At A Glance 

On June 22, 2026, President Trump signed two Executive Orders that officially launch the federal government’s next phase of post-quantum cryptography (PQC) migration while accelerating U.S. quantum technology development. The orders establish new deadlines for federal agencies, signal upcoming requirements for contractors, and reinforce the importance of cryptographic inventory, crypto-agility, and NIST-approved PQC standards. 

Who is Affected

• Federal Agencies 
• Federal Contractors 
• Critical Infrastructure Operators 
• Defense Organizations 
• Enterprises that support regulated industries 

Key Deadlines

• 30 days – Agencies designate a PQC migration lead 
• 90 days – OMB issues implementation guidance 
• 180 days – NIST launches its migration pilot 
• December 31, 2030 – PQC key establishment deadline 
• December 31, 2031 – PQC digital signature deadline

 What Do the New Executive Orders Mean? 

 On June 22, 2026, President Trump signed two Executive Orders that, taken together, draw the clearest line yet between where the United States wants quantum technology to go and how it intends to defend against the risks that come with it: 

The first: “Securing the Nation Against Advanced Cryptographic Attacks” sets hard deadlines for the federal government’s migration to post-quantum cryptography (PQC) and reaches beyond federal agencies to contractors and critical infrastructure operators. 

The second: “Ushering in the Next Frontier of Quantum Innovation” which open with the line that America “stands at the cusp of a quantum revolution.” is an industrial-strategy order aimed at building a powerful quantum computer, deploying quantum sensors and networks, and securing the supply chains and workforce behind them.  

For years, the case for post-quantum cryptography rested on a forecast: a sufficiently powerful quantum computer would one day break the public-key encryption (e.g. RSA and ECC) that protects nearly all digital communication. What changed on June 22 is that the forecast became federal policy with deadlines attached.  

 The cryptographic-attacks order states the threat plainly in its opening section: the arrival of large-scale quantum computers, especially in adversary hands, “will pose a significant threat to widely used cryptographic security systems,” and ongoing cyber activity “presents the risk of adversaries collecting United States information now, and decrypting it later once large-scale quantum computers are operational.” 

Taken together, these Executive Orders recognize that advancing quantum computing and defending against its security implications are now inseparable national priorities. One order accelerates quantum innovation; the other accelerates the operational readiness required to protect critical systems in the quantum era. This guide reviews each order and translates it into actionable insights. 

Executive Order One: Securing the Nation Against Advanced Cryptographic Attacks 

This is the order that should be open on the desk of every CISO, head of PKI, and compliance lead.  

Key Takeaway: PQC migration is now official U.S. policy, with named owners 

The order makes PQC migration official U.S. policy, committing the government to “responsibly and effectively executing the transition of Federal information systems to National Institute of Standards and Technology (NIST)-approved Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography (PQC), and to assist critical infrastructure owners and operators with their transitions.” 

Two offices are put in charge of coordination: the Director of United States Office of Management and Budget (OMB) and the National Cyber Director are directed to “lead the strategic coordination and oversight of the national PQC migration policy and strategy.” NIST, NSA, and CISA are tasked with giving agencies ongoing technical guidance. This is no longer a recommendation from a standards body. It is a top-down program with named owners.  

Just as importantly, the order shifts the conversation from awareness to execution. Organizations are no longer being asked whether they should prepare for post-quantum cryptography, they are being directed to establish ownership, inventory cryptographic assets, and execute a migration strategy against defined milestones. 

Key Takeaway: Official PQC migration-related deadlines are set. Ranging from just 30 days to 2031

The heart of the order is in Section 4. Within 90 days, OMB must issue guidance requiring every agency to review its inventory of high value assets (HVAs) and high impact systems, and then: 

• “transition all HVAs and high impact systems to use PQC for key establishment by December 31, 2030” 

• “transition all HVAs and high impact systems to use PQC for digital signatures by December 31, 2031” 

Notice what comes before the migration deadlines: assigning ownership and understanding the current environment. The order recognizes that organizations face challenges migrating cryptography they have not yet identified. 

There is also a near-term action that is easy to miss: within just 30 days of the order, every agency head must “identify its PQC migration lead”; a named individual reporting to the CIO who owns cryptographic inventory, the migration plan, and cross-agency coordination. 

