EO-14412
Securing the Nation Against Advanced Cryptographic Attacks
- Signed
- Jun 22, 2026
- Published
- Jun 25, 2026
Federal Register: 2026-12909
Source: Federal Register.
Federal Switch to Quantum-Resistant Encryption by 2030-2031
What it does
This order directs all federal agencies to replace their current encryption systems with new "post-quantum cryptography" (PQC) standards — encryption methods designed to resist attacks from both today's computers and future quantum computers. Agencies must upgrade their most sensitive systems by December 31, 2030 (for key exchange) and December 31, 2031 (for digital signatures). The order also requires government contractors to meet the same standards and directs agencies to help private critical infrastructure owners — such as power grids, water systems, and financial networks — make the same transition.
Who benefits
Federal agencies and their employees whose data would be better protected against future quantum-enabled decryption attacks. Private citizens whose personal data is held in federal systems (e.g., Social Security, tax, health records). Critical infrastructure operators (energy, water, finance, transportation) who receive federal guidance and support for their own upgrades. U.S. cybersecurity and quantum-technology companies that would gain new government contracts for PQC tools and services. Allied foreign governments and international partners encouraged to adopt compatible encryption standards, strengthening shared digital security. Smaller federal contractors who benefit from shared procurement and centralized technical support.
Who is affected
Federal contractors and vendors who must invest in new PQC-compliant systems by 2030 or risk losing government contracts — a potentially significant compliance cost, especially for small businesses. Federal agencies facing tight migration deadlines and the need to reprogram or replace legacy IT infrastructure, which could strain existing budgets. Private critical infrastructure operators (e.g., hospitals, utilities, banks) who, while not legally mandated by this order, face strong pressure to comply with new federal guidance. Legacy hardware and software vendors whose non-PQC products may become ineligible for federal procurement. Foreign technology companies that do not adopt NIST-standardized PQC algorithms, potentially losing access to U.S. government markets.
Supporters argue
Supporters argue that adversaries are already collecting encrypted U.S. government data today with the intent to decrypt it once quantum computers become powerful enough — a strategy known as "harvest now, decrypt later" — making immediate action essential rather than premature. They contend that NIST spent nearly a decade vetting and standardizing these PQC algorithms, so the technical foundation is sound, and that setting firm deadlines with clear agency accountability is the only way to overcome the institutional inertia that has historically slowed federal cybersecurity upgrades. Supporters also argue that leading the international transition to NIST-standardized PQC strengthens U.S. technological influence and makes allied nations' systems more interoperable and secure.
Opponents argue
Opponents argue that the 2030–2031 deadlines are unrealistically aggressive given the scale and complexity of federal IT infrastructure, risking rushed, error-prone implementations that could introduce new vulnerabilities rather than eliminate old ones. They contend that the PQC standards themselves are still relatively new and insufficiently battle-tested in large-scale deployments, meaning a government-wide mandate could lock agencies into algorithms that are later found to have weaknesses. Opponents also argue that extending compliance requirements to contractors and pressuring critical infrastructure operators creates substantial unfunded costs for private entities, disproportionately burdening smaller businesses and operators with limited IT resources, without a clear statutory authorization for those private-sector obligations.
Constitutional basis
Executive orders rest on constitutional authority or statutory delegation. This summary describes the legal grounding cited or implied by the order.
The order rests on the President's Article II authority as Commander in Chief and chief executive to direct the operations of the federal executive branch, including the security of federal information systems. It also draws on statutory authority under the Federal Information Security Modernization Act (FISMA, 44 U.S.C. § 3551 et seq.), which grants the executive branch broad authority to set cybersecurity standards for federal agencies, and the Homeland Security Act (6 U.S.C. § 1526(c)), explicitly cited in Section 4(b). The FAR Council rulemaking directed in Section 6 proceeds under the statutory authority of the Federal Acquisition Regulation (41 U.S.C. § 1121), which governs procurement standards for federal contractors. A future president could reverse or modify this order, though contractor rules finalized through notice-and-comment rulemaking would require a separate rulemaking process to undo.