Regulation | 2 min read | 24 June 2026

Federal Push for Quantum-Resistant Cryptography: New Deadlines and Initiatives

The U.S. government mandates a nationwide shift to quantum-resistant cryptography by 2030, impacting federal agencies and contractors.

Priya Natarajan, Compliance & Risk Analyst

President Trump signed two executive orders on Monday, setting strict timelines for federal agencies to migrate to quantum-resistant cryptography by 2030. This move is part of a broader initiative to prepare the nation against potential advanced cryptographic attacks that could emerge with the advent of quantum computing.

The first order, titled "Securing the Nation Against Advanced Cryptographic Attacks," requires federal agencies to transition their key-establishment mechanisms by the end of 2030 and digital-signature systems by the end of 2031. Agencies must appoint senior migration officials within 30 days, while the Office of Management and Budget has 90 days to issue guidance on implementing these changes.

The urgency of this mandate stems from the "harvest now, decrypt later" threat model, which anticipates adversaries collecting encrypted data now to decrypt it later using quantum computers. This scenario is not just theoretical; it is a significant concern in current threat assessments involving nation-state actors.

Building on NIST's post-quantum cryptography standards published in 2024, the order also tasks NIST and CISA with developing a cryptographic bill of materials (CBOM) within 270 days. This CBOM aims to catalog cryptographic algorithms and dependencies, facilitating a more efficient migration away from vulnerable systems.

Contractors will play a crucial role in this transition. The Federal Acquisition Regulatory Council is directed to establish procurement requirements that enforce NIST PQC standards compliance by 2030. Contractors in fields like security, cloud services, and managed services will need to align with these standards to maintain federal contracts.

Chris Hickman, CISO at Keyfactor, emphasized the compulsory nature of these orders, stating, "A lot of suppliers out there don't want to lose revenue from the federal government, so it's time to take this stuff seriously." Ilona Cohen, HackerOne's chief legal and policy officer, highlighted the systemic risk posed by contractors, framing compliance as more than a bureaucratic task.

The second order, "Ushering in the Next Frontier of Quantum Innovation," introduces the Quantum Computing for Accelerated Discovery and Development for Science (QC-ADDS) program. This initiative involves several government bodies, including the Department of Energy and NASA, in a coordinated effort to advance quantum computing R&D.

The directives set a clear mandate and timeline. However, the effectiveness of these orders will largely depend on whether agencies and their contractors perceive these deadlines as non-negotiable. For organizations involved in federal projects, understanding the implications of these orders and preparing accordingly is vital.

Organizations can benefit from specialized security-awareness training to ensure their teams are prepared to handle these complex transitions and comply with new standards effectively.

How this could have been prevented

  • Ensure all cryptographic systems are inventoried and assessed for quantum vulnerability.
  • Implement NIST-recommended quantum-resistant algorithms as part of your cryptographic strategy.
  • Train your team on the latest standards with Train2Secure.


Frequently asked questions

What is the deadline for federal agencies to adopt quantum-resistant cryptography?

Agencies must transition key-establishment mechanisms by December 31, 2030, and digital-signature systems by December 31, 2031.

What is the 'harvest now, decrypt later' threat?

It refers to adversaries collecting encrypted data now to decrypt it later using advanced quantum computers.

How will contractors be affected by these orders?

Contractors must comply with NIST PQC standards by 2030 to continue federal procurement.
