What happened
The U.S. government has significantly accelerated its push toward post-quantum cryptography (PQC) after President Donald Trump signed two executive orders focused on quantum technology and cybersecurity.
One order aims to strengthen U.S. leadership in quantum computing research, workforce development, and domestic innovation. The second focuses on protecting government systems against future quantum-enabled cyberattacks by accelerating the adoption of post-quantum cryptography.
Federal agencies must appoint PQC migration leads, transition key establishment and encryption for high-value systems by the end of 2030, and complete migration for digital signatures by the end of 2031. The orders also direct the National Institute of Standards and Technology (NIST) to expand guidance, launch a PQC pilot program, and help critical infrastructure prepare for the transition.
The timeline is much faster than many organizations expected. While quantum threats were once viewed as a long-term concern, security leaders are increasingly preparing for “harvest now, decrypt later” attacks, where adversaries steal encrypted data today in anticipation of future quantum capabilities.
Who is affected
The immediate impact falls on U.S. federal agencies and federal contractors that must comply with NIST’s post-quantum standards by the end of 2030. Critical infrastructure operators are also expected to begin preparing for quantum-resistant security.
Experts say the transition will be both expensive and operationally complex. Jonathan Nguyen-Duy, CTO of Arqit, noted that cryptography is embedded throughout applications, cloud environments, software libraries, networks, connected devices, and third-party systems, making migration far more than a simple algorithm replacement.
Garfield Jones, SVP of Research and Strategy at QuSecure, warned that many organizations are still identifying where cryptography exists across their IT and OT environments, creating additional implementation challenges. The U.S. Office of the National Cyber Director previously estimated a government-wide PQC migration cost of approximately $7.1 billion over a ten-year period, although experts believe the accelerated timeline could increase costs.
Why CISOs should care
For CISOs, quantum readiness is quickly shifting from a future planning exercise to an active modernization program. Organizations with long-lived sensitive data face growing risks if attackers capture encrypted information today with plans to decrypt it once quantum computing matures.
Security leaders will also need to coordinate across security, infrastructure, application, and operational technology teams while managing vendor compatibility, asset visibility, and board-level expectations. As Celia Merzbacher, Executive Director of the Quantum Economic Development Consortium, emphasized, organizations that have not started planning should begin immediately.
3 practical actions
- Inventory cryptographic assets across IT, cloud, and OT environments to identify systems using vulnerable encryption.
- Develop a phased PQC migration roadmap aligned with NIST guidance, prioritizing high-value systems and sensitive data.
- Brief executive leadership and boards on quantum risk, funding needs, and long-term migration timelines to ensure sustained organizational support.
