What happened
President Trump signed Executive Order 14409 on 22 June 2026, establishing the first enforceable federal deadlines for migrating US government information systems to NIST-approved post-quantum cryptography (PQC) FIPS standards. Key provisions: (1) All federal High Value Assets and high-impact systems must complete PQC key-establishment migration by 31 December 2030 and digital-signature migration by 31 December 2031; (2) OMB must issue binding agency migration guidance within 90 days; (3) Each agency must appoint a PQC migration lead within 30 days; (4) FAR Council must propose a rule within 180 days requiring federal contractors to comply with NIST FIPS PQC by 2030; (5) CISA and NIST must publish guidance on minimum elements of a cryptographic bill of materials (CBOM) within 270 days; (6) NIST must revise the CMVP to accelerate PQC validations within 180 days. The order supersedes Biden-era NSM-10 and OMB M-23-02.
Why it matters
This is the strongest US government cryptographic security mandate in over a decade and directly governs the cryptographic foundations protecting all AI systems, models, and data pipelines in federal and contractor environments. The CBOM requirement is directly analogous to the SBOM movement and will force visibility into cryptographic dependencies across AI infrastructure. Federal contractors — including all major AI cloud providers serving government — face hard 2030 procurement deadlines. The EO also directs the State Department to promote NIST PQC standards internationally, accelerating global adoption.
Action needed
Federal agencies: appoint PQC migration lead within 30 days; begin HVA and high-impact system cryptographic inventory immediately. Federal contractors: initiate NIST FIPS PQC gap analysis now ahead of FAR rule; plan for 2030 compliance deadline. All organisations: begin cryptographic bill of materials (CBOM) scoping to align with forthcoming CISA/NIST guidance.