The order also directs NIST to start a pilot within 180 days and to “initiate a pilot project for PQC migration on an appropriate subset of information systems owned or operated by NIST, to be completed no later than December 31, 2027.” Before the government-wide deadlines hit, NIST is meant to migrate a slice of its own systems and show the rest of government how it’s done. Watch this pilot: it will become the de facto playbook, and the lessons from it will shape what auditors and procurement officers expect everyone else to do. 

The pilot is likely to influence more than technical implementation. It will also shape expectations for how agencies inventory cryptography, prioritize migrations, measure progress, and ultimately demonstrate readiness. 

 Key Takeaway: Contractors, critical infrastructure and allies are on the clock too 

This is the part with the widest blast radius. The order directs the Federal Acquisition Regulatory Council to publish a proposed rule requiring “covered contractors to comply by December 31, 2030, with NIST’s FIPS, including all applicable FIPS incorporating PQC compliant algorithms.” 

A second rule, due within 270 days, would require contractor vulnerability disclosure programs to include “reports of cryptographic vulnerabilities, including testing for lack of encryption and the use of non-FIPS approved algorithms.” 

In simple terms, this means that if you sell to the federal government, post-quantum readiness is becoming a contractual requirement, not a nice-to-have. By the end of 2030, non-FIPS, non-PQC cryptography in your products could put you out of compliance, and the vulnerability-disclosure rule means you’ll be expected to actively detect and report weak or missing encryption. 

For many organizations, the practical challenge extends well beyond selecting a PQC algorithm. Understanding where cryptography is used, coordinating migration across teams, and adapting existing environments will likely prove to be the larger effort. 

Agencies that act as Sector Risk Management Agencies must work with CISA to help critical infrastructure operators build PQC migration plans. The State Department is directed to engage foreign governments and industry groups to “encourage their transition to PQC algorithms standardized by NIST.” And within 270 days, CISA and NIST must release public guidance on the minimum elements of a cryptographic bill of materials (CBOM): a machine-readable inventory designed to “enable the automated assessment of the cryptographic assets utilized by a hardware or software element.” The inclusion of a CBOM reinforces a broader shift. Cryptography is becoming an operational asset that organizations will be expected to understand, manage, and update over time.  

Executive Order Two: Ushering in the Next Frontier of Quantum Innovation 

The second order is less about defense and more about offense: building American leadership in quantum computing, sensing, and networking. It is sprawling, but a few pieces matter most for anyone tracking the security implications. 

Key Takeaway: A national effort to develop a quantum computer is established

The order establishes the “Quantum Computer for Application Development and Discovery Science (QC-ADDS) Effort,” a national push to develop a quantum computer “at a scale intended to initiate the era of quantum-enabled scientific discovery,” with the goal of delivering at least one such machine to a Department of Energy facility. 

The innovation order also directs the Department of War to identify at least three next-generation quantum sensor projects to field by September 30, 2028; tasks multiple agencies with five-year plans for quantum sensing and networking; orders a strategy to strengthen domestic quantum supply chains; and calls for a government-wide quantum workforce recruitment and retention strategy, plus a network of National QIST Workforce Development Institutes. 

On the security side, it expands the Quantum Information Science and Technology Counterintelligence Protection Team to guard the quantum ecosystem against “adversarial threats to the QIST ecosystem, including cybersecurity threats.” 

Crucially, the order also directs the intelligence community and the Department of War to identify the national security implications of more powerful commercial quantum computers, “such as the implications for the migration to post-quantum cryptography.” 

This means that the same document that propels the race toward a more capable quantum computer also explicitly names cryptographic migration as one of the risks that it will create. Essentially, the government is acknowledging, in writing, that building quantum capability and defending against it are two halves of one strategy. 

Perhaps the most important takeaway is that these two Executive Orders are not in tension with one another, they are complementary. One is designed to accelerate quantum capability. The other recognizes that advancing quantum capability also requires a corresponding evolution in how cryptography is managed and modernized.  

What Should Your Organization Do Now? 

If you’re a federal agency 

The clock has already started. Your near-term task is naming a PQC migration lead and beginning the cryptographic inventory of your high value assets and high impact systems. Your fixed deadlines are PQC for key establishment by the end of 2030 and for digital signatures by the end of 2031. Watch the NIST pilot due in 2027. It will set expectations for everyone else. 

