What happened
President Donald Trump signed an executive order aimed at strengthening data protection ahead of the arrival of practical quantum computing.
The order focuses on the threat known as “harvest now, decrypt later,” where attackers steal encrypted data today with the intention of decrypting it later once quantum computers become capable of breaking current cryptographic protections.
The executive order directs the Office of Management and Budget, the National Institute of Standards and Technology, the National Security Agency, the Department of Homeland Security, and CISA to work together on technical guidance for federal agencies adopting post-quantum cryptography.
Federal agencies must inventory high-value assets and high-impact systems and transition them to post-quantum cryptography for key establishment by December 31, 2030. Agencies must also transition digital signatures to post-quantum cryptography by December 31, 2031.
The order requires agencies to designate a post-quantum cryptography migration lead. The Department of Commerce will also run a pilot project through the end of 2027 to demonstrate a successful migration model for other agencies.
The State Department has been tasked with encouraging and assisting critical infrastructure operators and foreign governments in their post-quantum transition. The Pentagon, NASA, and the General Services Administration have also been directed to identify cost-saving opportunities.
Federal contractors will be required to comply with NIST post-quantum cryptography standards by the end of 2030.
Who is affected
Federal agencies are directly affected because they must inventory high-value assets and high-impact systems and migrate them to post-quantum cryptography within the deadlines set by the executive order.
Federal contractors are also affected because they will be required to comply with NIST post-quantum cryptography standards by the end of 2030.
Critical infrastructure operators and foreign governments may also be affected because the State Department has been directed to encourage and assist their post-quantum cryptography transition.
Organizations that store long-lived sensitive data should pay attention, especially if the data could remain valuable after quantum-capable decryption becomes practical.
Why CISOs should care
This executive order turns post-quantum cryptography from a long-term research concern into a dated compliance and migration requirement for federal agencies and contractors.
The 2030 deadline for key establishment and the 2031 deadline for digital signatures give organizations a clear timeline, but migration will require more than swapping algorithms. Agencies and contractors need cryptographic inventories, asset prioritization, vendor coordination, testing, procurement planning, and application updates.
For CISOs, the “harvest now, decrypt later” threat is the central risk. Data stolen today may still be valuable years from now, especially government records, defense information, health data, intellectual property, financial records, and critical infrastructure information.
The contractor requirement also broadens the impact beyond federal systems. Any organization doing business with the U.S. government may need to assess whether its cryptographic systems, products, and services can meet NIST post-quantum standards on the required timeline.
3 practical actions
- Start a cryptographic inventory now: Agencies and contractors will need to know where cryptography is used before they can migrate. CISOs should inventory certificates, key exchange mechanisms, encryption libraries, digital signature systems, VPNs, APIs, cloud services, identity platforms, and products that protect long-lived sensitive data.
- Prioritize high-value and high-impact systems: The order focuses on federal high-value assets and high-impact systems. Security teams should classify systems based on data sensitivity, mission importance, exposure, and the lifespan of protected information so migration work starts with the highest-risk environments.
- Engage vendors on post-quantum readiness: Federal contractors must comply with NIST post-quantum cryptography standards by the end of 2030. CISOs should ask software, hardware, cloud, identity, PKI, VPN, and security vendors for post-quantum roadmaps, supported algorithms, upgrade paths, and expected migration timelines.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

