New EO puts a clock on quantum-safe encryption

Gettyimages.com/ blackdovfx
EO 14412 sets hard deadlines for agencies and contractors to migrate away from crypto that quantum computers can one day break, writes Gina Scinta of Thales Trusted Cyber Technologies.
On June 22, the White House issued Executive Order 14412 (EO 14412), Securing the Nation Against Advanced Cryptographic Attacks. The order calls for an accelerated national shift to quantum-resistant protections across federal agencies, contractors, and critical infrastructure. Some of the requirements of this order are due by late July, so agencies should start now to avoid falling behind.
This order is essentially a government-wide call to arms for the greatest cryptographic migration in crypto history, and rightly so.
As explained in Section 1 of EO 14412,bad actors with large-scale quantum computers will pose a significant threat to widely-used cryptographic security systems. There is a real risk of our adversaries collecting vital information now and decrypting it later, once large-scale quantum computers are operational.
The data being harvested now is highly sensitive and long-lived data, including classified information, personally identifiable information (PII), medical records, trade secrets and more.
It’s clear that large-scale quantum computers pose a genuine threat to cryptography as we know it today. When cryptographically relevant quantum computers (QRQC) become available, it will break public key infrastructure (PKI).
EO 14412 is call to action for federal agencies to start planning the transition of federal information systems to quantum safe NIST FIPS-approved algorithms for post-quantum ryptography (PQC).
Specific new PQC adoption policies
Unlike previous guidance-based policies, EO 14412 contains enforceable requirements. It underscores the urgency of adopting post-quantum cryptography (PQC) and expands the scope to nearly all federal systems.
In particular, the order addresses “harvest now, decrypt later” threats and accelerates key-establishment and digital signature migration timelines. It also establishes new compliance obligations for federal contractors.
It’s not an overstatement to say that implementing PQC will ensure that we all will be able to maintain our way of life in the internet age. A big part of this transition is ensuring that the PQC solutions are crypto agile to enable a smooth transition now and into the future.
Key Obligations for Federal Agencies
EO 14412 expands the scope of previous PQC policy significantly. Earlier guidance applied to narrower groups, including the intelligence community and national security systems. This order covers all federal agencies. It mandates a dedicated PQC migration lead, sets firm deadlines, and extends compliance obligations to federal contractors.
The key deadlines are:
- Appoint a PQC migrationlLead: Late July 2026
- Complete NIST-led pilot migration: Dec. 31, 2027
- Transition key-establishment protocols to PQC: Dec. 31, 2030
- Transition digital signatures to PQC: Dec. 31, 2031
- Federal contractor PQC readiness: End of 2030
EO 14412 compliance starts with risk assessment, inventory, and testing
With all this in mind, how do agencies make sure they are meeting the requirements of the executive order? Here are some important steps in the right direction.
Conduct a PQC risk assessment. You need to know what your “high value assets” and high impact systems are as described in the EO.
Create a crypto inventory. You can’t migrate your crypto to the new PQC algorithms if you don’t know where you are using them today. There are several good crypto discovery tools on the market today that can help you automate this process. Keep in mind that crypto discovery will be an ongoing activity because new crypto is constantly to be created.
Set up a test environment for your PQC migration. You don’t want to interrupt ongoing activities during the migration process.
Practice good crypto hygiene with your encryption and key management systems. Prioritize your high value assets (HVAs) and High Impact Systems for testing as mentioned in the EO and then transition to quantum-safe algorithms.
Keep in mind that you need to remain flexible by ensuring that the solutions you are using are crypto agile. Although NIST standardized three PQC algorithms in 2024, two more algorithms are being finalized, and another nine for digital signatures are being evaluated.
What to look for in PQC solutions
Federal agencies should look for several core capabilities when evaluating vendor solutions to make the migration process easier:
Make sure solutions are quantum-resistant and future-ready. They must support standardized quantum-resistant algorithms while enabling crypto agility with field upgradable technology.
Solutions should support quantum-enhanced key generation with an embedded QRNG chip, to deliver high-quality, quantum-based entropy. Hardware security modules in particular should be FIPS 140-compliant and should be able to generate quantum-enhanced keys.
Hardware should be hardened and tamper-resistant. This ensures the security of cryptographic keys for sensitive data and critical applications.
Solutions should be purpose-built to support government requirements. That means security from the core to the cloud to the edge, for both data at rest and in motion.
Identity Access Management solutions should use smart cards and tokens. This applies to uses including Common Access Card (CAC), Personal Identity Verification (PIV), High Assurance and Fast Identity Online (FIDO) for phishing-resistant multi-factor authorization.
EO 14412 is the most significant cryptographic policy directive issued in decades. It recognizes that protecting federal systems against quantum-era threats requires action now, before those threats are fully realized. The agencies and contractors that begin this migration in earnest today will be far better positioned when the deadlines arrive.
Gina Scinta is the deputy CTO of Thales Trusted Cyber Technologies.