Skip to Main Content Subscribe

Executive Order Speeds Up Post-Quantum Cryptography Timelines

Share

A new White House executive order and OMB guidance call for faster post-quantum cryptography migration for federal agencies.

3m read
Written by:
President Trump and members of his cabinet delivered remarks after signing an executive order on quantum computing and post-quantum cryptography June 22, 2026.
President Trump and members of his cabinet delivered remarks after signing an executive order on quantum computing and post-quantum cryptography June 22, 2026. Photo Credit: Official White House Photo | Joyce N. Boghosian

The White House’s latest quantum cybersecurity directive accelerated the timeline for agencies to prepare for post-quantum cryptography, and experts said the first step is understanding where vulnerable cryptography exists.

The order, signed last week, directed agencies to transition high-value assets and high-impact systems to PQC by Dec. 31, 2030. It also directed agencies to submit prioritized migration plans under new implementation guidance from the Office of Management and Budget.

Cybersecurity experts said agencies should begin by inventorying cryptographic assets, identifying sensitive data and prioritizing systems that will require the most time and effort to modernize.

“We’re never going to be able to say ‘we’re 100% cyber secure.’ It’s an ongoing expense that needs to be allocated for, and there’s a risk assessment that goes along with that,” Celia Merzbacher, director of the Quantum Economic Development Consortium (QED-C), told GovCIO Media & Research. “Maybe some of your data doesn’t need to be prioritized, but that’s for every organization and every CIO to undertake that assessment and make a plan.”

While larger organizations may have in-house capabilities for their PQC migration journey, others will likely work with service providers to keep systems secure, compliant and up to date.

“IT managers, CISOs or whoever is in charge of that migration need to know the questions to ask. They also need to know how to inform management and boards that they are on track to not have a problem, like a data breach or loss of encryption, because they have a plan in place and they’re executing on it,” said Merzbacher.

Where Agencies Should Focus Efforts

For agencies already preparing for the transition, experts said the biggest challenge won’t be replacing algorithms; it will be understanding where vulnerable cryptography already exists across sprawling federal environments.

Bill Wright, head of government affairs at Everpure and former member of the intelligence community, said he expects to see varying levels of quantum-readiness depending on how agencies previously treated data hygiene efforts.

“Those that have good visibility and accounting are going to be able to move quickly. Others that haven’t had the same kind of discipline over the years are going to struggle,” said Wright.

Agencies may also face additional challenges beyond data visibility and cleanup. Legacy systems often rely on older cryptographic implementations that are difficult to replace or upgrade. Without modernizing those systems, agencies may struggle to deploy PQC algorithms or implement cryptographic agility across their environments.

“It’s a problem throughout the government — this reliance on legacy systems, and we’ve been talking for the better part of a decade on how to leapfrog out of it,” Wright said.

Prathibha Rama, computer engineer at Johns Hopkins University Applied Physics Laboratory, said legacy systems should be among the first priorities in an agency’s PQC migration because they often require more time and engineering effort to modernize.

“Legacy systems tend to be more difficult to update. They take longer to update. A lot of times because there’s older hardware, you might have embedded systems involved in that. Those are systems you want to focus on early on because there’s going to be more engineering, creativity and feats that are involved in updating those systems,” Rama said in April.

Wright said IT leaders should design systems to remain cryptographically agile because NIST’s approved algorithms will likely continue to evolve as new standards emerge.

“The algorithms that agencies are being asked to migrate to aren’t guaranteed to be the last. NIST is going to continue to do the hard work of refining those. Agencies need to be designing systems so that you can swap out one algorithm for another without a wholesale disruption.”

Related Content