This Presidential Action mandates that the United States government must transition its information systems to Post-Quantum Cryptography (PQC) standards developed by the National Institute of Standards and Technology (NIST) to defend against future threats posed by advanced quantum computers capable of breaking current encryption.
The order outlines a comprehensive strategy led by the Director of OMB and the National Cyber Director, requiring federal agencies to inventory High Value Assets (HVAs) and high impact systems, complete the transition to PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031.
It also directs efforts to assist critical infrastructure owners, engage foreign governments, and revise federal procurement regulations (FAR) to ensure federal contractors comply with the new cryptographic standards.
Arguments For
Mitigates a significant national security vulnerability posed by the potential decryption of sensitive data collected now by adversaries who may possess future quantum computing capabilities.
Establishes a clear, Federally-mandated timeline (deadlines in 2030 and 2031) for critical asset migration to NIST-approved Post-Quantum Cryptography (PQC) standards, ensuring technological readiness.
Promotes technological leadership by directing NIST to standardize and guide the implementation of PQC across government and encouraging its adoption by critical infrastructure and foreign counterparts.
Improves cybersecurity posture across the executive branch by requiring comprehensive cryptographic inventories and mandates for federal contractors (via FAR amendments) to adhere to new security standards.
Arguments Against
Implementation presents significant logistical and administrative burden on agencies, requiring detailed inventory reviews and the management of two concurrent cryptographic standards (legacy and PQC) during the transition period.
The mandated transition deadlines, particularly for digital signatures (2031), may prove overly ambitious given the complexity of updating legacy high-value assets and securing appropriate appropriations for necessary upgrades.
Imposing new cryptographic requirements on private sector contractors through the Federal Acquisition Regulation (FAR) increases compliance costs, which may be passed on to the government or ultimately consumers.
The exclusion of National Security Systems from the initial mandatory OMB deadlines shifts a significant portion of the highest-level migration oversight to the NSA mechanisms, potentially leading to fragmented or less transparent implementation schedules for those specific systems.
Presidential Actions
By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered:
Section 1. Background and Policy. The advent of large-scale quantum computers, particularly in the hands of adversaries, will pose a significant threat to widely used cryptographic security systems. Ongoing cyber activity against our Nation also presents the risk of adversaries collecting United States information now, and decrypting it later once large-scale quantum computers are operational. In light of these threats, the United States must take steps to strengthen cryptographic protections for the Nation’s sensitive data, critical infrastructure, and digital economy.
It is the policy of the United States to safeguard national security and maintain technological leadership by responsibly and effectively executing the transition of Federal information systems to National Institute of Standards and Technology (NIST)-approved Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography (PQC), and to assist critical infrastructure owners and operators with their transitions.
Sec. 2. Definitions. For purposes of this order:
(a) the term “agency” has the same meaning as it has in 44 U.S.C. 3502(1);
(b) the term “critical infrastructure” has the same meaning as it has in section 1016(e) of the USA Patriot Act of 2001 (42 U.S.C. 5195c(e));
(c) the term “high impact system” means an information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of “high”;
(d) the term “high value asset” or “HVA” means Federal information or a Federal information system designated as a high value asset under Office of Management and Budget (OMB) Memorandum M-19-03, “Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program,” or any successor document;
(e) the term “information systems” has the same meaning as it has in 6 U.S.C. 650(14);
(f) the term “National Security Systems” has the same meaning as it has in 44 U.S.C. 3552(b)(6);
(g) the term “post-quantum cryptography” or “PQC” means those cryptographic algorithms or methods that are designed to be resistant to attack by both a quantum computer and a classical computer;
(h) the term “PQC migration lead” means the agency employee or detailee who reports to the agency’s chief information officer and is responsible for overseeing agency-wide cryptographic inventory management, developing a prioritized PQC migration plan, and coordinating cross-agency efforts in PQC;
(i) the term “Cryptographic Module Validation Program” has the same meaning as it has in FIPS 140-3, “Security Requirements for Cryptographic Modules,” or any successor policy;
(j) the term “digital signature” has the same meaning as it has in FIPS 186-5, “Digital Signature Standard (DSS),” or any successor policy; and
(k) the term “key establishment” has the same meaning as it has in FIPS 203, “Module-Lattice-Based Key-Encapsulation Mechanism Standard,” or any successor policy.
