakens organizations that opted for a diluted approach to their resilience,” he argued.
He also warned that critical industries like the financial sector should therefore “immediately overhaul their trust architectures” and adopt crypto-agility, else they will “face security obsolescence.”
Crypto-agility is a concept that involves creating an abstract layer between the applications and the cryptography libraries allowing security teams to update to the latest encryption algorithms without having to replace their stack entirely.
Instead of directly integrating the encryption algorithms into the code, following a crypto agile approach means security teams will just have to send a command to ‘encrypt’ and the abstract layer connects to a security policy that says, “for any ‘encrypt,’ command use this standard with these key parameters.”
Gary Barlet, public sector CTO at Illumio, also warned that the quantum research community should now focus their efforts on helping PQC transition before focusing “solely on future encryption standards.”
“The more immediate challenge is protecting the people, systems, research environments and supply chains that support quantum innovation today,” he said.
“Adversaries do not need a quantum computer to steal quantum breakthroughs. They only need access. That is why visibility, segmentation, and breach containment strategies remain critical. Protecting quantum research starts with assuming compromise is possible and ensuring that one successful intrusion cannot become a broader national security event.”
Read now: How Businesses Should Approach the Post-Quantum Cryptography Transition
Industry Momentum Accelerates Shift to Quantum-Safe Encryption
The private sector has already begun moving toward post-quantum cryptography, with firms such as Google, Dell and HP outlining transition efforts over the coming decade and Cloudflare targeting full PQC migration by 2029.
Now, the US government is seeking to formalize and accelerate this shift through a coordinated national strategy.
Read more: Quantum Computing Threat to Encryption Is Closer Than Expected, Warns Google
The push also comes amid rising international momentum, with France’s cybersecurity agency (ANSSI) announcing it will stop certifying products that lack quantum-safe encryption starting in 2027, adding further pressure on organizations to act quickly.
Billy McDiarmid, VP at cybersecurity firm Red Sift, noted that despite “important work being done by government, industry and academia” towards accelerating the PQC transition, “the pace has not always matched the scale of the risk.”
“The 2031 federal target is an important marker, but it should not be treated as a comfortable deadline. Any organization holding data that needs to remain private for years should be planning against a 2029-2031 window now,” McDiarmid advocated.
He also emphasized that “post-quantum migration is not just about buying new algorithms” but also to ensure all certificates, keys, applications, APIs, cloud services, suppliers, devices and third-party systems are secure with quantum-safe encryption.
