The White House's new executive order on Securing the Nation Against Advanced Cryptographic Attacks accelerates the federal government's transition to quantum-resistant security through new migration requirements, governance obligations, and implementation deadlines. Issued alongside a broader quantum technology order focused on innovation, commercialization, workforce development, and domestic capability building, the directive signals a growing emphasis on quantum readiness across government.
From PQC Strategy to Implementation
The administration's March 2026 Cyber Strategy explicitly identified post-quantum cryptography (PQC) as a key element of maintaining U.S. leadership in emerging technologies. The strategy committed to modernizing federal systems through post-quantum cryptography, zero trust architecture, and cloud transition, while also promoting the adoption of post-quantum cryptography and secure quantum computing across the broader technology ecosystem.
Until recently, federal quantum policy focused largely on standards development and planning. The new executive order shifts the focus to implementation.
The PQC order accelerates migration deadlines for key establishment and digital signatures while establishing new requirements for agency migration planning, governance, and procurement. Under the order, agencies must transition high-value assets and high-impact systems to PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. Accelerated timelines create immediate pressure to inventory cryptographic systems, evaluate dependencies, and begin planning for procurement and deployment decisions that may take years to complete.
The order requires agencies to designate migration leads, review high-value assets and high-impact systems, and develop migration plans aligned with the accelerated deadlines. Together, these requirements move PQC from a strategic objective to an operational planning and management challenge.
Creating the Conditions for Migration
This order builds on a series of initiatives that have begun establishing the foundation for government-wide post-quantum migration.
In January, the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency, published an initial list of hardware and software product categories that support or are expected to support post-quantum cryptography standards. The list provides agencies and contractors with an early roadmap for procurement and transition planning.
The National Institute of Standards and Technology (NIST) has likewise begun shifting from standards development toward implementation. Earlier this month, the agency released draft guidance for integrating post-quantum cryptography into Personal Identity Verification credentials, including a transition period in which classical and post-quantum credentials can operate simultaneously. The executive order builds on these efforts by directing NIST to conduct a pilot migration project and requiring CISA and NIST to develop guidance on a cryptographic bill of materials to improve visibility into cryptographic dependencies across systems and software.
Building Visibility Through a Cryptographic Bill of Materials
One of the more forward-looking provisions of the executive order is the direction to NIST and CISA to develop guidance for a Cryptographic Bill of Materials (CBOM).
Similar to a Software Bill of Materials (SBOM), a CBOM would provide visibility into where and how cryptography is deployed across systems and applications. Such visibility could help organizations identify cryptographic dependencies that may require replacement or modification during a post-quantum transition.
One of the greatest challenges facing organizations today is the lack of visibility into where vulnerable cryptographic implementations reside. Cryptography is often deeply embedded across enterprise technology environments. Without reliable inventories, organizations may struggle to prioritize migration activities or assess the scope of required changes. The Administration's emphasis on CBOM development reflects a broader policy trend toward increased transparency and asset visibility as foundational elements of cybersecurity risk management.
At the same time, the experience of implementing SBOMs offers a useful reminder that improving visibility across complex technology ecosystems is often easier in concept than in practice. Organizations have faced challenges related to standardization, maintenance, and integration into existing risk management processes. As policymakers and industry begin developing CBOM frameworks, similar questions will likely emerge regarding scope, implementation, ownership, and how cryptographic information can be maintained accurately over time.
For federal contractors and technology providers, the CBOM initiative may also serve as an early indicator of future procurement expectations. As agencies seek greater insight into cryptographic dependencies, vendors may face growing requests to document and communicate how cryptographic functions are implemented within their products and services.
Vulnerability Disclosure Programs
The executive order also addresses how organizations identify and report cryptographic weaknesses through updates to contractor Vulnerability Disclosure Program requirements. By directing attention to coordinated vulnerability disclosure practices, the administration reinforces a broader secure-by-design approach that has become increasingly central to federal cybersecurity policy.
Organizations preparing for post-quantum migration will likely need to do more than upgrade cryptographic implementations. They will also need governance mechanisms capable of identifying implementation flaws, interoperability issues, and newly discovered vulnerabilities that may emerge during the transition.
For contractors and technology providers supporting federal customers, the order further signals that vulnerability disclosure practices are increasingly viewed as a baseline component of cybersecurity maturity rather than a voluntary best practice.
Congressional Momentum and Growing Alignment
The executive orders also arrive as Congress considers accelerating the federal government's post-quantum cryptography timeline.
Legislative text released by the Senate Armed Services Committee as part of the Fiscal Year 2027 National Defense Authorization Act (NDAA) would require the Department of Defense to migrate to NIST-approved post-quantum cryptography algorithms on an accelerated schedule. If enacted, those requirements would move ahead of previously anticipated federal migration targets and place additional pressure on defense organizations and contractors to prepare for implementation.
For compliance teams and federal contractors, the significance of the NDAA proposal extends beyond the Department of Defense. Major federal cybersecurity requirements often ripple outward through acquisition requirements and contractual obligations. Combined with the executive order's direction to develop a proposed Federal Acquisition Regulation (FAR) rule requiring covered contractors to comply with applicable NIST standards, the proposal suggests that quantum readiness may increasingly become part of the broader federal compliance landscape.
Together, the executive order, agency guidance, and congressional proposals suggest growing alignment around accelerating federal migration to post-quantum cryptography.
The Challenge Ahead
The executive orders establish an ambitious direction for federal agencies, but implementation will be the true test.
Migrating to post-quantum cryptography is not a simple software upgrade. Cryptographic systems are embedded throughout federal networks, identity systems, communications infrastructure, software supply chains, and mission-critical applications. At a practical level, agencies will need to:
- Inventory existing cryptographic dependencies across networks and systems.
- Evaluate modernization requirements and migration pathways.
- Coordinate with vendors and technology providers.
- Manage interoperability between classical and post-quantum environments during the transition.
- Prioritize systems based on mission impact and implementation complexity.
The challenge extends beyond federal agencies. The order directs Sector Risk Management Agencies to support critical infrastructure owners and operators, signaling that post-quantum preparedness is increasingly viewed as an ecosystem-wide challenge.
For federal agencies, contractors, and technology providers, the message is clear: post-quantum cryptography is no longer a future modernization objective. It is becoming a present-day implementation and compliance challenge.
