EO 14144: The Shift from Compliance to Control

Why CISOs Must Rethink Cryptography Before 2026

Whether you're a federal agency, a regulated enterprise, or a private-sector company in the federal supply chain, Executive Order 14144 will impact how you manage cybersecurity. Issued in January and amended in June 2025, the order shifts the focus from regulatory box-checking to measurable control, especially in cryptography management.

What Changed

Post-Quantum Cryptography (PQC) Timeline Adjusted

The 2030 deadline for agency-wide adoption of quantum-resistant cryptography still stands, but the original 90-day procurement requirement has been removed. Instead, the Cybersecurity and Infrastructure Security Agency (CISA) will publish a list of PQC-ready vendors by December 1, 2025, setting a clear deadline for planning migrations. These changes build on the foundation set by National Security Memorandum 10 (2022) and OMB Memo M-23-02, which first required agencies to inventory cryptographic systems and plan for PQC migration. While the timeline has shifted, the strategic direction remains unchanged: crypto agility and quantum-safe readiness.

Digital ID and Software Attestation Requirements Paused

Plans to pilot government-backed digital IDs (e.g. mobile driver’s licenses) have been shelved. Requirements for SBOMs and signed attestations have also been removed from near-term procurement. Instead, NIST will lead a public-private consortium to release updated secure software guidance by year’s end.

IoT Security Standards Accelerated

Meanwhile, IoT standards are accelerating. By January 2027, all consumer IoT devices purchased by the federal government must carry the FCC’s Cyber Trust Mark. Expect large enterprise buyers to follow that lead.

Cyber Sanctions Narrowed, but Enforcement is Tightened

The order also narrows the U.S. government’s cyber sanctions policy. EO 13694 now targets only foreign entities. That change may reduce the scope of concern, but it increases the consequences for vendor missteps.

AI Oversight Requirements Scaled Back

Finally, AI oversight requirements have been scaled back. Agencies must now surface existing datasets and fold AI vulnerability assessments into cybersecurity planning by November 1, 2025.

Why It Matters Now

For CISOs in regulated industries or any organization in the federal supply chain, these changes are not theoretical. They redefine how auditors evaluate control, how regulators interpret risk, how procurement officers screen vendors, and how customers judge readiness.

NIST Will Set the New Security Baseline

Even without immediate mandates, the secure software guidance NIST is developing will likely become the default expectation for what “secure by design” means. Customers, regulators, and partners will increasingly expect your systems to align—even if procurement rules haven’t caught up yet. If you can’t demonstrate cryptographic visibility, vulnerability management, or identity governance, your organization will be seen as a risk.

Quantum Threats Are Already in Play

The 2030 deadline feels far off, but data theft is already underway. Adversaries are stockpiling encrypted data now with the intent of decrypting it later. If your systems hold long-lived data, like customer records, IP, or financial transactions, waiting until 2029 is too late.

Procurement Standards Are Moving Faster Than Regulations

Contract clauses evolve slowly, but enterprise RFPs don’t. Buyers across industries are already aligning to federal standards, including PQC-readiness and IoT labeling. Expect to see Cyber Trust Mark and NIST-aligned requirements show up in private-sector procurement well before official deadlines.

Vendor Risk is Becoming Buyer Responsibility

The updated EO narrows sanctions to foreign actors, but it increases the risk for U.S.-based buyers. If your vendors are even indirectly connected to flagged entities, your organization may face penalties or lose contracts. That’s why non-human identity and cryptographic asset visibility are critical.

Compliance is No Longer a Checklist

EO 14144 marks a shift away from one-time audits and toward real-time control verification. The new question isn’t “Did we comply last year?” but “Can we prove we’re secure now?” Expect a growing emphasis on live inventories, continuous monitoring, and automated audits through updated NIST frameworks like SP 800-53 and SSDF. (See the quick-reference table below.)

What You Can Do Today

1. Map your cryptographic infrastructure
Start with visibility. Identify all cryptographic assets across your environment: machine-to-machine certificates, TLS configurations, code signing keys, and more. Most organizations do not know where their weakest keys live. If you cannot see it, you cannot secure it.

2. Prioritize the highest risk systems
Focus your efforts on systems that protect long-lived secrets or critical operations. Begin piloting quantum-safe cryptographic replacements in those areas. You do not need to wait for CISA’s vendor list to start taking meaningful action.

3. Move to continuous monitoring
Point-in-time audits are no longer enough. Certificates expire, misconfigurations happen, and static spreadsheets quickly become outdated. You need a live, always current view of your cryptographic security posture.

4. Align to NIST standards
Review NIST’s post-quantum standards and monitor upcoming guidance. Building your roadmap around these evolving standards will give you a defensible strategy and a head start when mandates arrive.

5. Secure executive sponsorship
Cryptographic modernization requires budget and leadership buy-in. The biggest blocker is rarely technical. Educate your board and CFO on the cost of delay and the value of staying ahead.
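Steps 1 through 3 above come down to one capability: a machine-readable inventory of certificates and keys that is refreshed continuously rather than kept in a spreadsheet. The Go program below is an added example, not AQtive Guard's code or anything from the original article. It parses a PEM bundle with the standard library and reports, per certificate, the public-key algorithm, key size, days until expiry and whether the key is quantum-vulnerable (RSA and ECC both are). The two certificates it scans are constructed inline; the names svc-a.internal and codesign.internal are placeholders.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// Finding is one inventory row. QuantumVuln is true for RSA and ECC keys: a large quantum computer breaks both, so they belong on the PQC migration list.
type Finding struct{ Subject, Algo string; Bits, DaysLeft int; QuantumVuln bool }

// Inventory walks a PEM bundle and records algorithm, key size and remaining validity per certificate.
func Inventory(bundle []byte, now time.Time) []Finding {
	var out []Finding
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(b.Bytes)
		if b.Type != "CERTIFICATE" || err != nil {
			continue // private keys or unparseable blobs; a real scanner would report these as findings too
		}
		f := Finding{Subject: cert.Subject.CommonName, Algo: cert.PublicKeyAlgorithm.String(), DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24)}
		switch k := cert.PublicKey.(type) {
		case *rsa.PublicKey:
			f.Bits, f.QuantumVuln = k.N.BitLen(), true
		case *ecdsa.PublicKey:
			f.Bits, f.QuantumVuln = k.Curve.Params().BitSize, true
		}
		out = append(out, f)
	}
	return out
}

// selfSigned mints a constructed sample certificate for this example; these are not real deployment certs.
func selfSigned(cn string, key crypto.Signer, now time.Time, ttl time.Duration) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(ttl)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil { panic(err) }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle: a constructed RSA-2048 machine identity expiring in 20 days plus a three-year ECDSA P-256 code-signing cert, two of the asset classes step 1 names.
func SampleBundle(now time.Time) []byte {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return append(selfSigned("svc-a.internal", rsaKey, now, 20*24*time.Hour), selfSigned("codesign.internal", ecKey, now, 3*365*24*time.Hour)...)
}
```

Run `Inventory(SampleBundle(now), now)` on a schedule against your real trust stores and TLS endpoints, and the DaysLeft and QuantumVuln columns become the live view steps 2 and 3 call for.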

Take the Next Step To Secure Your Cybersecurity Systems

The mandates may have narrowed, but the need to demonstrate measurable resilience has never been greater. The next 18 months will define whether your organization is preparing or playing catch-up.

With AQtive Guard, you can gain cryptographic visibility, automate cryptography management, and stay ahead of federal and industry requirements. Schedule a short demo to see how your team can start securing critical assets today.

Post-Quantum Standards Quick-Reference

| Standard | Scope | Practical impact |
|---|---|---|
| FIPS 203 | CRYSTALS-Kyber (PQC key establishment) | Baseline for quantum-safe encryption |
| FIPS 204 | CRYSTALS-Dilithium (PQC signatures) | Primary digital-signature replacement |
| FIPS 205 | SPHINCS+ (PQC signatures) | Hash-based alternative with different trade-offs |
| NIST SP 800-208 | Stateful hash-based signatures (XMSS, LMS) | Interim option for firmware/software signing |
| NIST SP 800-53 Rev. 5 | Federal control catalog | Foundation for many enterprise frameworks |
| NIST SP 800-218 (SSDF) | Secure Software Development Framework | Ties software-supply-chain practices to measurable security |