The Government Has Until 2030 to Swap Out Encryption a Quantum Computer Could Break

President Trump signed an executive order on June 22 that gives federal agencies until the end of 2030 to move their most sensitive systems off encryption a future quantum computer could break, and until the end of 2031 to do the same for digital signatures. The order, titled "Securing the Nation Against Advanced Cryptographic Attacks," moves the government's deadline up by about five years from the target the previous government-wide policy had set.

The threat the order describes is not a machine that exists now. It is one that might exist later, and the data being collected against that day.

Ongoing cyber activity against our Nation also presents the risk of adversaries collecting United States information now, and decrypting it later once large-scale quantum computers are operational.

That risk has a name in the field: harvest now, decrypt later. An adversary copies encrypted traffic today, stores it, and waits for a quantum computer powerful enough to unlock it. Anything with a long secrecy life, diplomatic cables, weapons designs, personal records, is exposed by that logic even if no quantum computer breaks it this decade.

What the order requires

The order sets a sequence of deadlines, most of them measured from June 22.

• Within 30 days, each agency head names a "PQC migration lead" who reports to the agency's chief information officer and owns the cryptographic inventory and migration plan.
• Within 90 days, the Office of Management and Budget issues guidance requiring agencies to review their inventories of high value assets and high impact systems and submit migration plans.
• By December 31, 2030, agencies must move those systems to post-quantum cryptography for key establishment, the step that sets up an encrypted connection.
• By December 31, 2031, agencies must move them to post-quantum digital signatures, which verify that data and software are authentic.
• By December 31, 2027, the National Institute of Standards and Technology must complete a pilot migration on a subset of its own systems.

National security systems run on a separate track under the order and are not covered by the 2030 and 2031 dates for civilian high value assets.

Why the dates line up

The two deadlines match standards NIST finalized in August 2024. Key establishment uses FIPS 203, the algorithm known as ML-KEM and formerly called CRYSTALS-Kyber. Digital signatures use FIPS 204 and FIPS 205, known as ML-DSA and SLH-DSA. The algorithms have been published and ready for almost two years. The order is what attaches a schedule to them.

It also speeds up the clock. The prior government-wide target, set by National Security Memorandum 10 in 2022, ran to 2035, according to reporting by The Hacker News. The new order pulls that forward to 2030 and 2031 for the systems it covers.

The order reaches private contractors

The directive does not stop at federal networks. It tells the Federal Acquisition Regulatory Council to propose a rule within 180 days that would require "covered contractors" to meet NIST's standards, including the post-quantum algorithms, by December 31, 2030. A second proposed rule, due within 270 days, would fold cryptographic flaws into contractor vulnerability disclosure programs, including tests for missing encryption and for algorithms NIST has not approved.

Within 270 days, CISA and NIST are directed to publish the minimum elements for a "cryptographic bill of materials," a machine-readable list of the cryptographic pieces inside a given piece of hardware or software. The premise is that an agency cannot replace weak algorithms on a deadline if it does not know where they are running.

For agencies that serve as Sector Risk Management Agencies, the order directs work with CISA to help critical infrastructure operators build their own migration plans. That portion is framed as assistance, not a mandate.

What is not settled yet

The order sets dates. It leaves the enforcement details to documents that have not been written. OMB's 90-day guidance and the FAR Council's proposed rules will determine whether the 2030 and 2031 deadlines become real procurement pressure or another federal migration target. The White House fact sheet describes the order as a step to "safeguard America's most sensitive data, our critical infrastructure, and the digital economy." Cloudflare, whose engineers work on the underlying protocols, called the order an "important milestone" in a company blog post and wrote that the work now shifts to implementation.

The fact sheet also tied the order to a companion action the administration signed the same day on quantum research and development, part of a pair of orders the White House cast as both defending against quantum attacks and building quantum capability.