Securing the Nation Against Advanced Cryptographic Attacks
- Executive Order Number
- 14412
- President
- Donald Trump
- Signed
- June 22, 2026
- Published
- June 25, 2026
- Source
- Federal Register
- Original Document
- https://www.govinfo.gov/content/pkg/FR-2026-06-25/pdf/2026-12909.pdf
AI-Generated Summary
Executive Order 14409: Post-Quantum Cryptography Transition
Purpose The order establishes a national policy to protect sensitive data, critical infrastructure, and the digital economy against future quantum-computing threats by directing the federal government to migrate to NIST-approved post-quantum cryptography (PQC) standards and to support similar transitions by critical-infrastructure owners and operators.
Key Actions or Directives
- Leadership and coordination: The Director of OMB and the National Cyber Director, in consultation with the Assistant to the President for National Security Affairs, lead strategic oversight; NIST (with NSA and CISA) provides ongoing technical guidance.
- Agency requirements: Within 30 days, agency heads must designate a PQC migration lead; within 90 days, OMB must issue guidance requiring agencies to inventory high-value assets (HVAs) and high-impact systems (excluding National Security Systems), develop migration plans, and complete PQC transitions for key establishment by 31 December 2030 and for digital signatures by 31 December 2031.
- Pilot and technical support: NIST must launch a PQC migration pilot on selected systems by 31 December 2027.
- Critical infrastructure and international engagement: Sector Risk Management Agencies, working with CISA, must assist owners and operators; the Department of State must promote global adoption of NIST PQC standards.
- National Security Systems: NSA must submit annual migration status reports.
- Procurement and supply-chain measures: The FAR Council must issue rules requiring covered contractors to adopt PQC-compliant algorithms by 2030 and to maintain vulnerability-disclosure programs that address cryptographic weaknesses; NIST must accelerate Cryptographic Module Validation Program processes.
- Cryptographic bill of materials: CISA, in coordination with NIST, must publish minimum elements for automated cryptographic-asset assessment within 270 days.
Significant Changes to Policy or Law
- Introduces mandatory, date-certain PQC migration timelines for federal HVAs and high-impact systems.
- Amends the Federal Acquisition Regulation to impose new PQC and vulnerability-disclosure obligations on contractors.
- Creates the new position of agency “PQC migration lead” and formalizes interagency coordination structures.
Potential Impacts
- Federal agencies must conduct inventories, develop plans, and budget for cryptographic replacements.
- Critical-infrastructure sectors receive federal assistance but face eventual pressure to migrate.
- Government contractors will incur compliance costs and must update systems and disclosure programs.
- International partners are encouraged to align with U.S. standards, potentially affecting global supply chains and diplomatic technology cooperation.
Main Stakeholders Affected Federal agencies (especially those operating HVAs or high-impact systems), OMB, NIST, CISA, NSA, Sector Risk Management Agencies, the Department of State, government contractors, and owners/operators of critical infrastructure.
Notable Legal, Constitutional, or Political Implications The order is implemented subject to existing legal authorities and appropriations; it expressly creates no enforceable private rights. It centralizes executive-branch cybersecurity policy under OMB and the National Cyber Director while preserving agency autonomy within statutory limits.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.