
Trump’s Quantum Clock Is Ticking. Most Federal Agencies Aren’t Ready

Two executive orders set hard deadlines for post-quantum encryption migration — and make “harvest now, decrypt later” an official national security emergency.

The encrypted data is already hacked and gone. And adversaries don’t need a quantum computer to steal it. They just need one to eventually read it. That’s the threat model the White House made official Monday when President Trump signed two executive orders setting the first binding federal deadlines for migrating government systems to quantum-resistant encryption.

Agencies must complete the shift for key establishment by December 31, 2030, and digital signatures by December 31, 2031. Federal contractors and critical infrastructure operators face the same clock.

“Cybersecurity is now a moving target across two fronts at once: the agentic AI era unfolding today, and the post-quantum world arriving next,” said Anup Kumar, CEO of Optiv Consulting. “Read past the 2028 quantum computer headline and you find the line that changes enterprise behavior: the government just set hard deadlines to move off today’s encryption. That’s not a forecast. It’s a clock.”

The threat that’s already here

The technical name is “harvest now, decrypt later.” Nation-state adversaries can’t break today’s encryption — but they don’t need to. They collect and store encrypted data now, then decrypt it retroactively once a sufficiently powerful quantum computer arrives. Executive Order 14409 states explicitly that adversaries “may already be collecting” encrypted U.S. government data.

The exposure extends well beyond federal walls. Kumar said every encrypted file an adversary harvests today — be it in your control or a third-party holding your data — becomes readable once quantum computing becomes an everyday reality. “The breach radius isn’t your perimeter anymore,” he said.

Data with long confidentiality lifespans — diplomatic cables, defense archives, health records, financial transactions — become exposure liabilities. Kumar asserts the window to protect is not what the government mandates (2030), it is now.

Two orders, two problems

Trump signed both orders June 22 in the Oval Office with Google and IBM executives present. The first, EO 14409, addresses the defensive problem: hardening federal systems before Q-Day arrives. It directs the Office of Management and Budget and the National Cyber Director (PDF) to lead a government-wide migration to NIST-approved post-quantum standards, requires every covered agency to designate a PQC migration lead within 30 days, and mandates a Commerce Department pilot migration to be completed by December 31, 2027.

The second order, EO 14411, addresses the offensive opportunity: building quantum machines capable of extraordinary computation. It establishes a national program at the Department of Energy to deliver at least one advanced quantum computer capable of meaningful scientific calculations by 2028.

The hard part is operational

The algorithms are no longer the problem. NIST finalized its first three post-quantum standards in August 2024, producing FIPS 203, FIPS 204, and FIPS 205 — all available at the NIST Post-Quantum Cryptography project page. What remains unsettled is the operational reality of finding everywhere an organization uses cryptography — and replacing it.

Chris Hickman, CSO at Keyfactor — a company currently working directly with federal agencies on PQC migration — puts the odds of hitting the first deadline in stark terms. For an agency that already has a complete cryptographic inventory today, he estimates a 60/40 chance of making 2030. For agencies starting from zero now, he puts success odds at roughly 25%.

“This is not just a change to one thing like a certificate or an OS upgrade,” Hickman said. “It’s a complete cryptographic ecosystem migration, and that has complexity and risk if only approached from a single component perspective.”

The biggest mistake organizations make, he said, is underestimating the number of interdependencies involved — or starting with only a single view of cryptography, such as a network layer scan, while missing everything else. “There are a series of co-dependencies that make up the cryptographic ecosystem in any agency, and making a change of one layer can cause disruption across the agency.”

Jeff Williams, founder of OWASP and CTO of Contrast Security, frames the same problem from the inventory side. Most cryptography isn’t visible in source code — it lives inside APIs, libraries, drivers, protocols, and cloud services, potentially hundreds of distinct implementations inside a single application. “The hard part is finding every place cryptography is used, figuring out what it’s being used for, understanding what data it protects, prioritizing the systems that matter, and changing them without breaking the software,” Williams said.

The CBOM race against time

EO 14409 gives CISA 270 days to define minimum elements for a cryptographic bill of materials — a standardized inventory template for cryptographic assets embedded in hardware and software. Williams calls the CBOM (Cryptographic Bill of Materials) concept the most important idea in the order. Hickman is more cautious about the timeline.

A comprehensive CBOM can be generated in 270 days, he said — but only if the clock started the moment the order was signed. More critically, a CBOM is only as good as the inventory process behind it. “If you are focused only on the CBOM then it will be outdated before the time is up,” Hickman said. “Most organizations need a continuous inventory and monitoring cycle so they can analyze risk on an ongoing basis — not just at one point in time. Cryptography will change dramatically between now and 270 days from now, and organizations will need to track those changes.”
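As an added illustration of the inventory problem Williams and Hickman describe (this is example code, not from the article, Keyfactor or Contrast Security), a small Python triage over a constructed CBOM-style inventory: it tags each asset with the EO 14409 deadline for its primitive (key establishment 2030, signatures 2031), flags public-key algorithms that a quantum computer breaks, and marks harvest-now-decrypt-later exposure where the protected data must stay confidential past the key-establishment deadline. The JSON field names and sample assets are assumptions; CISA's minimum CBOM elements are not yet defined.

```python
import json
from datetime import date

# Constructed sample inventory in a CycloneDX-like shape. Field names and assets are
# assumptions for illustration; CISA's CBOM minimum elements do not exist yet.
SAMPLE_CBOM = json.dumps({"components": [
    {"name": "tls-gateway",  "primitive": "key-establishment", "algorithm": "ECDH-P256",   "shelf_life_years": 10},
    {"name": "code-signing", "primitive": "signature",         "algorithm": "RSA-3072",    "shelf_life_years": 2},
    {"name": "vpn-kex",      "primitive": "key-establishment", "algorithm": "ML-KEM-768",  "shelf_life_years": 15},
    {"name": "archive-enc",  "primitive": "symmetric",         "algorithm": "AES-256-GCM", "shelf_life_years": 25},
]})

# Public-key families broken by Shor's algorithm, and the FIPS 203/204/205 replacements.
QUANTUM_VULNERABLE = ("RSA", "ECDH", "ECDSA", "DH", "DSA", "X25519", "ED25519")
PQC_APPROVED = ("ML-KEM", "ML-DSA", "SLH-DSA")
# EO 14409 deadlines as the article states them: key establishment first, signatures a year later.
DEADLINES = {"key-establishment": date(2030, 12, 31), "signature": date(2031, 12, 31)}


def classify_asset(asset, today):
    """Return migration status, applicable deadline and HNDL exposure for one asset."""
    alg = asset["algorithm"].upper()
    prim = asset["primitive"]
    deadline = DEADLINES.get(prim)
    vulnerable = alg.startswith(QUANTUM_VULNERABLE)
    # HNDL is a confidentiality problem: ciphertext captured today under a vulnerable
    # key exchange stays readable for as long as the data matters. Signatures cannot
    # be forged retroactively, so they get a deadline but no HNDL flag.
    hndl = (vulnerable and prim == "key-establishment"
            and today.year + asset["shelf_life_years"] > deadline.year)
    if vulnerable:
        status = "migrate"
    elif alg.startswith(PQC_APPROVED):
        status = "pqc-ready"
    else:
        status = "symmetric-review"  # AES etc.: key-length review, not a Shor-class break
    return {"name": asset["name"], "status": status, "hndl_exposed": hndl,
            "deadline": deadline.isoformat() if deadline else None,
            "days_left": (deadline - today).days if deadline else None}


def triage(cbom_json, today):
    """Rank every asset in the CBOM: HNDL-exposed first, then unmigrated, then nearest deadline."""
    rows = [classify_asset(a, today) for a in json.loads(cbom_json)["components"]]
    rows.sort(key=lambda r: (not r["hndl_exposed"], r["status"] != "migrate",
                             r["days_left"] if r["days_left"] is not None else 10**6))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_CBOM, date.today()):
        print(row)
```

Run against a real inventory, the ranking is the starting point for Hickman's continuous cycle: re-run it as assets change rather than freezing one report.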

Aggressive timeline, thin funding

The orders set an ambitious five-year sprint — without providing the capital to run it.

“The directives lack necessary funding mechanisms for supply-chain vendors and fail to provide a practical workforce development plan for specialized engineering talent,” said Dan Wilbricht, President of Optiv + ClearShark. “This will force the cybersecurity sector to compress decade-long modernization initiatives into five years.”

Hickman goes further. A July 2024 White House report (PDF) estimated the total government-wide migration cost at roughly $7.1 billion through 2035 — and Hickman argues the EO does nothing to close that gap. “Without direct and dedicated funding it will be nearly impossible to meet the timelines,” he said, “and this could result in a systematic failure of security in the USA and potentially globally.”

He expressed hope that funding mechanisms will emerge as program elements take shape over the next 90 to 180 days — but framed it as hope, not expectation.

The contractor compliance path adds another layer of friction. The EO extends the 2030 deadline to covered federal contractors — but post-quantum cryptography is not yet a formal CMMC or FedRAMP requirement. Those updates depend on revisions to NIST SP 800-171 and NIST SP 800-53, neither of which has a firm timeline. Organizations are being asked to plan against a hard deadline inside a regulatory framework that hasn’t caught up.

What next?

For agencies and contractors that haven’t started a cryptographic inventory, the window to plan calmly is closing fast. A full migration — discovery, prioritization, hybrid deployment, legacy decommissioning — takes three to seven years under optimistic scenarios. Hickman’s 25% odds for agencies starting today aren’t a critique of the mandate. They’re a description of the math.

The White House has drawn the line. The funding, the tooling, and the talent pipeline remain unsettled. That’s the story the next five years will tell.


Author

  • Shaun Nichols

    Shaun Nichols, Senior Editor at Security Point Break, is a veteran cybersecurity journalist who has spent nearly two decades covering the enterprise tech market—from the era of hard-drive iPods to the rise of Agentic AI. Formerly of The Register and TechTarget, Shaun is known for his sharp wit and deep technical dives into malware, ransomware, and the intersection of government policy and security. Follow him on X: @shaundnichols
