PQC (Post-Quantum Cryptography) 07-01-2026

EO 14409: What the federal PQC mandate means for you

Larry Seltzer

Understanding EO 14409

The United States government has now put a timeline on post-quantum cryptography (PQC). Executive Order 14409 establishes deadlines for migrating critical systems to quantum-resistant cryptography. Those deadlines will influence technology vendors, contractors, and private organizations far beyond the federal government. 

If your organization works with the government, supports regulated industries, or relies on modern public key infrastructure (PKI), now is the time to begin planning your migration. The mandate applies directly to federal agencies, but its impact will extend across the broader technology ecosystem. 


What the executive order requires

Executive Order 14409, issued by President Trump on June 22, 2026, requires federal agencies to adopt PQC on an aggressive schedule.

If the U.S. government takes this effort seriously, it follows that the technology industry—and those who interact with the government—will be incentivized, and in some cases required, to make the migration too. That probably means you.

The executive order establishes several milestones, including:

  • By December 31, 2030, agencies must "transition all HVAs [high value assets] and high impact systems to use PQC for key establishment."
  • By December 31, 2031, agencies must "transition all HVAs and high impact systems to use PQC for digital signatures."

The terms "high value assets" and "high impact systems" are defined broadly, meaning every federal agency will have substantial work ahead.

What these requirements mean

The first requirement—using PQC for key establishment—refers to ML-KEM, the quantum-resistant key establishment mechanism standardized by NIST as FIPS 203 nearly two years ago. Many large organizations, including DigiCert, have already implemented ML-KEM on internet-facing systems. 

The second requirement—digital signatures—refers to ML-DSA, standardized as FIPS 204. Adoption isn’t yet widespread, but the technology is mature enough for testing today.  

DigiCert Labs provides code and step-by-step instructions for building your own ML-DSA-enabled PQC test server, making it easier to evaluate post-quantum digital signatures in a representative environment. Other PQC signature algorithms exist, but they primarily serve specialized use cases.

The first milestones arrive quickly

We’ll have an early indication of how seriously the federal government intends to pursue this effort:

  • By July 22, 2026, thirty days after the order was issued, every agency must designate a leader for its PQC migration program. This mirrors the approach DigiCert took for its own PQC migration.
  • By September 20, 2026, the Office of Management and Budget (OMB) must provide guidance on inventorying assets and meeting the 2030 and 2031 deadlines.

The overall schedule aligns closely with what much of the industry, including DigiCert, has already recommended. It’s ambitious but achievable. Private organizations should also establish aggressive yet realistic migration plans.

Where organizations should begin

The migration begins not with PQC algorithms but with the infrastructure that supports them.

The new PQC algorithms require TLS 1.3. If portions of your environment haven’t yet migrated, there’s likely a reason, such as network security products that depend on TLS inspection. The PQC transition provides a compelling reason to complete this long-overdue upgrade.

Begin testing in an isolated environment that accurately represents production systems. Don’t expect every implementation to succeed immediately—this is a learning process for the entire industry. That same lab environment can also help accelerate your TLS 1.3 migration.

After establishing a test environment, implement ML-KEM, then move it into production as soon as practical. ML-KEM protects against "harvest now, decrypt later" attacks by securing today's encrypted traffic against future quantum decryption. Because ML-KEM has already seen broad deployment, organizations aren't venturing into untested territory.
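One way to verify the two prerequisites above in a lab, as an added example that is not DigiCert's code: it parses a captured TLS ServerHello and reports whether the server negotiated TLS 1.3 and selected an ML-KEM key-share group. The group code points come from the IANA TLS Supported Groups registry and include the hybrid groups that pair ML-KEM with a classical curve; the function names are hypothetical and the sample messages are constructed, not real captures.

```python
import struct

# IANA TLS "Supported Groups" code points that use ML-KEM (pure and hybrid).
PQC_GROUPS = {0x0200: "MLKEM512", 0x0201: "MLKEM768", 0x0202: "MLKEM1024",
              0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
              0x11ED: "SecP384r1MLKEM1024"}
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 43, 51

def classify_server_hello(msg: bytes) -> dict:
    """Parse one ServerHello handshake message and report PQC readiness."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                       # legacy_version + random
    pos += 1 + body[pos]               # legacy_session_id_echo
    pos += 2 + 1                       # cipher_suite + compression_method
    version, group = int.from_bytes(body[0:2], "big"), None
    if pos < len(body):                # extensions are optional before TLS 1.3
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                version = int.from_bytes(data, "big")   # real negotiated version
            elif ext_type == EXT_KEY_SHARE and ext_len >= 2:
                group = int.from_bytes(data[:2], "big") # server-selected group
            pos += 4 + ext_len
    return {"tls13": version == 0x0304, "group": group,
            "pqc_key_establishment": version == 0x0304 and group in PQC_GROUPS}

def build_sample_hello(tls13: bool, group=None, share_len=0) -> bytes:
    """Constructed test input: a minimal ServerHello, not a real capture."""
    exts = b""
    if tls13:
        exts += struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
    if group is not None:
        share = struct.pack("!HH", group, share_len) + bytes(share_len)
        exts += struct.pack("!HH", EXT_KEY_SHARE, len(share)) + share
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

A server that reports `tls13` true but `pqc_key_establishment` false has finished the TLS 1.3 upgrade and still needs ML-KEM enabled; one that reports both false has to complete the TLS 1.3 migration first.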

The impact extends beyond government

Government technology mandates have a history of becoming broader market expectations.

Vendors that serve federal agencies will prioritize PQC support. Government organizations will increasingly expect their suppliers and partners to do the same.

Early deployments suggest this transition is well underway. In our own testing, many federal websites already demonstrated strong network security, including TLS 1.3 support. The U.S. Embassy in Beijing also supports ML-KEM, which shows that federal agencies already know how to deploy it. Not every site has reached that level of readiness, however, underscoring the scale of the migration ahead.

Financial services are moving aggressively as well. As one of the world's most highly regulated sectors, many financial institutions recognize the importance of early PQC adoption. We continue to work closely with organizations in that sector as they prepare for migration.

Just as federal mandates influence the broader market, financial institutions will increasingly expect their business partners to support post-quantum cryptography. The day when most organizations will need PQC capabilities is approaching. This executive order moves that timeline closer.

Getting started

The first step toward quantum readiness is understanding where PQC can be deployed in your environment and where gaps still remain.

Begin by inventorying cryptographic assets, planning your TLS 1.3 migration, and testing ML-KEM in representative environments. Early preparation will make the eventual transition significantly easier.

Create your free Quantum Central account today to evaluate your PQC readiness, explore post-quantum capabilities, and plan your migration more confidently.