If you’re a federal contractor or sell into the supply chain 

PQC is becoming a condition of doing business. Plan for a Federal Acquisition Regulation (FAR) requirement to meet NIST FIPS, including PQC algorithms, by the end of 2030, and for a vulnerability-disclosure obligation that specifically covers weak or missing encryption. The practical first step is the same as the government’s: find out where cryptography lives in your products and where you’re relying on outdated algorithms. 

If you operate critical infrastructure 

You are explicitly named as someone the government intends to assist through Sector Risk Management Agencies and CISA. You aren’t under the federal deadlines directly, but the direction of travel is unmistakable, and the forthcoming cryptographic bill of materials guidance will likely become the reference standard for demonstrating you know what cryptography you’re running. 

If you’re an enterprise outside government entirely 

There may be no statutory deadline, but you have every signal you need. When the U.S. government commits its own systems, its contractors, and its diplomatic weight to NIST PQC standards by 2030/2031, those standards become the baseline your customers, partners, insurers, and regulators will eventually expect.  

Although each audience faces different timelines and responsibilities, a common theme runs through both Executive Orders: organizations are expected to treat cryptography as something that must be actively managed over time, not simply deployed and forgotten. That expectation extends well beyond any single migration effort. 

 Why Cryptographic Inventory Is Now the Critical First Step 

 Across both orders, the same requirement keeps surfacing: know your cryptography. The cryptographic-attacks order requires agencies to review their inventories before migrating, assigns a migration lead to own that inventory, and directs the creation of a cryptographic bill of materials standard for automated assessment. Every deadline in the order assumes you already know where your vulnerable algorithms are. 

However, most don’t. Even if they think they do. Cryptography is buried across applications, certificates, APIs, VPNs, cloud infrastructure, routers, endpoints, operational technology, and PKI. It is rarely centralized, often managed by different teams, and difficult to inventory or govern. It is impossible to confirm you will meet the 2030 deadline for migration without the current-state visibility that makes a migration strategy possible. 

Why Crypto-Agility Matters Beyond This Migration 

This is also why cryptographic agility (the ability to quickly swap in and out cryptography without re-architecting underlying applications) matters more than any single algorithm swap. PQC migration will not be the last cryptographic transition. Standards will keep evolving, and organizations that can discover, manage, and update their cryptography without rip-and-replace projects will absorb deadlines like these as routine, not as emergencies. 

How QuSecure Helps Organizations Prepare For The Quantum Executive Orders  

This is where technology decisions become important. The organizations best positioned for this transition will be those that can gain visibility into their cryptographic environments, modernize without unnecessary disruption, and remain adaptable as standards continue to evolve. 

QuSecure built QuProtect R3 for exactly the gap these orders expose: helping government, defense, and enterprise organizations modernize cryptography without massive rip-and-replace programs. It wraps around your existing infrastructure and delivers an automated, continuous inventory of cryptographic assets across the network: the visibility that every deadline in the cryptographic-attacks order quietly depends on, and the foundation for a cryptographic bill of materials. It also provides orchestrated crypto-agility, letting organizations transition to NIST-approved PQC and update algorithms by policy without code changes or downtime, and allows users to download an up-to-date cryptographic bill of materials (CBOM) at the click of a button for when auditors and contracting officers start asking for proof of PQC readiness. QuSecure already supports NIST-aligned PQC, hybrid migration, centralized governance, and deployment across cloud, on-premises, air-gapped, and tactical environments, with established adoption across federal and defense programs. 

The two Executive Orders signed on June 22, 2026 made one thing clear: the post-quantum transition is no longer a question of *if* or even *when*. The dates are on the calendar. The organizations that start now and use next gen solutions like QuProtect R3 for cryptographic agility, will meet them without disruption and allow them to respond quickly to any new requirements going forward, saving significant time and resources. The ones that wait or stick with the traditional approach of managing cryptography at the infrastructure-level, will struggle to meet these deadlines both now and in the future.  

---

 Want to understand your current cryptography and how to migrate within these deadlines?
Talk to a QuSecure expert or schedule a demo