White House Orders Federal Agencies to Move High-Value Systems to Post-Quantum Cryptography
The White House has ordered federal civilian agencies to move high-value and high-impact systems to post-quantum cryptography, setting firm deadlines for the government’s largest cryptographic migration effort. The new executive order, titled “Securing the Nation Against Advanced Cryptographic Attacks,” was signed on June 22, 2026.
The order warns that future large-scale quantum computers could break many public-key cryptography systems used today. It also highlights the “harvest now, decrypt later” risk, where adversaries collect encrypted data now and wait for quantum computers powerful enough to decrypt it later.
The policy directs agencies to transition high-value assets and high-impact systems to NIST-approved post-quantum cryptography for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. The White House fact sheet says the goal is to protect sensitive data, critical infrastructure, and the broader digital economy.
What the order requires
The order applies to federal agencies as defined in 44 U.S.C. 3502(1). It focuses on high-value assets and high-impact systems, while National Security Systems follow a separate reporting path through the National Security Agency.
Each agency must name a post-quantum cryptography migration lead within 30 days. That person must report to the agency CIO and oversee cryptographic inventory work, migration planning, and coordination with OMB and the National Cyber Director.
Within 90 days, OMB must issue guidance requiring agencies to review their high-value assets and high-impact systems, excluding National Security Systems, and submit plans for the transition. The White House order also directs NIST to run its own PQC migration pilot by the end of 2027.
| Deadline | Requirement | Who is responsible |
|---|---|---|
| Within 30 days | Name a PQC migration lead | Agency heads |
| Within 90 days | OMB guidance for agency inventories and migration plans | OMB, CISA and the National Cyber Director |
| By December 31, 2027 | Complete a NIST pilot migration on selected systems | NIST |
| By December 31, 2030 | Move covered systems to PQC for key establishment | Federal agencies |
| By December 31, 2031 | Move covered systems to PQC for digital signatures | Federal agencies |
Why quantum-safe encryption is now a federal priority
Post-quantum cryptography refers to algorithms designed to resist attacks from both classical computers and future quantum computers. The issue is not that today’s quantum computers can already break modern encryption at scale, but that sensitive data can remain valuable for years.
NIST says quantum computers may be years or decades away from breaking many current cryptographic systems, but organizations should begin using the new standards now. The NIST post-quantum cryptography project released its first three principal PQC standards in 2024.
Those standards include ML-KEM for key establishment, ML-DSA for digital signatures, and SLH-DSA for stateless hash-based digital signatures. These algorithms form the technical base for much of the migration work now expected across federal systems.
- Key establishment protects how systems agree on shared encryption keys.
- Digital signatures protect identity, integrity, software updates and signed records.
- High-value assets often contain sensitive government data or critical mission systems.
- High-impact systems can cause serious harm if confidentiality, integrity or availability fails.
- Cryptographic inventories help agencies find where vulnerable algorithms still exist.
The order turns PQC into a procurement issue
The new policy does more than ask agencies to patch cryptography inside existing systems. It also pushes the federal supply chain toward post-quantum readiness through procurement rules, contractor requirements, and cryptographic module validation changes.
The Federal Acquisition Regulatory Council must propose rules requiring covered contractors to comply with NIST FIPS that include PQC algorithms by December 31, 2030. It must also update vulnerability disclosure program clauses so contractors report cryptographic weaknesses, including missing encryption and use of non-FIPS algorithms.
The White House announcement also says federal agencies should look for cost-saving measures such as cloud migrations, shared procurement of PQC tools, joint training programs, and centralized technical support.
| Area | What changes | Why it matters |
|---|---|---|
| Federal systems | Agencies must migrate covered systems to PQC | Protects sensitive data from future quantum attacks |
| Contractors | New FAR rules must align covered contractors with PQC-enabled FIPS | Pushes quantum-safe requirements into the federal supply chain |
| Validation | NIST must speed up validation of PQC cryptographic modules | Helps vendors and agencies deploy approved cryptography faster |
| Vulnerability disclosure | Contractor VDPs must include cryptographic weaknesses | Makes weak or missing encryption a reportable security issue |
NIST standards sit at the center of the migration
The order directs the federal transition toward NIST-approved Federal Information Processing Standards for PQC. This matters because agencies and contractors need a common technical baseline instead of adopting different quantum-safe algorithms independently.
