
On June 22, 2026, President Trump signed Executive Order 14422, setting binding deadlines for federal agencies to transition to post-quantum cryptography. This blog outlines the EO's requirements, the two critical migrations (encryption by 2030 and authentication by 2031), and practical steps for organizations to start preparing now.
The Executive Order at a Glance
Executive Order 14422 (June 22, 2026) imposes binding deadlines on federal agencies for transitioning High Value Assets (HVAs) and high impact systems to post‑quantum cryptography. HVAs are systems designated by OMB as the government’s crown jewels—compromise of an HVA would severely affect national security, foreign relations, or public confidence. High impact systems are those rated “high” under FIPS 199, where a breach could cause loss of life, major financial damage, or mission degradation.
The order mandates two distinct migrations. Key establishment (encryption) must be completed by December 31, 2030, to defend against harvest‑now‑decrypt‑later attacks, where encrypted traffic is collected today and decrypted once a cryptographically relevant quantum computer (CRQC) exists. Digital signatures (authentication) must be completed by December 31, 2031, to prevent forgery of certificates, code signatures, and access credentials after a CRQC is operational. A one‑year gap between deadlines reflects the greater deployment maturity of post‑quantum encryption versus authentication, but concurrent work is essential to meet the 2031 target.
National Security Systems are explicitly excluded; they follow a separate classified NSA track with deadlines already set between 2030 and 2033 (from 2022). The EO also directs the FAR Council to propose rules requiring federal contractors to comply with NIST‑standardized post‑quantum algorithms (FIPS) by December 31, 2030, and to implement vulnerability disclosure programs for cryptographic weaknesses.
The EO builds on work from previous Administrations and updates NIST’s 2024 deprecation guidance (which called for deprecating RSA and Elliptic Curve Cryptography by 2030 and disallowing them by 2035). It focuses on NIST‑standardized algorithms, not Quantum Key Distribution (QKD), because QKD requires dedicated physical links and specialized hardware, rendering it unsuitable for Internet‑scale deployments.
Practical examples of affected systems include:
- Databases containing millions of federal employee records (HVA)
- Platforms processing classified intelligence (HVA)
- Systems managing federal financial transactions (HVA or high impact)
- Any system where confidentiality, integrity, or availability is rated “high” under FIPS 199
For enterprise software engineers supporting federal agencies, the immediate action items are: identify PQC migration leads (due July 2026), inventory HVAs and high impact systems, and plan for staggered migration—encryption by 2030, authentication by 2031—while ensuring supply chain products (cloud platforms, web browsers, TLS stacks) already support NIST‑standardized post‑quantum algorithms.
Why This EO Matters Now: Accelerated Q-Day Timeline
The executive order arrives at a moment when the timeline for a cryptographically-relevant quantum computer (CRQC)—commonly referred to as Q-Day—has been measurably accelerated. In April 2026, Cloudflare moved its internal target for full post-quantum security to 2029, citing research breakthroughs from Google and Oratomic. This industry shift directly informs the urgency of the EO's December 2031 deadline for post-quantum authentication, which signals a government assessment that there is a non-negligible probability of a CRQC operational around that time.
The immediate technical concern is the harvest-now-decrypt-later (HNDL) threat. An adversary collects encrypted traffic today and stores it for decryption once a quantum computer is powerful enough. Any data with a lifespan exceeding three to ten years—common for government records, financial transactions, healthcare data, and defense communications—is at risk. Therefore, organizations must deploy post-quantum encryption as soon as possible to protect data in transit and at rest from future decryption.
The EO bifurcates the migration into two phases: post-quantum key establishment (encryption) by December 2030, and post-quantum digital signatures (authentication) by December 2031. These are distinct challenges:
- Post-quantum encryption protects against HNDL attacks. It is already widely available—over two-thirds of browser traffic to Cloudflare's network uses post-quantum key agreement, and most major products support it.
- Post-quantum authentication prevents a CRQC from forging certificates, impersonating servers, or creating malicious code signatures. This protection is only needed after Q-Day, but its deployment is far more complex due to:
- Larger signature sizes (e.g., ML-DSA) impacting performance in short-lived TLS connections.
- A longer dependency chain requiring coordinated upgrades across clients, servers, certificate authorities, transparency logs, and root stores.
- Limited ecosystem deployment compared to encryption.
The compressed timeline—just one year between encryption and authentication deadlines—means these efforts cannot proceed sequentially. Enterprise teams must begin both migrations concurrently. Starting with post-quantum encryption for all critical traffic addresses the HNDL risk immediately. Simultaneously, planning for authentication migration—including inventorying certificate lifecycles, testing ML-DSA compatibility, and engaging with certificate authorities—is essential to meet the 2031 deadline. The EO's requirement for federal contractors to comply with NIST FIPS by 2030 will further accelerate product support across the industry.