Sec. 3. Coordinating the PQC Transition. (a) The Director of OMB and the National Cyber Director, in consultation with the Assistant to the President for National Security Affairs and the Administrator of the Office of Electronic Government, OMB, shall lead the strategic coordination and oversight of the national PQC migration policy and strategy set forth in this order, ensuring its alignment with broader cybersecurity goals.
(b) The Secretary of Commerce, through the Director of NIST, and in consultation with the Director of the National Security Agency (NSA) and the Secretary of Homeland Security, through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), shall provide agencies on an ongoing basis with comprehensive technical guidance on PQC implementation, including best practices in implementation and risk management strategies.
Sec. 4. Accelerating the PQC Transition. (a) Within 30 days of the date of this order, each agency head shall identify its PQC migration lead and provide the name and contact details of the PQC migration lead to the Director of OMB and the National Cyber Director.
(b) Within 90 days of the date of this order, the Director of OMB shall, in consultation with the Secretary of Homeland Security through the Director of CISA and the National Cyber Director, and consistent with 6 U.S.C. 1526(c), issue guidance requiring each agency to:
(i) review their inventory of HVAs and high impact systems, excluding National Security Systems;
(ii) transition all HVAs and high impact systems to use PQC for key establishment by December 31, 2030;
(iii) transition all HVAs and high impact systems to use PQC for digital signatures by December 31, 2031; and
(iv) develop and submit to the Director of OMB and the National Cyber Director a plan to accomplish this directive.
(c) Within 180 days of the date of this order, the Secretary of Commerce, through the Director of NIST, shall initiate a pilot project for PQC migration on an appropriate subset of information systems owned or operated by NIST, to be completed no later than December 31, 2027.
Sec. 5. Leading the PQC Transition. (a) All agencies that serve as Sector Risk Management Agencies, as defined by the National Security Memorandum 22 of April 30, 2024 (Critical Infrastructure Security and Resilience) or its successor, shall work with the Department of Homeland Security through the Director of CISA to assist critical infrastructure owners and operators in developing their PQC migration plans.
(b) The Secretary of State shall work with the Director of NIST, the Secretary of Homeland Security, the National Cyber Director, the Secretary of War, and the Director of National Intelligence (DNI) to identify and engage foreign governments and industry groups in key countries to encourage their transition to PQC algorithms standardized by NIST.
(c) Within 180 days of the date of this order and annually thereafter until PQC migration is complete, the Director of the NSA, in his capacity as the National Manager for National Security Systems, shall submit a report to the President, through the Committee on National Security Systems, on the status of PQC migration for agencies that own or operate National Security Systems.
(d) Within 270 days of the date of this order, the Secretary of Homeland Security, through the Director of CISA, and in coordination with the Director of NIST, shall release public guidance describing the agencies’ considered view as to the minimum elements for a cryptographic bill of materials. These elements shall enable the automated assessment of the cryptographic assets utilized by a hardware or software element.
Sec. 6. Procurement. (a) The Director of OMB, the Secretary of War, the Administrator of National Aeronautics and Space Administration, and the Administrator of General Services, in consultation with the Secretary of Homeland Security, the DNI, and the Director of NIST, shall coordinate efforts to identify cost-saving opportunities in implementing the national PQC migration policy and strategy, such as migration of cloud-based technologies, shared procurement of PQC tools, joint training programs, and centralized technical support.
(b) Within 180 days of the date of this order, the Secretary of Commerce, through the Director of NIST, shall, to the extent appropriate and consistent with applicable law, revise the processes used by the Cryptographic Module Validation Program to accelerate validations of cryptographic modules.
(c) Within 180 days of the date of this order, the Federal Acquisition Regulatory Council (FAR Council), in consultation with the Secretary of Homeland Security through the Director of CISA and the Director of NIST, shall publish a proposed rule amending the Federal Acquisition Regulation (FAR) to require covered contractors to comply by December 31, 2030, with NIST’s FIPS, including all applicable FIPS incorporating PQC compliant algorithms.
(d) Within 270 days of the date of this order, the FAR Council, in consultation with the Secretary of Homeland Security through the Director of CISA and the Director of NIST, shall publish a proposed rule amending the FAR requirements and contract clauses for contractor vulnerability disclosure programs to ensure that covered contractors implement vulnerability disclosure policies (VDPs), consistent with NIST guidelines, and that VDPs incorporate reports of cryptographic vulnerabilities, including testing for lack of encryption and the use of non-FIPS approved algorithms.
Sec. 7. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department or agency, or the head thereof; or
(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.
(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.
(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
(d) The costs for publication of this order shall be borne by the Department of Commerce.
