Saturday, June 27, 2026
FeeOnlyNews.com

Use The New Executive Order As A Canary For Enterprise PQC Migration And Procurement

by FeeOnlyNews.com
3 days ago
in Market Analysis


On June 22, 2026, the White House issued a new executive order (EO), Securing the Nation Against Advanced Cryptographic Attacks. While it has direct implications for federal agencies, parts of it also matter to enterprise security and risk leaders. Here’s what’s worth your attention, whether or not you hold a federal contract.

You Now Have A Clear Operating Assumption With An Accelerated Timeline

The order opens with the concept of harvesting now, decrypting later as its rationale — referring to adversaries collecting encrypted sensitive data today to decrypt it once large-scale quantum computers exist. It commits the US government to migrating to the National Institute of Standards and Technology’s (NIST’s) post-quantum cryptography (PQC) standards by the end of 2030 for key establishment and by the end of 2031 for digital signatures for high-value assets and high-impact systems. This is a notable departure from the previous target of 2035 across federal systems overall.

What this means: The “Should we start now?” debate is settled for any organization sitting on data with a long confidentiality shelf life. The order generates greater urgency surrounding this risk. Data exfiltrated today is exposed the day a cryptographically relevant quantum computer arrives (Q-day!) — and you don’t control when that is. Determine the shelf life of your sensitive data. What holds longer-term value is specific to your organization — from source code and health and biometric records to authentication credentials and trade secrets. Identify where long-lived sensitive data intersects with vulnerable public-key cryptography, external exposure, and third-party dependencies.

The FAR Rule Has Takeaways For Noncontractors, Too

Section 6 directs the Federal Acquisition Regulatory Council to publish a proposed rule to amend the Federal Acquisition Regulation (FAR) within 180 days, requiring covered contractors to comply by December 31, 2030 with NIST’s Federal Information Processing Standards (FIPS) — including the PQC-compliant algorithms. This deadline isn’t unique: Other governments internationally have mandated similar timelines for PQC migration.

What this means: Even if you don’t sell to the federal government, you should treat 2030 (for key establishment) and 2031 (for digital signatures) as the de facto benchmark for your own security program. Named deadlines for PQC migration from governments will influence regulatory and sector-specific deadlines, as well as third-party partner requirements and technology vendor roadmaps. If you sell to the federal government, PQC becomes a contract term with a date attached. The proposed rule — not the final rule — is the thing to watch, because that’s where scope and definitions get set. File your comments while they still count.

CBOMs Will Be SBOMs’ Sequel

Section 5 directs the Cybersecurity and Infrastructure Security Agency (CISA) and NIST to publish, within 270 days, the minimum elements for a cryptographic bill of materials (CBOM), which is a structure designed to let you automatically assess the cryptographic assets inside a piece of hardware or software. This starts us down the path for a new vendor risk management and procurement requirement.

What this means: You can’t migrate what you can’t see, and most enterprises have no current inventory of where and how cryptography is used across their environment. The CBOM will help. Even more important to note: After the 2021 cybersecurity EO, the software bill of materials (SBOM) went from being a niche artifact to a procurement expectation. If you sell hardware or software, watch for the published elements so that you’ll be able to produce a CBOM for buyers. Today, we see open-source solutions like CBOMkit from IBM Research leading CBOM creation. Your own third-party risk management processes must include revising SLAs and procurement agreements to ask vendors to disclose their own products’ CBOMs. CBOMs for legacy hardware will likely be unobtainable and will require either a waiver, hardware replacement, or firmware upgrade.

Your Vulnerability Disclosure Now Covers Weak Cryptography

Section 6 also directs the Federal Acquisition Regulatory Council to propose, within 270 days, rules that require covered contractors’ vulnerability disclosure programs (VDPs) to capture cryptographic vulnerabilities — explicitly including testing for the absence of encryption and the use of non-FIPS-approved algorithms.

What this means: “We didn’t encrypt that” and “We used a non-approved algorithm” move from being audit findings to reportable vulnerability classes. Cryptographic hygiene is now a continuous vulnerability-management best practice rather than a periodic compliance check. If you run a VDP or a bug bounty, your scope, intake, and triage logic need to account for cryptographic findings and your remediation SLAs need a place to put them. This raises the bar for your security vendors, as well; begin to assess this as a part of your procurement due diligence going forward. These disclosures will likely extend to areas including identity access management, customer identity access management, tokenization, data protection, unified messaging, and other domains.

Critical Infrastructure Gets A Partner, Not A Mandate — Yet

Section 5 directs every federal agency that serves as a Sector Risk Management Agency to work through CISA to help critical infrastructure owners and operators build their PQC migration plans.

What this means: If you’re a security leader for a utility, hospital system, bank, pipeline, wastewater system, or any other critical infrastructure operator, take note. Your sector agency and CISA are now tasked with assisting you in developing your PQC migration plans. Watch to see if any assistance in the form of “voluntary” sector guidance comes through, which may eventually turn into a baseline that regulators and insurers later expect. Engage early so you have greater input in shaping your migration plan. Start with identifying and prioritizing critical and high-consequence functions: remote access into OT environments, identity and certificate infrastructure, encrypted data flows between operators and third parties, firmware and software signing, backup and recovery systems, and communications tied to incident response or safety operations.

Assemble Your Team For PQC Migration

The federal government is treating PQC as an execution program, not a standards update. Enterprises should do the same. The hardest parts will be ownership, sequencing, validation, and dependency management. Cryptographic discovery and inventory will be uncomfortable for many organizations because cryptography is often embedded in products, protocols, libraries, APIs, certificates, hardware security modules, identity systems, and vendor-managed services that security teams don’t fully own. Including more PQC questions in RFPs and contract renewals, third-party risk reviews, cyber insurance discussions, and board-level risk conversations also requires coordination with other internal stakeholders.

Ensure that stakeholders recognize that timelines can change. We’ve seen deadlines become progressively more aggressive in the last 18 months, and teams must be prepared for that to continue. Forrester clients can check out the full initiative blueprint to help drive their PQC migration or schedule a guidance session or inquiry with us.



Copyright © 2022-2024 All Rights Reserved
See articles for original source and related links to external sites.
