On June 22, 2026, President Trump signed Executive Order 14409 , "Securing the Nation Against Advanced Cryptographic Attacks." The order sets a December 31, 2030, deadline for federal agencies to transition their most sensitive systems to post-quantum encryption , and a December 31, 2031, deadline for post-quantum authentication . The EO also directs federal contractors to comply with post-quantum Federal Information Processing Standards ( FIPS ) by the end of 2030.
We welcome this executive order. The U. S.
government has a long track record of using federal leadership and procurement to drive adoption of new technologies across the broader industry. We've seen this work with IPv6 , with routing security and the Resource Public Key Infrastructure ( RPKI ), and with DNSSEC , and we’re glad to see this tradition continue with post-quantum cryptography. The EO is especially important at this moment because the timeline for Q-Day , the day that quantum computers can break the public-key cryptography used across the Internet, has been accelerated.
In April 2026, Cloudflare moved our own target for full post-quantum security to 2029 , following research breakthroughs from Google and Oratomic . This EO updates guidance from 2024, when the National Institute of Standards and Technology (NIST) stated that the classical public key cryptography used across the Internet (namely RSA and Elliptic Curve Cryptography, which can be broken once powerful quantum computers become available) should be deprecated by 2030 and disallowed by 2035.
The Internet’s transition to post-quantum encryption is well underway, while the transition to post-quantum authentication has only just begun. Today, over two-thirds of browser traffic to Cloudflare's network is protected with post-quantum encryption, and most of our products support post-quantum key agreement. Our SASE platform, Cloudflare One , provides post-quantum encryption across all major on-ramps and off-ramps, including TLS , MASQUE , and IPsec .
We've recently started deploying post-quantum authentication and aim to be fully post-quantum secure by 2029. The EO is an excellent foundation and builds on work from the previous two Administrations. We've been doing the work the EO is asking federal agencies to do since 2019 , we have some thoughts on what the order gets right, we see opportunities for the Office of Management and Budget (OMB) to strengthen and facilitate cost-effective agency migration, and we provide a roadmap for how organizations and agencies can advance their transition most effectively.
The EO’s requirements for federal systems The bulk of the EO's binding requirements are aimed at two categories of federal systems: High Value Assets (HVAs) and high impact systems. HVAs are federal information or systems designated by OMB as the government's crown jewels: systems whose compromise would significantly affect national security, foreign relations, or public confidence.
These include databases that hold millions of federal employee records, systems that process classified intelligence, or platforms that manage federal financial transactions. Meanwhile, high impact systems are those where confidentiality, integrity, or availability is rated "high" under FIPS 199 , meaning a breach could cause severe harm including loss of life, major financial damage, or significant degradation of an agency's ability to carry out its mission.
The EO has the power to bind federal agencies, but not other organizations (i. e. , critical infrastructure, state, local, tribal and territorial governments, academia, civil society).
That’s why the EO only gives these deadlines to federal agencies: Date Requirement July 2026 Each federal agency head identifies a PQC migration lead and provides their name and contact details to OMB and the National Cyber Director. September 2026 OMB issues guidance requiring each agency to: (1) review their inventory of HVAs and high impact systems; (2) plan for PQC migration; and (3) submit that plan to OMB and the National Cyber Director.
December 2030 All HVAs and high impact systems must be transitioned to PQC for key establishment. December 2031 All HVAs and high impact systems must be transitioned to PQC for digital signatures. National Security Systems are explicitly excluded from these deadlines.
They are on a separate, classified track managed by the NSA with deadlines between 2030 and 2033 already set in 2022 . Two migrations: encryption and authentication. Both should begin now.
The EO splits the PQC migration into two phases: post-quantum key establishment (encryption) by 2030, and post-quantum digital signatures and certificates (authentication) by 2031. This accurately reflects the availability of post-quantum encryption across the Internet today. Our own deadline for full post-quantum readiness (including authentication) is 2029, but we are amongst the earliest adopters in the industry.
We are also happy to see the EO focusing on NIST-standardized post-quantum cryptographic algorithms and not Quantum Key Distribution (QKD), since QKD does not operate at Internet scale due to its need for specialized hardware and dedicated physical links between sender and receiver. Now let’s have a deeper look at the two migrations called for and required in the EO: post-quantum encryption and post-quantum authentication.
Post-quantum encryption is needed today to stop harvest-now-decrypt-later attacks , where an adversary collects encrypted traffic today and decrypts it later once quantum computers are powerful enough. Post-quantum encryption is especially valuable for organizations handling data that will still have value to adversaries 3-10 years from now, like government agencies, banks, healthcare organizations, defense contractors, and telecom providers.
Originally published at blog.cloudflare.com
