Thursday, June 25, 2026
theadvisertimes.com

Use EO 14409 As A Canary For Enterprise PQC Migration And Procurement

by theadvisertimes.com
10 hours ago
in Market Analysis


On June 22, 2026, the White House issued Executive Order 14409, “Securing the Nation Against Advanced Cryptographic Attacks.” Its direct implications are for federal agencies, but several parts matter to enterprise security and risk leaders. Here’s what’s worth your attention, whether or not you hold a federal contract.

You Now Have A Clear Operating Assumption With An Accelerated Timeline

The order opens with “harvest now, decrypt later” as its rationale: adversaries collecting encrypted sensitive data today to decrypt it once large-scale quantum computers exist. It commits the US government to migrating to NIST’s PQC standards by the end of 2030 for key establishment and by the end of 2031 for digital signatures, for high-value assets and high-impact systems. This is a notable departure from the previous target of 2035 across Federal systems overall.

What this means: The “should we start now” debate is settled for any organization sitting on data with a long confidentiality shelf life, and the order adds urgency to that risk. Data exfiltrated today is exposed the day a cryptographically relevant quantum computer arrives (Q-Day!), and you don’t control when that is. Determine the shelf life of your sensitive data. What holds longer-term value is specific to your organization and can range from source code, health and biometric records, and authentication credentials to trade secrets. Identify where long-lived sensitive data intersects with vulnerable public-key cryptography, external exposure, and third-party dependencies.

The FAR Rule Has Takeaways For Non-Contractors Too

Section 6 directs the Federal Acquisition Regulatory (FAR) Council to publish a proposed rule to amend the FAR, within 180 days, requiring covered contractors to comply by December 31, 2030, with NIST’s FIPS, including the PQC-compliant algorithms. This deadline is not unique: other governments internationally have mandated similar timelines for PQC migration.

What this means: Even if you do not sell to the federal government, you should treat 2030 (for key establishment) and 2031 (for digital signatures) as the de facto benchmark for your own security program. Named deadlines for PQC migration from governments will influence regulatory and sector-specific deadlines, as well as third-party partner requirements and technology vendor roadmaps. If you sell to the federal government, PQC becomes a contract term with a date attached. The proposed rule — not the final rule — is the thing to watch, because that’s where scope and definitions get set. File your comments while they still count.

Cryptographic Bills of Materials (CBOMs) Will Be SBOM’s Sequel

Section 5 directs CISA and NIST to publish, within 270 days, the minimum elements for a cryptographic bill of materials (CBOM), a structure designed to let you automatically assess the cryptographic assets inside a piece of hardware or software. This starts us down the path to a new vendor risk management and procurement requirement.

What this means: You can’t migrate what you can’t see, and most enterprises have no current inventory of where and how cryptography is used across their environment. The CBOM will help. Even more important to note: after the 2021 cybersecurity EO, the SBOM went from being a niche artifact to a procurement expectation. If you sell hardware or software, stay tuned for the published elements so that a CBOM is something you can produce for buyers. Today, we see open source solutions like CBOMkit from IBM Research leading CBOM creation. Your own third-party risk management processes must include revising SLAs and procurement agreements to ask vendors to disclose their own products’ CBOMs. CBOMs for legacy hardware will likely be unobtainable, and those systems will require either a waiver, a hardware replacement, or a firmware upgrade.

Your Vulnerability Disclosure Now Covers Weak Cryptography

Section 6 also directs the FAR Council to propose, within 270 days, rules requiring covered contractors’ vulnerability disclosure programs to capture cryptographic vulnerabilities — explicitly including testing for the absence of encryption and the use of non-FIPS-approved algorithms.

What this means: “We didn’t encrypt that” and “we used a non-approved algorithm” move from being audit findings to being reportable vulnerability classes. Cryptographic hygiene is now a continuous vulnerability-management best practice rather than a periodic compliance check. If you run a VDP or a bug bounty, your scope, intake, and triage logic need to account for cryptographic findings and your remediation SLAs need a place to put them. This raises the bar for your security vendors in this area as well; begin to assess this as a part of your procurement due diligence going forward. These disclosures will likely extend to areas including IAM, CIAM, tokenization, data protection, unified messaging, and other domains.

Critical Infrastructure Gets a Partner, Not a Mandate — Yet

Section 5 directs every federal agency that serves as a Sector Risk Management Agency to work through CISA to help critical infrastructure owners and operators build their PQC migration plans.

What this means: If you are a security leader for a utility, hospital system, bank, pipeline, wastewater system, or any other critical infrastructure operator, take note. Your sector agency and CISA are now tasked with assisting you in developing your PQC migration plans. Watch to see if any assistance in the form of “voluntary” sector guidance comes through, which may eventually turn into a baseline that regulators and insurers later expect. Engage early so you have greater input into shaping your migration plan. Start with identifying and prioritizing critical and high-consequence functions: remote access into OT environments, identity and certificate infrastructure, encrypted data flows between operators and third parties, firmware and software signing, backup and recovery systems, and communications tied to incident response or safety operations.

Assemble Your Team For PQC Migration

The federal government is treating PQC as an execution program, not a standards update. Enterprises should do the same. The hardest parts will be ownership, sequencing, validation, and dependency management. Cryptographic discovery and inventory will be uncomfortable for many organizations because cryptography is often embedded in products, protocols, libraries, APIs, certificates, HSMs, identity systems, and vendor-managed services that security teams do not fully own. Including more PQC questions in RFPs and contract renewals, third-party risk reviews, cyber insurance discussions, and board-level risk conversations also requires coordination with other internal stakeholders.

 

Ensure that stakeholders recognize that timelines can change. We’ve seen deadlines become progressively more aggressive in the last 18 months, and teams must be prepared for that trend to continue. Forrester clients can check out the full initiative blueprint to help drive their quantum security migration, or schedule a guidance session or inquiry with us.


