
Trump Orders Federal Agencies To Migrate To Post-Quantum Cryptography By 2030
Key Takeaways
- Agencies and contractors must migrate to post-quantum cryptography by hard deadlines.
- Twin executive orders accelerate quantum computing development while hardening defenses and PQC migration.
- Adversaries are already harvesting encrypted data to decrypt later; PQC aims to prevent this.
Deadlines for PQC shift
President Donald Trump signed executive orders Monday that accelerate the federal government’s transition to post-quantum cryptography, directing agencies to identify lead PQC transition officials within 30 days.
“The White House is drastically shortening the deadline for government agencies and organizations to adopt new quantum-resistant encryption systems that will withstand attacks that use quantum computers, as the federal government seeks to protect decades’ worth of secrets belonging to militaries, banks, governments, and most individuals on Earth”
The orders require agencies to transition “high value assets” and “high impact systems” to post-quantum cryptographic keys by Dec. 31, 2030 and PQC digital signatures by the end of 2031.

The White House also directs the Office of Management and Budget to issue new PQC guidance to agencies within 90 days, while the National Institute of Standards and Technology is tasked with starting a pilot project for PQC migration in the next 180 days.
Cybersecurity experts warn that U.S. adversaries could steal encrypted data today and decrypt it with a quantum computer in the future, a strategy known as “harvest now, decrypt later.” The accelerated deadlines are meant to force action before that future capability arrives.
Garfield Jones, former associate chief of strategic technology at the Cybersecurity and Infrastructure Security Agency, said the executive order “really lights a fire under everyone to say, ‘hey, this is something that the government’s taking seriously,’” while Matthew Hartman said the order “makes clear that quantum readiness is no longer a future problem.”
CIO pressure and contractor compliance
Federal News Network described how the executive order “drops it right in the CIO’s lap to say, ‘I’ve got to get this ready,’” framing the work as something that must be completed within the official’s tenure rather than later.
Cybersecurity Dive reported that the directive requires the Office of Management and Budget to issue guidance setting two major deadlines for agencies’ adoption of post-quantum cryptography in high-value assets: Dec. 31, 2030 for key establishment and Dec. 31, 2031 for digital signatures.

The same Cybersecurity Dive account said the order tasks the Commerce Department with pilot-testing PQC algorithms on selected NIST computer systems by the end of 2027 and directs agencies that write federal contracting rules to issue a regulation requiring contractors to comply with NIST’s Federal Information Processing Standards (FIPS) by the end of 2030.
John Miller of the Information Technology Industry Council said the executive order “sets appropriately aggressive timelines” for federal agencies, while CSO Online quoted Chris Hickman, CISO at Keyfactor, as saying “It compels action.”
CSO Online also quoted Ilona Cohen, chief legal and policy officer at HackerOne, saying “Federal networks are only as resilient as the contractors supporting them,” tying the migration deadlines to future compliance pressure across the supply chain.
Quantum initiative and what’s at risk
Alongside the cryptography deadlines, the executive order package also expands U.S. quantum efforts, with CoinDesk reporting that one order pushes for QC-ADDS and “intent to deliver at least one such computer to a Department of Energy facility.”
“Quantum computing is often seen as a risk to bitcoin”
CoinDesk said the defensive order, Executive Order 14409, focuses on the “harvest now, decrypt later” problem by stating that adversaries “may already be collecting” encrypted U.S. data and could decrypt it later with quantum computers.
Cybersecurity Dive added that the order requires CISA and Sector Risk Management Agencies to help critical infrastructure operators develop PQC adoption plans, and it requires CISA to publicly release advice for constructing a cryptographic bill of materials.
IT Security Guru described the stakes as a shift from planning to action, quoting Simon Pamplin, CTO at Certes, that the executive order “confirms what has been treated as a forward-looking concern is now a federal mandate with fixed deadlines.”
The same IT Security Guru account warned that “Data stolen and encrypted today can be decrypted the day quantum breaks the math,” emphasizing that the risk is not limited to federal systems as the deadlines ripple into critical infrastructure and other organizations.