Two Distinct Migrations: Encryption vs. Authentication
The migration to post-quantum cryptography comprises two distinct phases: key establishment (encryption) and digital signatures (authentication). These phases address fundamentally different attack timelines and present separate technical challenges. The U.S. executive order (EO 14412) codifies this split by setting a December 31, 2030 deadline for federal agencies to transition high-value assets and high-impact systems to post-quantum encryption, and a December 31, 2031 deadline for post-quantum authentication. The one-year gap is tight, and the two migrations must proceed concurrently—sequential execution would almost certainly cause the 2031 deadline to be missed.
Post-Quantum Encryption: Urgent Now
Post-quantum key establishment is needed today to counter harvest-now-decrypt-later attacks. In this scenario, an adversary collects encrypted traffic now—from TLS handshakes, VPN connections, or any public-key-based key exchange—and stores it until a cryptographically relevant quantum computer (CRQC) exists. Any data that retains value for years (classified documents, financial records, long-term healthcare data) is at risk. The 2030 deadline reflects that this threat is immediate; organizations handling sensitive data that will still be secret in 3–10 years must deploy post-quantum key agreement (e.g., ML-KEM, the NIST-standardized KEM) now. For example, a federal agency protecting employee records or intelligence data cannot wait—traffic encrypted today with Diffie-Hellman or ECDH must be upgraded to hybrid or pure post-quantum key exchange to prevent future decryption.
Post-Quantum Authentication: Needed After Q-Day, but Preparation Is More Complex
Post-quantum authentication prevents an adversary with a CRQC from forging digital signatures to impersonate servers, sign malicious code, or compromise access control. This threat materializes only after a CRQC exists, so the 2031 deadline is later. However, the migration is significantly harder due to two factors:
- Larger signatures. The NIST-standardized ML-DSA (FIPS 204) produces signatures roughly 10–50 times larger than classical RSA or ECDSA signatures. In short-lived TLS connections, this can degrade handshake performance and increase bandwidth costs. Workarounds like Merkle Tree Certificates (jointly explored by Cloudflare and Google Chrome) aim to mitigate this, but the ecosystem is early.
- Longer dependency chain. Post-quantum authentication requires coordinated upgrades across clients, servers, certificate authorities (CAs), certificate transparency (CT) logs, root stores, and browsers. Each link must support post-quantum certificates before the chain works end-to-end. Today, only limited ecosystem deployment exists.
This complexity means organizations cannot wait until 2030 to begin. They must start inventorying certificate dependencies, testing hybrid certificate chains, and engaging with vendors and CAs.
Standards Progress and Concurrent Action
The Internet Engineering Task Force (IETF) is actively standardizing protocol transitions. The PLANTS working group (Post-Quantum Use in Protocols for Internet and Network Security) has made good progress on post-quantum certificates for TLS. This work is essential to define how ML-DSA and ML-KEM integrate into TLS 1.3, X.509, and certificate transparency. Because the 2031 authentication deadline is only one year after the encryption deadline, and the dependency chain for authentication is longer, enterprises must run both migrations in parallel from today. Waiting for encryption to finish before starting authentication would leave no margin for the inevitable delays in certificate ecosystem rollouts.
What the EO Requires from Federal Agencies
The executive order (EO) signed June 2026 binds only federal agencies, but federal procurement authority will drive broader industry adoption. The EO targets two categories of sensitive systems: High Value Assets (HVAs)—systems whose compromise would significantly affect national security, foreign relations, or public confidence—and high impact systems, where confidentiality, integrity, or availability is rated "high" under FIPS 199. Agencies must prioritize these "crown jewels" for post-quantum cryptography (PQC) migration.
The EO establishes four binding milestones for each federal agency:
- July 2026 — Each agency head designates a PQC migration lead and submits the name and contact information to the Office of Management and Budget (OMB) and the National Cyber Director.
- September 2026 — OMB issues guidance requiring each agency to (1) complete an inventory of all HVAs and high impact systems, (2) develop a PQC migration plan, and (3) submit that plan to OMB and the National Cyber Director.
- December 2030 — All HVAs and high impact systems must be transitioned to PQC for key establishment (encryption).
- December 2031 — All HVAs and high impact systems must be transitioned to PQC for digital signatures (authentication).
The one-year gap between encryption and authentication deadlines reflects the current state of technology: post-quantum encryption is already widely deployed (e.g., in TLS 1.3 key agreement using ML-KEM), while post-quantum authentication is less mature due to larger digital signatures (ML-DSA) and longer supply-chain dependencies (certificate authorities, transparency logs, root stores). The EO correctly mandates both phases run concurrently to avoid missing the 2031 target. Note that National Security Systems are explicitly excluded from these deadlines and follow a separate classified track.
Although the EO does not bind other organizations (e.g., critical infrastructure, state/local governments, private sector), federal leadership is expected to accelerate adoption. The FAR Council must propose rules requiring "covered contractors" to comply with NIST FIPS incorporating PQC by December 2030—one year earlier than the agency authentication deadline—ensuring products are available when agencies need them. CISA’s Product Categories guidance now identifies cloud platforms, web browsers, and endpoint security as technologies where PQC is "widely available," directing agencies to procure only PQC-capable products.
