On June 22, 2026, President Trump signed Executive Order 14409, titled “Securing the Nation Against Advanced Cryptographic Attacks.” The directive establishes a December 31, 2030, cutoff for federal agencies to shift their most sensitive systems to post-quantum encryption, and a December 31, 2031, cutoff for post-quantum authentication. The order also instructs federal contractors to align with post-quantum Federal Information Processing Standards (FIPS) by the close of 2030.
We applaud this executive order. The U.S. government has a well-established history of leveraging federal leadership and procurement power to accelerate the adoption of emerging technologies across the private sector. We’ve witnessed this approach succeed with IPv6, with routing security and the Resource Public Key Infrastructure (RPKI), and with DNSSEC, and we’re pleased to see this pattern extended to post-quantum cryptography.
The EO is particularly timely because the projected timeline for Q-Day—the point at which quantum computers can break the public-key cryptography that underpins the Internet—has moved closer. In April 2026, Cloudflare revised its own target for achieving full post-quantum security to 2029, prompted by research breakthroughs from Google and Oratomic. This EO supersedes earlier guidance from 2024, when the National Institute of Standards and Technology (NIST) recommended that the classical public-key cryptography used across the Internet (specifically RSA and Elliptic Curve Cryptography, both of which will be vulnerable once sufficiently powerful quantum computers emerge) should be phased out by 2030 and prohibited by 2035.
The Internet’s shift to post-quantum encryption is already well in progress, whereas the move to post-quantum authentication has only recently started. Currently, more than two-thirds of browser traffic flowing to Cloudflare’s network is shielded by post-quantum encryption, and the majority of our products already support post-quantum key agreement. Our SASE platform, Cloudflare One, delivers post-quantum encryption across all major on-ramps and off-ramps, including TLS, MASQUE, and IPsec. We’ve recently begun rolling out post-quantum authentication and intend to reach full post-quantum security by 2029. The EO provides a strong foundation and builds upon efforts from the prior two Administrations. We’ve been carrying out since 2019 the very work the EO now directs federal agencies to undertake, so we have a view on what the order gets right, on where the Office of Management and Budget (OMB) could reinforce and streamline cost-effective agency migration, and on how organizations and agencies can most effectively advance their transition.
The EO’s requirements for federal systems
The majority of the EO’s binding mandates are directed at two categories of federal systems: High Value Assets (HVAs) and high impact systems. HVAs are federal information systems or assets designated by OMB as the government’s most critical holdings—systems whose compromise would have a major impact on national security, foreign relations, or public trust. These encompass databases containing millions of federal employee records, systems handling classified intelligence, and platforms managing federal financial transactions. High impact systems, on the other hand, are those rated “high” for confidentiality, integrity, or availability under FIPS 199, meaning a breach could result in catastrophic consequences including loss of life, substantial financial harm, or a serious decline in an agency’s ability to fulfill its mission.
The EO has the authority to compel federal agencies, but not other entities (such as critical infrastructure operators, state, local, tribal, and territorial governments, academia, or civil society). For this reason, the deadlines apply exclusively to federal agencies:
| Date | Requirement |
|---|---|
| July 2026 | Each federal agency head designates a PQC migration lead and submits their name and contact information to OMB and the National Cyber Director. |
| September 2026 | OMB issues guidance requiring each agency to: (1) audit their inventory of HVAs and high impact systems; (2) develop a PQC migration plan; and (3) submit that plan to OMB and the National Cyber Director. |
| December 2030 | All HVAs and high impact systems must complete their transition to PQC for key establishment. |
| December 2031 | All HVAs and high impact systems must complete their transition to PQC for digital signatures. |
National Security Systems are explicitly exempt from these deadlines. They follow a separate, classified track overseen by the NSA, with deadlines spanning 2030 to 2033 that were already established in 2022.
Two migrations: encryption and authentication. Both should begin now.
The EO divides the PQC migration into two distinct phases: post-quantum key establishment (encryption) by 2030, and post-quantum digital signatures and certificates (authentication) by 2031. This structure accurately mirrors the current state of post-quantum encryption availability across the Internet. Our own target for full post-quantum readiness (including authentication) is 2029, though we are among the earliest adopters in the industry.
We are also encouraged that the EO focuses on NIST-standardized post-quantum cryptographic algorithms rather than Quantum Key Distribution (QKD), since QKD cannot operate at Internet scale due to its reliance on specialized hardware and dedicated physical connections between sender and receiver.
Let’s now take a closer look at the two migrations the EO calls for: post-quantum encryption and post-quantum authentication.
Post-quantum encryption is needed today to counter harvest-now-decrypt-later attacks, in which an adversary captures encrypted traffic now and decrypts it in the future once quantum computers become powerful enough. Post-quantum encryption is especially critical for organizations managing data that will remain sensitive to adversaries 3–10 years from now, such as government agencies, banks, healthcare organizations, defense contractors, and telecommunications providers.
Post-quantum authentication prevents an adversary equipped with a quantum computer from forging certificates to impersonate servers, generating malicious code signatures, or gaining unauthorized access to systems. Post-quantum authentication becomes necessary only once Q-Day risk materializes, because it defends against attacks that are feasible only after a cryptographically-relevant quantum computer (CRQC) exists.
It’s essential to place the migration timelines in
Against a backdrop of rapid progress in quantum computing, and alongside yesterday’s executive order on post-quantum security, President Trump also signed an EO aimed at speeding up the rollout and commercialization of quantum computing, sensing, and networking technologies. That the post-quantum order sets a 2031 target for post-quantum authentication reveals a key insight: the U.S. government considers it a real possibility that a CRQC could become functional around that timeframe.
| | PQ Encryption (Key Agreement) | PQ Authentication (Digital Signatures) |
|---|---|---|
| NIST Algorithm | ML-KEM (FIPS 203) | ML-DSA (FIPS 204), SLH-DSA (FIPS 205) |
| Performance | Minimal. Hybrid ML-KEM over TLS 1.3 actually outperforms traditional TLS 1.2 setups. | May have impact. Certain short-lived connections and resource-constrained protocols may suffer from reduced performance due to the larger signature sizes. |
| IETF Standards | Good progress. Fully standardized for production TLS and IPsec deployments. | In progress. TLS certificates are nearing completion; many other protocols are just getting started. |
| Deployment | High adoption. Already protecting two-thirds of browser traffic heading to Cloudflare and numerous core product services. | Early stages. Restricted to initial Cloudflare pilots at this point. Widespread ecosystem adoption isn’t anticipated until 2027 or later. |
| EO Deadline | December 31, 2030 | December 31, 2031 |
| Threat Actor | Harvest-now-decrypt-later. Attackers capture encrypted traffic today with the intent to crack it once quantum capabilities arrive. | Active quantum attack. Threat actors forge trusted certificates or digitally sign malicious payloads in real time using a quantum computer. |
| Urgency Level | Immediate. Information intercepted today is compromised indefinitely. The shift needs to begin right away, particularly for organizations managing data that could hold value to adversaries within a 3-to-10-year window. | Q-Day target. Poses an active exploitation risk only once a working, operational quantum machine comes into existence. |
So where do these two technologies currently stand? Migrating to post-quantum authentication presents a greater challenge than transitioning to post-quantum encryption, for several reasons:

- Post-quantum ML-DSA digital signatures are substantially larger than their classical counterparts, which can affect the performance of certain systems—short-lived TLS connections, for example. That’s why efforts are underway with Google Chrome on Merkle Tree Certificates to address this performance bottleneck for TLS.
- The dependency chain for post-quantum authentication is considerably longer, demanding synchronized upgrades across clients, servers, certificate authorities, certificate transparency logs, root certificate stores, and web browsers.
- Ecosystem deployment remains limited at this stage: post-quantum authentication has seen significantly less adoption than the far more widespread post-quantum encryption.
Interestingly, the Executive Order establishes a one-year gap between the encryption and authentication deadlines. An additional year on the calendar is a narrow window, so these efforts cannot be tackled one after the other. The community needs to begin addressing both goals at the same time, or the 2031 target will be missed.
Cryptographic upgrades across the Internet can’t move forward without standards established by the Internet Engineering Task Force (IETF), which is actively working to adapt its protocols for post-quantum cryptography. The TLS space is further along, with the IETF PLANTS group making solid headway on post-quantum certificates for TLS. There’s still considerable ground to cover, and we’re eager to support the IETF in this work.
Supply chain pressure that helps everyone
The Executive Order also imposes obligations on federal contractors, which could end up being its most consequential provision.
Specifically, the FAR Council is required to issue proposed regulations mandating that “covered contractors” meet NIST FIPS standards incorporating PQC algorithms by December 31, 2030 (Sec. 6(c)). The FAR Council must also propose rules requiring contractors to adopt vulnerability disclosure programs that address cryptographic weaknesses (Sec. 6(d)). These proposed regulations must go through the notice-and-comment process, but the EO’s December 31, 2030 target date remains a key milestone. This deadline is one year ahead of when federal agencies themselves must finish their post-quantum authentication migration, ensuring that contractors are prepared before agencies reach their own deadlines.
Federal agencies can only move to PQC if the products they purchase already support it. To put this into action, CISA published its Product Categories for Technologies That Use Post-Quantum Cryptography Standards, clearly distinguishing between technologies where PQC is already “widely available” and those still “transitioning.” The “widely available” category covers cloud platforms (IaaS, PaaS), web browsers and servers, chat and messaging applications, and endpoint security solutions like full disk encryption. For these areas, CISA’s direction is straightforward: organizations should only acquire PQC-ready products. The “transitioning” category—where PQC isn’t yet broadly available—includes networking equipment (routers, firewalls, switches), identity and access management tools (HSMs, certificate authorities, identity providers), email servers and clients, and database systems.
By requiring contractors to deliver PQC-compliant products by 2030 and instructing agencies to immediately favor PQC-capable vendors in mature markets, the federal framework compels the vendor ecosystem to ship PQC-ready products on a defined schedule. Products built to meet federal requirements will ultimately be adopted by hospitals, banks, universities, and small businesses, broadening PQC availability across the board. Cloudflare is among the many vendors subject to these requirements, and since networking software and cloud services are already classified by CISA as widely available PQC categories, we’ve already rolled out post-quantum encryption across most of our offerings at no additional charge.
Critical infrastructure and PQ for everyone
The Executive Order also addresses critical infrastructure: energy, financial services, water, transportation, telecommunications, healthcare, and other systems whose disruption would have severe or far-reaching consequences for the nation. While the EO doesn’t impose a hard migration deadline for critical infrastructure operators, it directs specific federal agencies to “assist” these entities with their PQC migration strategies (Sec. 5(a)).
Although the EO concentrates primarily on federal agencies and critical infrastructure within the U.S., post-quantum cryptography matters to every connected person and organization. Harvest-now-decrypt-later attacks pose a real threat today. And once Q-Day arrives, the danger of unauthorized access by an adversary equipped with a quantum computer will affect organizations of every size. When we introduced free universal SSL in 2014, our CEO Matthew Prince stated:
Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web.
We hold the same conviction about post-quantum cryptography. That’s why every post-quantum enhancement we develop is available to all customers, on every plan, at no extra cost.
Opportunities for OMB’s implementation guidance
The Executive Order sets the overall direction, and now OMB has 90 days to deliver critical clarifications and operational guidance to ensure the most effective PQC migration across federal agencies (Sec. 4(b)). Drawing on lessons from our own PQC migration experience, here are several elements we recommend the guidance should address:
Clarify what it means to “transition.” The EO directs agencies to “transition” their systems to PQC, but it never defines what “transition” actually entails. Does it mean the system supports PQC algorithms? That it prefers them? Or that traditional cryptography has been completely turned off?
These represent very different security postures. A system that supports ML-KEM but still permits a classical-only TLS handshake remains susceptible to downgrade attacks. An attacker able to manipulate network traffic could push the connection back toward traditional key exchange. The system would have nominally “moved” to post-quantum cryptography, yet it would remain exposed to the very quantum attacks the policy aims to thwart.
History offers a valuable lesson. After the POODLE attack in 2014 led to SSLv3’s deprecation, many servers continued enabling it for backward compatibility, which let attackers downgrade connections and then exploit SSLv3’s flaws. It took years before the ecosystem actually disabled SSLv3. To avoid repeating this cycle, we need a precise definition of “finished” that explicitly includes turning off quantum-vulnerable cryptography so downgrade attacks become impossible.
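As an added illustration of the three readings of “transition” (editorial example code, not Cloudflare’s or the EO’s), the script below models TLS 1.3 key-exchange group selection and audits which server configurations still allow a handshake to end in a quantum-vulnerable key exchange. The hybrid group name X25519MLKEM768 comes from the text; the client profiles and the other group lists are assumptions.

```python
"""Classify a server's key-exchange configuration as supports-pq, prefers-pq
or pq-only, then check every accepted negotiation path for a classical outcome.

Model: TLS 1.3 servers pick the first group in *their* preference order that
the client also offered. From the server's side, a legacy client and a client
whose offer was stripped of PQ groups look identical, so the server
configuration alone decides the floor.
"""
from typing import Dict, List, Optional


def is_post_quantum(group: str) -> bool:
    """Hybrid and pure ML-KEM TLS groups carry 'MLKEM' in their registered name."""
    return "MLKEM" in group.upper()


def negotiate(server_prefs: List[str], client_offer: List[str]) -> Optional[str]:
    """Server-preference selection as in TLS 1.3; None means no common group."""
    for group in server_prefs:
        if group in client_offer:
            return group
    return None


def posture(server_prefs: List[str]) -> str:
    """Which reading of "transition" the configuration satisfies."""
    pq = [g for g in server_prefs if is_post_quantum(g)]
    if not pq:
        return "classical-only"
    if len(pq) == len(server_prefs):
        return "pq-only"        # classical key exchange turned off
    if is_post_quantum(server_prefs[0]):
        return "prefers-pq"     # PQ first, classical still accepted
    return "supports-pq"        # PQ present but not even preferred


def audit(server_prefs: List[str], client_offers: Dict[str, List[str]]) -> dict:
    """Run each client profile against the server and flag classical outcomes."""
    outcomes = {}
    for name, offer in client_offers.items():
        chosen = negotiate(server_prefs, offer)
        if chosen is None:
            outcomes[name] = "handshake refused"
        elif is_post_quantum(chosen):
            outcomes[name] = f"pq: {chosen}"
        else:
            outcomes[name] = f"QUANTUM-VULNERABLE: {chosen}"
    downgradeable = any(v.startswith("QUANTUM-VULNERABLE") for v in outcomes.values())
    return {"posture": posture(server_prefs), "downgradeable": downgradeable,
            "outcomes": outcomes}


# Constructed client profiles (assumed, not measured). The second one stands in
# for both a legacy client and an offer stripped of PQ groups in transit.
CLIENT_PROFILES = {
    "modern-browser": ["X25519MLKEM768", "x25519", "secp256r1"],
    "classical-only-offer": ["x25519", "secp256r1"],
}

# Three server configurations that all "have" ML-KEM in some sense.
SUPPORTS = ["x25519", "X25519MLKEM768", "secp256r1"]
PREFERS = ["X25519MLKEM768", "x25519", "secp256r1"]
PQ_ONLY = ["X25519MLKEM768"]

if __name__ == "__main__":
    for label, prefs in (("supports", SUPPORTS), ("prefers", PREFERS), ("pq-only", PQ_ONLY)):
        print(label, audit(prefs, CLIENT_PROFILES))
```

Only the pq-only configuration reports `downgradeable: False`; the supports-pq server even negotiates x25519 with a modern browser because it lists the classical group first.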
Crypto agility: Crypto agility refers to the capacity to switch out cryptographic algorithms without overhauling your entire infrastructure. The Executive Order requires adopting specific NIST cryptographic standards, yet it says nothing about engineering systems that can readily swap algorithms when future needs arise. Crypto agility doesn’t mean supporting every algorithm simultaneously. It means designing systems so that, when the community settles on a superior algorithm down the line, upgrading amounts to a configuration change rather than a full rebuild. The OMB should incorporate this principle into its guidance.
CBOM or quantum impact inventory? The Executive Order instructs CISA and NIST to issue guidance on the minimum components of a cryptographic bill of materials (CBOM) within 270 days (Sec. 5(d)). A CBOM catalogs the cryptographic algorithms, protocols, and implementations present in a given hardware or software product, much like a software bill of materials (SBOM).
In principle, CBOMs are sound. In practice, however, we would warn against treating exhaustive cryptographic inventories as a prerequisite for action. A thorough CBOM covering every algorithm in every library across every product demands significant time to compile; federal agencies may need an entire procurement cycle of discovery tools and consulting, and by the time the inventory is finished it may already be outdated. Moreover, a CBOM does not capture systems that ought to be using cryptography but aren’t. And a CBOM enumerates keys without context about their purpose, which limits its usefulness for organizations trying to gauge the risk tied to a quantum-vulnerable key.
We believe a quantum impact inventory is a more practical framing. What would happen if the system or its data were compromised? How probable is that scenario? What steps could reduce the risk—whether a drop-in replacement, a software patch, or a compensating control such as routing traffic over a bulk post-quantum connection or isolating it from the Internet? How practical is each option, and what dependency chain does it introduce? Pinpointing these factors reveals where to focus first. You can always flesh out a comprehensive CBOM over time if it suits your organization, but the priority should be discovering your most exposed and consequential systems.
Making post-quantum cryptography affordable to all. Genuine national resilience falls apart if post-quantum cryptography is treated as a premium add-on rather than a universal floor. OMB policy must push back against vendor lock-in or paywalls that leave underfunded critical infrastructure behind or pile on technical debt across federal agencies.
What to do now: don’t wait for 2030
You don’t need to hold off until 2030 or until you’ve compiled a full cryptographic inventory before starting your migration. History demonstrates that updating cryptography is difficult and can take a long time; other organizations should begin planning their migrations now as well. So while we await OMB guidance for federal agencies, here is what we recommend for all organizations:
Protect your Internet traffic now. Begin with traffic that traverses the public Internet, since that is the easiest for adversaries to harvest today and carries the most immediate risk. If your web traffic passes through Cloudflare, your connections are largely shielded with post-quantum encryption. If your enterprise network runs on Cloudflare One, your private network traffic is covered as well. If your provider does not yet support post-quantum encryption, move to one that does. Even if individual applications inside your network haven’t been upgraded yet, start routing your traffic through post-quantum encrypted infrastructure to protect it in bulk, even before every system has been catalogued and updated.
Update procurement. Make “post-quantum encryption enabled by default, at no extra cost, with a clear roadmap for post-quantum authentication and crypto agility” a mandatory requirement in every technology purchase. If a vendor charges a premium for post-quantum security or lacks a roadmap or plan, demand an explanation or look for a different vendor.
Quantum impact inventory. For traffic that remains within your private network perimeter and never touches the public Internet, the harvest-now-decrypt-later risk is lower because an adversary would need access to your network to intercept it. Still, you need to understand what cryptography your internal systems rely on so you can chart your migration path. Use a quantum impact inventory as a tool to prioritize your efforts—for instance, zeroing in on systems or connections that handle sensitive data or face the public Internet.
Plan for authentication now. The 2031 deadline for post-quantum authentication will arrive sooner than expected. Start pinpointing your long-lived keys, root certificates, and code-signing infrastructure. These represent the highest-priority targets for a quantum attacker and carry the longest dependency chains to upgrade. Now is an excellent time to refresh your software libraries and automate certificate provisioning even if post-quantum certificates aren’t yet available in your ecosystem. And confirm that your vendors are preparing to meet the approaching post-quantum authentication deadline.
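The quantum impact inventory described above and in the OMB section, worked as an added example (editorial code, not Cloudflare tooling): each system is assessed on impact, harvest-now-decrypt-later exposure, authentication exposure and the applicable mitigation, then ranked. The Q-Day year, the scoring weights and the sample systems are assumptions; the 2030/2031 deadlines are the EO’s.

```python
"""Quantum impact inventory: rank systems by what a compromise would cost,
how exposed they are, and which mitigation applies (drop-in ML-KEM, a bulk
PQ tunnel as a compensating control, or planned key rotation)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Q_DAY_ASSUMED = 2031   # assumption: a CRQC around the EO's authentication deadline
KEX_DEADLINE, SIG_DEADLINE = 2030, 2031   # EO deadlines: key establishment, signatures


@dataclass
class System:
    name: str
    impact: int                     # 1 (low) .. 3 (catastrophic), FIPS 199 style
    public_internet: bool           # traffic traverses the public Internet
    data_sensitive_until: int       # year after which disclosure no longer matters
    pq_key_agreement: bool          # hybrid ML-KEM already negotiated end to end
    pq_tunnel_available: bool       # can be routed over a bulk PQ-encrypted connection
    signing_key_valid_until: Optional[int] = None   # CAs, code signing, long-lived keys
    pq_signatures: bool = False


def hndl_exposure(s: System) -> str:
    """Harvest-now-decrypt-later only matters if data is still sensitive after Q-Day."""
    if s.pq_key_agreement or s.data_sensitive_until <= Q_DAY_ASSUMED:
        return "none"
    return "high" if s.public_internet else "low"   # internal capture needs network access


def auth_exposure(s: System) -> str:
    """Forgery risk starts at Q-Day; classical keys still valid past it are exposed."""
    if s.signing_key_valid_until is None or s.pq_signatures:
        return "none"
    return "high" if s.signing_key_valid_until > Q_DAY_ASSUMED else "none"


def recommend(s: System) -> str:
    h, a = hndl_exposure(s), auth_exposure(s)
    if h == "high":
        return ("route over bulk PQ tunnel now, then upgrade the application"
                if s.pq_tunnel_available
                else f"upgrade key agreement to ML-KEM before {KEX_DEADLINE}")
    if a == "high":
        return f"plan PQ signature migration and key rotation before {SIG_DEADLINE}"
    if h == "low":
        return f"schedule internal key-agreement upgrade before {KEX_DEADLINE}"
    return "no quantum-specific action"


def score(s: System) -> int:
    weight = {"none": 0, "low": 1, "high": 2}   # assumed weights
    return s.impact * max(weight[hndl_exposure(s)], weight[auth_exposure(s)])


def prioritize(systems: List[System]) -> List[Tuple[str, int, str]]:
    """Highest score first; ties broken by name so the order is stable."""
    ranked = sorted(systems, key=lambda s: (-score(s), s.name))
    return [(s.name, score(s), recommend(s)) for s in ranked]


# Constructed sample inventory (illustrative only).
INVENTORY = [
    System("citizen-records-portal", 3, True, 2060, False, True),
    System("internal-hr-db", 2, False, 2045, False, False),
    System("public-status-page", 1, True, 2026, False, True),
    System("code-signing-ca", 3, False, 2028, False, False, signing_key_valid_until=2040),
    System("edge-api-behind-pq-cdn", 2, True, 2050, True, True),
]

if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(row)
```

Note that the code-signing CA ranks alongside the public portal even though its own traffic carries no harvest-now-decrypt-later risk: its key outlives Q-Day, which is the authentication-track case the text asks you to find early.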
Aligning policy and international standards
At the same time, work should begin now on harmonizing global government policy with international standards. We were encouraged to see that Section 5(b) directs the State Department to engage foreign governments and industry groups to promote adoption of NIST-standardized PQC algorithms.
Here’s why this matters. Cryptographic migrations cannot happen in isolation, with each country operating behind its own borders. A TLS connection between a person in the U.S. and a server abroad only functions if both ends negotiate the same cryptography. NIST has been running open international
For many years, open cryptographic contests have shaped the security underpinnings of the Internet. The AES process (1997–2001) gave the world the block cipher that remains the workhorse of online encryption today, one created by Belgian researchers. The SHA-3 effort (2007–2012) delivered the most recent hashing standard, chosen from a design by a Belgian-Italian group. The Post-Quantum Cryptography competition (2016–2024) followed the same transparent approach: open submissions, public scrutiny, and winning schemes crafted by global teams. ML-KEM, the key-establishment mechanism now being rolled out across the Internet, was developed largely by European experts. These are algorithms that have been examined by the worldwide research community. NIST ran the competitions, but the outcomes are shared assets of the entire field of cryptography.
The danger now is a splintered landscape. When separate regions require different algorithms, the result is cryptographic bloat and a wider attack surface: more code to write, test, and audit, more opportunities for downgrade attacks, and slower rollout for everyone. We witnessed this directly in IPsec, where the absence of a common standard caused vendors to ship proprietary post-quantum key agreement schemes that could not talk to one another, setting migration back by years. The TLS community took the opposite path, rallying around a single hybrid key agreement (X25519MLKEM768), and adoption moved swiftly.
We hold NIST in high regard, particularly its role in evaluating standards on a global scale and harmonizing cryptography around the world. We urge the Trump Administration to collaborate with Congress to make sure NIST has the funding, personnel, and infrastructure needed to deliver on current and future mandates in this executive order and others, such as America’s AI Action Plan.
We would welcome leadership from the State Department in driving genuine alignment: the same NIST algorithms adopted across allied nations, synchronized timelines, and mutual recognition of cryptographic algorithms and modules. The Internet is a single network, and its cryptography should follow one standard.
Lastly, the executive order instructs NIST to overhaul the processes of the Cryptographic Module Validation Program (CMVP) so that validations of cryptographic modules happen faster (Sec. 6(b)). Having dealt with the CMVP process for years, we are thrilled to see this included.
CMVP serves an important purpose. Federal agencies and their contractors need assurance that the cryptography inside a product behaves as advertised: that AES is implemented correctly or that random number generators provide sufficient entropy. CMVP has been calibrated for an era where cryptographic algorithms changed infrequently.
Looking ahead, CMVP must be adapted to the realities of the coming migration. We applaud the FedRAMP update stream that permits the use of updated modules right away, ahead of final validation. This enables quicker adoption of post-quantum cryptography and the fixing of implementation flaws that slipped through validation. Comparable flexibilities for CMVP are vital.
Go forth and PQ all the things
This post-quantum executive order represents a significant step. It establishes concrete deadlines and generates supply chain momentum that will speed adoption throughout the industry.
For organizations beginning their own migration, we recommend starting by protecting your public-facing Internet traffic and updating your procurement requirements, then conducting a quantum impact inventory to identify where to focus next. Don’t let the inventory process delay you from deploying post-quantum encryption on your most critical systems right away.
Cryptographic deployment across the Internet relies on standards shaped by the IETF. The TLS community is further along, but considerable work remains across other protocol communities, and we look forward to supporting those efforts.
Let us go forth and PQ all the things, swiftly and together. Free TLS helped encrypt the web. Free post-quantum cryptography will help keep it safe for whatever comes next.
You can begin right now on Cloudflare by visiting our PQC page.