The NIST PQC program says organizations should begin applying the new standards and that high-risk systems should move earlier than the broader 2035 deprecation timeline for quantum-vulnerable algorithms.
NIST’s National Cybersecurity Center of Excellence is also working with industry on discovery tools, cryptographic inventories, interoperability testing and migration practices. The NCCoE migration project says organizations must understand where quantum-vulnerable public-key algorithms appear in hardware, software and services before they can replace them.
Cryptographic inventories and CBOMs become essential
One of the most practical parts of the order is the push for better cryptographic visibility. Agencies cannot replace vulnerable cryptography until they know where it appears across applications, certificates, hardware devices, protocols, libraries, cloud services and vendor products.
Within 270 days, DHS through CISA, working with NIST, must publish public guidance on the minimum elements for a cryptographic bill of materials. A CBOM is meant to help organizations automatically assess cryptographic assets used by hardware or software.
OMB’s earlier M-23-02 memorandum already told agencies to inventory cryptographic systems and prepare for the transition to quantum-resistant cryptography. The new order gives that work sharper deadlines and links it to procurement, validation and critical infrastructure coordination.
- Identify where RSA, elliptic-curve cryptography and other vulnerable algorithms are used.
- Map cryptography inside applications, APIs, certificates, VPNs and identity systems.
- Prioritize systems that protect long-lived sensitive data.
- Check whether vendors have PQC roadmaps and validated modules.
- Plan for testing because PQC algorithms can affect performance, certificate size and interoperability.
- Use crypto agility so algorithms can change again without major system redesign.
Critical infrastructure and global coordination are included
The order also extends beyond civilian federal agencies. Sector Risk Management Agencies must work with DHS and CISA to help critical infrastructure owners and operators develop their own PQC migration plans.
The Secretary of State must work with NIST, DHS, the National Cyber Director, the Secretary of War and the Director of National Intelligence to engage foreign governments and industry groups in key countries. The goal is to encourage adoption of NIST-standardized PQC algorithms globally.
This global focus matters because encryption does not stop at national borders. Cloud services, software vendors, certificate authorities, identity providers, financial networks and hardware suppliers all need compatible cryptographic standards for the migration to work at scale.
How agencies and vendors should prepare
For agencies, the first step is governance. They need named migration leads, updated system inventories, a risk-based roadmap and budget planning that reflects the long life of cryptographic infrastructure.
For vendors and contractors, the message is also clear. Products sold to the federal government will need stronger cryptographic transparency, PQC support, and vulnerability disclosure processes that treat weak cryptography as a security issue.
The NIST NCCoE project says migration requires discovering where cryptography is used and developing roadmaps to prioritize NIST-standardized PQC algorithms. The older OMB migration memo laid the groundwork, but the 2026 order turns planning into a dated federal mandate.
FAQ
The White House ordered federal agencies to migrate high-value assets and high-impact systems to NIST-approved post-quantum cryptography. Agencies must use PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031.
Post-quantum cryptography is important because future large-scale quantum computers could break many current public-key cryptography systems. The risk includes harvest now, decrypt later attacks, where adversaries steal encrypted data today and decrypt it later.
The order focuses on federal high-value assets and high-impact systems, excluding National Security Systems from the OMB-directed inventory review. National Security Systems follow a separate reporting process led by the NSA.
A cryptographic bill of materials, or CBOM, is an inventory of cryptographic components and assets in hardware or software. It helps organizations identify which algorithms, keys, certificates and protocols need replacement or risk review.
The order directs the FAR Council to propose rules requiring covered contractors to comply with PQC-enabled NIST FIPS by December 31, 2030. It also directs updates to contractor vulnerability disclosure clauses to include cryptographic weaknesses.