President Donald Trump issued an executive order on June 22 directing federal agencies to transition high-value assets and high-impact systems to post-quantum cryptography, with deadlines of Dec. 31, 2030, for key establishment protocols and Dec. 31, 2031, for digital signature systems. The order responds to risks that adversaries could collect encrypted U.S. data now and decrypt it later once quantum computing technology advances. The directive applies to sensitive federal systems, federal procurement standards, and planning across critical infrastructure sectors, establishing a framework to protect the nation's sensitive data, critical infrastructure, and digital economy against future cryptographic attacks.
Federal Agencies Receive 30-Day and 90-Day Implementation Mandates
Agency heads must name a post-quantum cryptography migration lead within 30 days of the executive order. These officials will report to agency chief information officers and manage cryptographic inventories, develop migration plans, and coordinate implementation across departments.
Within 90 days, the Office of Management and Budget must issue guidance in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Director. Agencies will need to review their high-value assets and high-impact systems, excluding National Security Systems, and submit detailed plans for transitioning to new standards.
The executive order states: "The United States must take steps to strengthen cryptographic protections for the Nation's sensitive data, critical infrastructure, and digital economy."
NIST Begins Pilot Migration Project with 2027 Completion Deadline
The National Institute of Standards and Technology (NIST) must begin a pilot migration project within 180 days on selected systems it controls, with completion required by Dec. 31, 2027. This pilot will guide broader adoption before the 2030 and 2031 deadlines.
The order highlights long-term data risks, stating: "Ongoing cyber activity against our Nation also presents the risk of adversaries collecting United States information now, and decrypting it later once large-scale quantum computers are operational."
CISA and NIST have 270 days to publish guidance on minimum elements for a cryptographic bill of materials. Sector Risk Management Agencies will work with CISA to help critical infrastructure operators prepare migration plans.
Federal Acquisition Regulatory Council Publishes Proposed Contractor Rule Within 180 Days
The Federal Acquisition Regulatory Council has 180 days to publish a proposed rule requiring covered contractors to meet NIST standards, including post-quantum algorithms, by Dec. 31, 2030.
The Secretary of State will coordinate with federal agencies and intelligence officials to promote adoption of NIST post-quantum standards abroad. National Security Systems will follow a separate track, with the NSA director required to report progress to the president within 180 days and annually thereafter.
FAQ
What deadlines did Trump's executive order set for federal quantum-resistant encryption?
The executive order issued on June 22 sets a deadline of Dec. 31, 2030, for key establishment protocols and Dec. 31, 2031, for digital signature systems in high-value assets and high-impact federal systems.
Why did the executive order mandate a shift to post-quantum cryptography?
The order addresses risks that adversaries could collect encrypted U.S. data now and decrypt it later once quantum computing technology advances, threatening the nation's sensitive data, critical infrastructure, and digital economy.
What is NIST's role in the federal quantum-resistant encryption transition?
NIST must begin a pilot migration project within 180 days on selected systems it controls, with completion required by Dec. 31, 2027, to guide broader federal adoption before the 2030 and 2031 deadlines.