Supply Chain Pressure: Contractors and Product Availability
The post-quantum executive order (EO 14412) imposes a binding deadline on federal contractors through the Federal Acquisition Regulation (FAR) Council. The Council must publish proposed rules requiring covered contractors to comply with NIST post-quantum Federal Information Processing Standards (FIPS)—specifically the standards for ML-KEM (key establishment) and ML-DSA (digital signatures)—by December 31, 2030. Contractors must also implement vulnerability disclosure programs (VDPs) that address cryptographic vulnerabilities, as mandated by the same rulemaking process.
This deadline is deliberately set one year earlier than the federal agency deadline for post-quantum authentication (December 31, 2031). The sequencing ensures that products procured by agencies are already post-quantum capable before agencies face their own authentication migration deadlines. In effect, the supply chain must deliver before the customer can demand.
CISA’s Product Categories for Technologies That Use Post-Quantum Cryptography Standards clarifies which technology segments already have sufficient post-quantum cryptographic support to justify procurement mandates. The following categories are classified as “widely available,” meaning organizations should procure only post-quantum-capable versions:
- Cloud infrastructure platforms (IaaS, PaaS)
- Web browsers and web servers
- Chat and messaging software
- Endpoint security products (including full-disk encryption)
For enterprise software engineers, this creates immediate technical requirements. If your product falls into any “widely available” category, you must integrate NIST-standardized post-quantum algorithms—ML-KEM for key agreement and ML-DSA for signatures—into your codebase and certificate-handling logic. Failure to do so will disqualify your product from federal procurement contracts after December 31, 2030.
This supply-chain pressure is not punitive; it accelerates the entire ecosystem’s migration. When contractors ship post-quantum-ready software, commercial customers also benefit because the same code bases are used across both federal and private-sector deployments. The combination of a fixed compliance deadline and clear procurement guidance from CISA gives engineering teams deterministic goals and reduces the risk of fragmented, ad hoc adoption.
Getting to Work: A Roadmap for Organizations
The Executive Order (EO) on post-quantum cryptography mandates two separate but interdependent migrations: post-quantum key establishment (encryption) by 2030 and post-quantum digital signatures and certificates (authentication) by 2031 for federal High Value Assets (HVAs) and high impact systems. These timelines reflect technological readiness: post-quantum encryption is already widely deployed to counter harvest-now-decrypt-later attacks, where adversaries collect encrypted traffic today for future decryption. Post-quantum authentication, needed only after a cryptographically-relevant quantum computer (CRQC) exists, faces a longer dependency chain across clients, servers, certificate authorities, and browsers. The one-year gap between deadlines is tight—both workstreams must begin now, not sequentially.
Organizations should follow this evidence-based roadmap:
- Inventory systems – Identify all HVAs and high impact systems as defined by OMB guidance. For non-federal entities, map equivalent crown-jewel assets (e.g., financial transaction platforms, classified intelligence systems, employee record databases). Compromise of these systems could cause severe harm: loss of life, major financial damage, or mission degradation.
- Procure only PQC-capable products – Per CISA’s product categories, technologies where PQC is “widely available” include cloud platforms (IaaS, PaaS), web browsers and servers, chat and messaging software, and endpoint security products like full disk encryption. For these categories, organizations should immediately require PQC support in procurement contracts.
- Engage with IETF standards – Work with the IETF PLANTS working group on post-quantum certificates for TLS, and monitor progress on Merkle Tree Certificates (in collaboration with Google Chrome) to address signature-size performance issues in short-lived connections.
- Leverage the EO and OMB guidance as a framework – Use OMB’s forthcoming agency migration planning requirements as a template for internal timelines, even if not federally bound. The EO’s contractor requirements (FAR Council rules by 2030) create supply-chain pressure that will propagate across all vendors.
- Adopt products already in production – Cloudflare, for instance, has been deploying post-quantum encryption across its network since 2019 and now protects over two-thirds of browser traffic with post-quantum key agreement. Its SASE platform Cloudflare One provides post-quantum encryption across TLS, MASQUE, and IPsec on-ramps and off-ramps. This demonstrates that post-quantum encryption is production-ready and should be adopted now for all internet-facing services.
Start both migrations concurrently. The encryption migration is urgent against harvest-now-decrypt-later threats; the authentication migration requires ecosystem coordination that cannot be deferred. Use the EO’s deadlines as forcing functions for inventory, procurement, and standards engagement.
Editorial Policy & Research Methodology
Our findings are based on rigorous internal research, verified industry benchmarks, and direct technical implementation experience from our enterprise client projects. All statistics and technical claims are reviewed by senior engineers before publication to ensure accuracy, transparency, and helpfulness for our readers.
