Two Executive Orders, One Message: It's Time to Get Serious About Quantum
Jim Walker
General Manager, Service Delivery
It Finally Feels Official
I've been writing and speaking about Post-Quantum Cryptography and crypto agility for a few years now. I presented on crypto agility for post-quantum communications at AFCEA Hampton Roads. I've published pieces here on the PQC transition, building cryptographic inventories, NIST IR 8547, and why PKI is the cornerstone of Zero Trust. For a while, these felt like forward-looking conversations — important to the right people, but not yet on most organizations' radar.
June 22, 2026 changed that.
On the same day, the White House signed two executive orders that together send a message that's hard to misread: the quantum era isn't something we're preparing for anymore. It's here, and the federal government is done waiting.
EO 14409: The Defensive Mandate
Securing the Nation Against Advanced Cryptographic Attacks puts hard deadlines on federal agencies to migrate off vulnerable cryptographic algorithms and onto NIST-approved Post-Quantum Cryptography standards. No more "we'll get to it." Here's the timeline:
- 30 days — each agency head names a PQC Migration Lead and reports to OMB and the National Cyber Director.
- 90 days — OMB issues guidance requiring agencies to review High Value Assets and high-impact systems.
- December 31, 2030 — all HVAs and high-impact systems must use PQC for key establishment.
- December 31, 2031 — all HVAs and high-impact systems must use PQC for digital signatures.
Federal contractors aren't off the hook either. Within 180 days, a proposed FAR rule will require covered contractors to comply with NIST FIPS PQC algorithms by the same 2030 deadline. Vulnerability Disclosure Programs get expanded to explicitly cover cryptographic vulnerabilities — including use of non-FIPS-approved algorithms.
The EO also calls out something I've been flagging for a while now: the "harvest now, decrypt later" threat. Adversaries are already collecting encrypted data today with the intent to decrypt it once quantum capability matures. That's not a future problem. It's happening right now, and any data with a long confidentiality shelf life is already at risk.
EO 14411: The Offensive Push
Ushering in the Next Frontier of Quantum Innovation is the other side of the equation. While EO 14409 is about defense, EO 14411 is about making sure the U.S. is the one leading the quantum race — not playing catch-up.
It establishes the QC-ADDS initiative (Quantum Computer for Application Development and Discovery Science), a whole-of-government effort to develop large-scale quantum computers and get them into Department of Energy facilities for scientific and national security use. The Department of War has to field next-generation quantum sensors by September 2028. Multiple agencies get tasked with 5-year quantum sensing and networking plans. The FBI's quantum counterintelligence protection team gets expanded.
Here's the part that really stood out to me: EO 14411 explicitly directs the DNI and the Secretary of War to assess the national security implications of advancing commercial quantum computers — specifically including their effect on the PQC migration timeline.
The government isn't just setting migration deadlines in a vacuum. It's actively tracking how fast the threat is evolving and building that into policy. That's a meaningful shift.
The CBOM: The Detail Most People Will Overlook
There's a requirement buried in EO 14409 that I think deserves a lot more attention than it's getting.
Within 270 days, CISA and NIST must define the minimum elements for a Cryptographic Bill of Materials (CBOM) — a standardized inventory of every cryptographic asset in a hardware or software product, built for automated assessment.
If you've ever tried to answer "what encryption are you running and where?" across a real enterprise environment, you already know why this is hard. Cryptographic dependencies are scattered across applications, middleware, operating systems, firmware, and network devices. A lot of it isn't documented. Some of it was inherited from legacy systems. Some is buried in third-party components nobody has looked at closely in years.
The CBOM concept borrows from the Software Bill of Materials (SBOM) model that picked up traction after SolarWinds. Same logic: you can't manage what you can't see, and you can't migrate what you haven't inventoried.
I wrote about building cryptographic inventories back in November 2024. The CBOM requirement in this EO is essentially making that work a regulatory reality. If your organization hasn't started, the pressure to do so just got a lot more official.
What This Actually Means for Your Organization
Let's be real — these deadlines are aggressive, and most organizations aren't ready. Here are the questions I'd be asking right now:
- Do you know what cryptographic algorithms you're actually running? Not at a conceptual level — specifically. RSA-2048 where? ECC on which systems? TLS 1.2 still active on which endpoints? If you can't answer that confidently, a cryptographic inventory is your first move, full stop.
- Are you a federal contractor? The 2030 deadline applies to you, not just your agency customers. PQC compliance is going to be written into the FAR, and that process is now formally in motion.
- Is your organization crypto-agile? Crypto agility means your systems can swap cryptographic algorithms without having to rebuild everything that depends on them. Most enterprise environments aren't there yet — and the organizations that invested early are in a fundamentally different position than those starting from scratch today.
- What's your supply chain exposure? If your vendors and suppliers aren't thinking about this yet, their risk is your risk too.
Read Together, the Signal Is Clear
It would be easy to look at EO 14409 in isolation and treat it as another federal compliance deadline — important for government shops, less relevant for everyone else. That reading misses the bigger picture.
EO 14411 makes clear that the U.S. government intends to lead the quantum computing race. That means the timeline for "when will quantum computers be powerful enough to break today's encryption?" isn't an academic question anymore. It's a national priority with federal investment, interagency coordination, and international diplomacy behind it.
These two EOs aren't separate conversations. They're the same conversation: we're accelerating the capability that will eventually break today's cryptography, and we need to migrate before adversaries get there first.
I've been making that argument for a while. It's good to see the White House making it too.
Where to Start
If your organization is federal, the 30-day clock for naming a PQC Migration Lead started June 22nd. If you're a contractor, the FAR rule is coming and 2030 is closer than it looks when you factor in the complexity of what needs to change.
If you're in the commercial sector, the pressure will arrive differently — through customer security questionnaires, cyber insurance requirements, and competitors who started earlier being better positioned. But it's coming.
The good news is that getting started isn't as overwhelming as it might seem. A cryptographic inventory, an honest assessment of your crypto agility posture, and a prioritized migration roadmap are all achievable near-term steps. None of them require waiting for the FAR rule to be finalized.
If you want to talk through what this means for your organization, reach out. This is exactly the kind of work we're focused on at Olympus Solutions, and I'm always happy to have that conversation.
Originally published on LinkedIn.
Read the original on LinkedIn