The PQC Executive Order: What it requires and what it reveals
Executive Order 14409 mandates cryptographic inventory and PQC migration by all federal agencies and contractors. The vulnerabilities it targets are already being exploited.
On June 22, 2026, the President signed Executive Order 14409. This is the first federal mandate to set hard deadlines for post-quantum cryptography migration. "Securing the Nation Against Advanced Cryptographic Attacks" requires every agency to inventory its cryptographic assets, submit migration plans, and transition to NIST-approved PQC standards.
The directive names the threat driving this urgency: adversaries are "collecting United States information now, and decrypting it later" once quantum capabilities emerge. This is the harvest-now-decrypt-later (HNDL) threat, and the EO acknowledges it as active and ongoing. Every day without PQC migration is another day of exposure to collection that is already happening.
PQC Executive Order requirements: timelines, enforcement, and market signals
The federal government has drawn a line in the sand with Executive Order 14409. Agencies now face stringent timelines.
[Figure: Executive Order Migration Timelines]
But these deadlines do not stop at the public sector. The FAR Council's proposed rules extend the requirements beyond federal agencies, which means that companies selling to the government (defense contractors, systems integrators, cloud providers, and others) will also need to demonstrate NIST compliance by 2030.
The private sector is already mobilizing on this exact urgency. Google and Cloudflare have set a 2029 PQC migration deadline, ahead of NIST’s 2030 and Microsoft’s 2033 targets. Recent research suggests that the threshold to break RSA-2048 could be achieved with as few as 10,000 to 14,000 qubits using neutral-atom architectures, shattering previous assumptions of a 20-million-qubit requirement. Yet 91% of businesses still lack a formal PQC roadmap. The EO signals that American policy has caught up to the science.
The cryptographic visibility gap the EO exposes
The EO requires agencies to conduct a comprehensive inventory of their cryptographic assets and assess the cryptographic debt accumulated across their IT networks.
That requirement reveals something most organizations already know but haven't addressed: they do not know what cryptography they are running, where it exists within their infrastructure, or whether it is still viable. With the Q-Day countdown accelerating and HNDL collection actively underway, this visibility gap is indefensible.
Most organizations only see their cryptographic estate through a certificate lifecycle manager (CLM) that tracks what it issued. That approach misses the shadow cryptography, the deprecated algorithms embedded in legacy applications, hardcoded keys in container images, and certificates issued outside the CLM's scope. You cannot migrate what you cannot see.
The EO also requires DHS to release cryptographic bill of materials (CBOM) guidance within 270 days. A CBOM is the cryptographic equivalent of a software bill of materials: a machine-readable inventory of every algorithm, key, certificate, and dependency in a given system. This moves cryptographic inventory from a best practice to an auditable deliverable.
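To make the idea of a machine-readable cryptographic inventory concrete, here is an added example (not from this article, AQtive Guard, or any DHS guidance) that scans file contents for hardcoded private keys and algorithm names and emits one record per finding. The record fields, the classification sets, and the sample file paths are assumptions made for illustration.

```python
import json
import re

# Assumed classification for this example: public-key algorithms that Shor's
# algorithm breaks vs. the NIST PQC standards (FIPS 203, 204, 205).
QUANTUM_VULNERABLE = {"RSA", "EC", "ECDSA", "ECDH", "ECDHE", "DSA", "DH", "DHE"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# PEM armor of a private key; group 2 is the key type when the header names one.
PEM_KEY = re.compile(r"-----(BEGIN|END) (?:(RSA|EC|DSA) |ENCRYPTED )?PRIVATE KEY-----")
# Algorithm names as standalone tokens (e.g. inside a TLS cipher-suite string).
ALGO = re.compile(r"(?<![A-Za-z0-9])(ML-KEM|ML-DSA|SLH-DSA|ECDHE|ECDSA|ECDH|DHE|RSA|DSA|DH)(?![A-Za-z0-9])")

# Constructed sample files (hypothetical paths, no real key material).
SAMPLE_FILES = {
    "etc/nginx/nginx.conf": "ssl_protocols TLSv1.2;\nssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;\n",
    "app/config.py": 'SIGNING_KEY = """-----BEGIN RSA PRIVATE KEY-----\n'
                     "(constructed placeholder)\n"
                     '-----END RSA PRIVATE KEY-----"""\n',
    "svc/kem.toml": 'kem = "ML-KEM-768"\n',
}

def classify(algorithm):
    if algorithm in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    return "pqc" if algorithm in PQC else "needs-review"

def build_inventory(files):
    """Return one record per finding: where it is, what it is, how it rates."""
    records = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            pem = PEM_KEY.search(line)
            if pem:  # hardcoded key: record the BEGIN line, skip the END line
                if pem.group(1) == "BEGIN":
                    algo = pem.group(2) or "unknown"
                    records.append({"path": path, "line": lineno, "asset": "private-key",
                                    "algorithm": algo, "status": classify(algo)})
                continue
            for algo in sorted(set(ALGO.findall(line))):
                records.append({"path": path, "line": lineno, "asset": "algorithm",
                                "algorithm": algo, "status": classify(algo)})
    return records

def migration_backlog(records):
    """Findings that must move to PQC, i.e. the quantum-vulnerable ones."""
    return [r for r in records if r["status"] == "quantum-vulnerable"]

if __name__ == "__main__":
    print(json.dumps(build_inventory(SAMPLE_FILES), indent=2))
```

Text matching of this kind only finds cryptography that is named in files; certificates in binary form and algorithms negotiated at runtime need parsing and network observation on top of it.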
What the EO mandates and what it takes to comply
The EO outlines four capability requirements for federal agencies (and contractors):
- Discovery and inventory. The EO requires agencies to review their cryptographic inventories across high-value assets and high-impact systems, and to submit migration plans within 90 days of OMB guidance.
- Dependency mapping and prioritization. Agencies must identify and prioritize their high-value assets (HVAs) and high-impact systems for migration. Knowing what cryptography exists is not enough.
- Cryptographic agility. Key establishment by 2030 and digital signatures by 2031 require migration designed for algorithm updates without infrastructure overhauls.
- Accountability and compliance evidence. The EO mandates agency PQC Migration Leads, annual NSA status reports on National Security Systems migration, and CISA-issued CBOM guidance.
AQtive Guard: cryptographic posture management for the PQC mandate
AQtive Guard seeks to address what the Executive Order requires. “This Executive Order marks a new era in America’s cyber defense posture,” said Jack Hidary, CEO of SandboxAQ. “The United States government is drawing a clear line in the sand: We must harden our defenses against quantum threats now. SandboxAQ is committed to partnering with federal agencies, including the Department of War and NIST in the Department of Commerce, to modernize our nation’s cryptography at speed and scale, and ensure that adversaries never hold the keys to our critical infrastructure or national defense as Q-Day approaches.”
"Cybersecurity must advance with quantum capabilities," said Ron Ash, CEO of Accenture Federal Services. "Our work with SandboxAQ ensures America's critical infrastructure will outpace future technological threats."
How to start your PQC migration
The EO gives federal agencies until 2030 to achieve what most organizations don't have today: a complete, continuously updated inventory of every cryptographic asset in production. The FAR Council's proposed rules extend that same deadline to every contractor, integrator, and cloud provider selling to the government.
The science moved first. The policy just caught up. Your migration plan is next.
Start your cryptographic inventory: aqtiveguard.com

