Trump Executive Order Sets 2030 Deadline for Federal Post-Quantum Crypto Migration

President Donald Trump signed Executive Order 14409 on June 22, 2026, imposing hard deadlines for U.S. federal agencies to migrate high-value assets and high-impact systems to post-quantum cryptography (PQC). Key establishment must be completed by December 31, 2030, and digital signatures by December 31, 2031, with national security systems on a separate track.

The order directly responds to the harvest-now-decrypt-later threat, where adversaries collect encrypted data today and stockpile it for future decryption once a large-scale quantum computer is built. This moves the government's prior PQC timeline, set in 2022 by National Security Memorandum 10, forward by four to five years from its 2035 target.

Near-term deadlines and agency requirements

Agencies face immediate actions. Within 30 days, each agency head must name a PQC migration lead reporting to the agency CIO, responsible for cryptographic inventory and migration planning. Within 90 days, the Office of Management and Budget (OMB) must issue guidance requiring agencies to review high-value assets and high-impact systems, plan migration, and submit plans.

Key milestones and entities affected:

• The National Institute of Standards and Technology (NIST) must run a pilot migration on a subset of its own systems by December 31, 2027.
• The Federal Acquisition Regulatory Council has 180 days to propose a rule requiring covered contractors to meet NIST's PQC standards by December 31, 2030.
• A second proposed rule due in 270 days would fold cryptographic flaws into contractor vulnerability disclosure programs, including tests for missing encryption and non-FIPS algorithms.
• Within 270 days, CISA and NIST must publish minimum elements for a cryptographic bill of materials, a machine-readable list of cryptographic assets in hardware and software.

Implications for critical infrastructure and contractors

The order directs Sector Risk Management Agencies and CISA to help critical infrastructure operators build migration plans, though this assistance is not a mandate. For federal contractors, the FAR clause will likely turn the 2030 deadline into a procurement requirement, forcing vendors to certify PQC compliance or face exclusion from government contracts.

The companion order signed the same day, Ushering in the Next Frontier of Quantum Innovation, pushes development of quantum computers, with a goal of building a machine by 2028. Together, the two orders create a coordinated push: accelerate the PQC migration while funding the technology that makes it urgent. The gating task for most agencies and contractors remains the cryptographic inventory, knowing which systems use which algorithms before they can sequence swaps. OMB's 90-day guidance and the FAR rules will determine whether the deadlines become real procurement pressure or slip once the hard work starts.