DONALD J. TRUMP
THE WHITE HOUSE,
June 22, 2026.
The post Securing the Nation Against Advanced Cryptographic Attacks appeared first on The White House.
The document begins by using the standard legal preamble to assert the President's constitutional and statutory authority to issue the order.
The preliminary navigation elements indicate this is housed within the 'Presidential Actions' section of the White House website, relating to official executive directives.
Section 1 establishes the background and stated policy.
The President identifies the threat posed by the development of large-scale quantum computers capable of breaking current cryptographic security systems.
The central policy directive is to secure national security and technological leadership by transitioning all Federal information systems to Post-Quantum Cryptography (PQC) standards approved by the National Institute of Standards and Technology (NIST), and to aid critical infrastructure entities in making similar transitions.
Section 2 provides definitions for key terms used throughout the order.
This clarifies the scope, defining 'agency,' 'critical infrastructure,' 'high impact system,' 'High Value Asset (HVA),' 'information systems,' 'National Security Systems,' and specific cryptographic terms like 'post-quantum cryptography (PQC),' 'PQC migration lead,' and standards related to cryptographic modules, digital signatures, and key establishment.
Section 3 outlines the coordination structure for implementing the PQC transition strategy.
The Director of the Office of Management and Budget (OMB) and the National Cyber Director are tasked with the overall strategic oversight and coordination, consulting with the National Security Advisor.
The Secretary of Commerce (via NIST), in coordination with the Director of the National Security Agency (NSA) and the Secretary of Homeland Security (via CISA), must provide agencies with ongoing technical guidance and risk management best practices for PQC implementation.
Section 4 focuses on accelerating the transition process within agencies.
Agency heads must designate a PQC migration lead within 30 days.
Within 90 days, OMB must issue guidance requiring agencies to review their inventories of HVAs and high impact systems (excluding National Security Systems) and set deadlines: PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031.
Agencies must submit migration plans accordingly.
Furthermore, NIST must start a PQC migration pilot project on its own systems, completing it by December 31, 2027.
Section 5 covers leadership responsibilities extending beyond direct federal systems.
Sector Risk Management Agencies must work with CISA to help critical infrastructure owners develop their PQC migration plans.
The Secretary of State must engage foreign governments and industry to promote adoption of NIST-standardized PQC algorithms.
The NSA Director, acting as the National Manager for National Security Systems, must report annually on the PQC migration progress for those excluded systems.
Additionally, DHS/CISA, in coordination with NIST, must release public guidance defining the minimum elements necessary for a 'cryptographic bill of materials' within 270 days to allow automated assessment of cryptographic assets.
Section 6 focuses on procurement and contracting mechanisms.
OMB, the Secretary of War, NASA, and GSA must coordinate cost-saving measures for the national PQC transition, such as shared procurement.
NIST must revise the Cryptographic Module Validation Program processes to accelerate validations within 180 days.
Crucially, the Federal Acquisition Regulatory Council (FAR Council) must propose amendments to the FAR within 180 days requiring covered contractors to comply with NIST FIPS PQC requirements by December 31, 2030.
Within 270 days, the FAR Council must also amend contract clauses for contractor vulnerability disclosure programs (VDPs) to ensure they specifically cover cryptographic vulnerabilities, including detecting lack of encryption or use of non-FIPS algorithms.
The final Section 7 establishes general provisions.
This ensures the order does not interfere with existing departmental legal authorities or OMB's budgetary/legislative functions.
Implementation must follow applicable law and be subject to appropriations.
It explicitly states the order does not create any new enforceable legal rights for any private party.
The Department of Commerce is assigned the cost for publishing the order, which is signed June 22, 2026.
Related
Nominations Sent to the Senate
The President transmitted several nominations to the Senate for confirmation across bodies including the Farm Credit Administration, Office of Government Ethics, IRS, and the International Monetary Fund.
Read MoreUshering in the Next Frontier of Quantum Innovation
* The Administration issued an order to solidify U.S. leadership in Quantum Information Science and Technology (QIST) by focusing on research acceleration (QC-ADDS), supply chain strengthening, workforce development, and national security protection.
Read MoreNominations Sent to the Senate
* The President formally sent nominations for judicial positions within the District of Columbia Court of Appeals and the U.S. District Court for the Southern District of Ohio to the Senate for confirmation.
Read MoreNational Homeownership Month, 2026
* The President proclaimed June 2026 as National Homeownership Month, detailing actions taken to address housing affordability, including curbing institutional investors and lowering borrowing costs.
Read More