For a private-sector CISO, a new US executive order (EO), Securing the Nation Against Advanced Cryptographic Attacks, is an additional signal and call to action. For federal security leaders, it’s an order with your name on it. The recap on what to do is short: Inventory your cryptography, name someone to run the migration, and move your priority systems to the National Institute of Standards and Technology’s (NIST’s) post-quantum standards by the deadline. The challenge is whether you can execute fast enough without losing control of scope, dependencies, and mission risk.
Treat Your PQC Migration Lead As More Than A Contact
Section 4 requires that within 30 days, each agency head must name a post-quantum cryptography (PQC) migration lead and send the name and contact details to the Office of Management and Budget (OMB) and the National Cyber Director.
What this means: The job is really a multiyear program-office function, and the person needs authority to compel participation and action. This person owns agencywide cryptographic inventory management, a prioritized migration plan, and cross-agency coordination. Treat the 30-day deadline as a forcing function to decide who has the authority required to own this, identify cross-functional key contributors that will support the migration lead, and establish governance and escalation paths.
Cryptographic Inventory Is Where You’ll Gain Or Lose Time
Within 90 days, OMB will issue guidance requiring each agency to review its inventory of high-value assets and high-impact systems; move them to PQC for key establishment by December 31, 2030 (for digital signatures, by December 31, 2031); and submit a plan.
What this means: The 2030 and 2031 dates live in the EO itself, not the forthcoming OMB guidance. The guidance will tell you how to report — not whether the clock runs. Waiting for it spends 90 days of your scarcest resource. You have a head start: Your high-value asset (HVA) designations under OMB memorandum M-19-03 and your FISMA (Federal Information Security Modernization Act) high-impact categorizations already give you the system list to start from. Gaining the required visibility of where cryptography is used across applications, infrastructure, identity systems, certificates, APIs, embedded systems, vendor products, cloud services, and managed services is foundational to your PQC migration. The coordinated efforts for procurement outlined in the EO, including any shared procurement of PQC tools, will help, but you may not need to wait. Use this window of time to assess whether you already have existing technologies in your environment with built-in capabilities for cryptographic algorithm discovery and inventory. If you have already started cryptographic discovery activities, use the time to validate and consolidate your existing inventories.
Key Establishment And Digital Signatures Are Different Migration Efforts
The EO separates deadlines for key establishment and digital signatures, in recognition of the complexity involved. This is by design.
What this means: Protecting encrypted data in transit and replacing signature mechanisms are related, but they create different operational problems. Key establishment affects protocols and communications paths. Digital signatures touch software integrity, identity, certificates, authentication flows, document signing, firmware validation, and other trust mechanisms.
This distinction matters for sequencing. Agencies may be able to pilot hybrid or PQC-ready key establishment in some environments sooner than they can unwind signature dependencies — and potentially conduct resigning for documents, contracts, code, etc. — across software, devices, and vendor ecosystems.
CBOMs Will Expose Vendor And System Blind Spots
The EO requires the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the NIST, to release public guidance within 270 days describing minimum elements for a cryptographic bill of materials (CBOM). The purpose is to enable automated assessment of cryptographic assets used by hardware or software elements.
What this means: Agencies can’t migrate what they can’t see — and they can’t manage vendor risk if vendors can’t explain what cryptography their products use. A CBOM makes weak visibility harder to excuse, as cryptographic transparency will become part of federal supply chain security. Revise SLAs and procurement agreements to ask vendors to disclose their own products’ CBOMs. CBOMs for legacy hardware will likely be unobtainable and either require a waiver, hardware replacement, or firmware upgrade. Because of SBOMs and self-attestation work by CISA and the General Services Administration, there’s already a centralized portal and process that can be reused to collect CBOMs cross-agency.
Take Note If Owning Or Operating National Security Systems
Section 5 of the order explicitly calls for the National Security Agency (NSA) to submit a report to the president through the Committee on National Security Systems (CNSS) within 180 days and annually after that on the status of PQC migration for agencies that own or operate national security systems.
What this means: If your agency runs both systems under FISMA and national security systems, you now have two migration regimes with different owners, deadlines, and reporting chains. NSA’s Commercial National Security Algorithm Suite 2.0, published in 2022, already drives national security systems on a timeline of legacy gear phased out by 2030 and full migration by 2035. The danger is the seam between them: duplicated inventory work, inconsistent tooling, and cryptographic dependencies that cross the boundary and go unmanaged because each side assumes that the other owns them. Stand up coordination for your migration plans.
Lessons To Come From The NIST Pilot Will Shape Expectations
The EO directs NIST to initiate a PQC migration pilot within 180 days on an appropriate subset of NIST-owned or NIST-operated information systems and complete it no later than December 31, 2027.
What this means: This pilot will likely influence how agencies understand feasible scope, migration sequencing, validation methods, and implementation risks. Federal security leaders should track the pilot closely because it may become an important reference point for what good execution looks like.
There Are Deadlines And Not Necessarily Dollars To Match
The order is to be implemented “subject to the availability of appropriations,” and its procurement section leans on cost savings through cloud migration, shared procurement of PQC tools, joint training, and centralized technical support rather than new funding.
What this means: In the absence of a dedicated funding stream, the migration will compete against everything else in your security budget. Plan to draw on the shared procurement and training vehicles the order sets up rather than standing up your own. Understand where your vendors’ quantum migration work will reduce what you need to do yourselves.
The Clock Has Started
Forrester clients can check out the full initiative blueprint to help drive their quantum security migration or schedule a guidance session or inquiry with us.
-1024x683.jpg "Strait Outta Hormuz: Getting the Iran Oil Story Straight")
