Key Takeaways
- Federal departments must shift sensitive systems to quantum-resistant cryptographic standards.
- New requirements assign agency leads, inventories, planning duties, and oversight responsibilities.
- Broader implementation could affect contractors, infrastructure operators, and international cybersecurity coordination.
Agencies Face 2030 and 2031 Deadlines for Sensitive Federal Systems
President Donald Trump ordered federal agencies to move high-value assets and high-impact systems to post-quantum cryptography, setting deadlines of Dec. 31, 2030, for key establishment and Dec. 31, 2031, for digital signatures. The June 22 executive order applies to sensitive federal systems, procurement rules, and planning across critical infrastructure sectors.
The order focuses on the risks posed by quantum computing. It warns that adversaries could collect encrypted U.S. data today and decrypt it later once quantum technology advances. Post-quantum cryptography refers to cryptographic algorithms or methods designed to resist attacks from both quantum and classical computers.
The Executive Order states:
“The United States must take steps to strengthen cryptographic protections for the Nation’s sensitive data, critical infrastructure, and digital economy.”
Agency heads must name a post-quantum cryptography migration lead within 30 days. These officials will report to agency chief information officers and manage cryptographic inventories, develop migration plans, and coordinate implementation across departments.
Within 90 days, the Office of Management and Budget must issue guidance in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Director. Agencies will need to review their high-value assets and high-impact systems, excluding National Security Systems, and submit detailed plans for transitioning to new standards.
NIST, CISA, and Contractors Receive Defined Implementation Roles
Several federal agencies have specific responsibilities under the order. National Institute of Standards and Technology (NIST) must begin a pilot migration project within 180 days on selected systems it controls, with completion required by Dec. 31, 2027. This pilot will help guide broader adoption before the 2030 and 2031 deadlines.
The order also highlights long-term data risks. It states:
“Ongoing cyber activity against our Nation also presents the risk of adversaries collecting United States information now, and decrypting it later once large-scale quantum computers are operational.”
Procurement changes will move through rulemaking. The Federal Acquisition Regulatory Council has 180 days to publish a proposed rule that would require covered contractors to meet NIST standards, including post-quantum algorithms, by Dec. 31, 2030. Critical infrastructure is also included, with Sector Risk Management Agencies directed to work with CISA to help operators prepare migration plans, while CISA and NIST have 270 days to publish guidance on minimum elements for a cryptographic bill of materials.
The order extends beyond domestic systems by directing the Secretary of State to coordinate with federal agencies and intelligence officials to promote adoption of NIST post-quantum standards abroad. National Security Systems will follow a separate track, with the NSA director required to report progress to the president within 180 days and annually thereafter.
