The executive order “Securing the Nation against Advanced Cryptographic Attacks,” signed Monday, sets December 31, 2030 as the deadline for “high-value assets” and FIPS 199 high-impact systems to shift to post-quantum key establishment, with digital signatures required quantum-safe by December 31, 2031.
I read the EO this week. The gap between old and new is four to five years. NSM-10, signed in May 2022, set 2035 as the transition target for most organizations. NSA’s CNSA 2.0 advisory from September 2022 gave National Security Systems until 2030-2033. This EO collapses both windows to a single hard date for any system carrying FIPS 199 high-impact ratings.
The acceleration isn’t arbitrary. Recent research found the cost of building a cryptographically relevant quantum computer is far lower than the 2022 consensus. The EO cites “harvest now, decrypt later” attacks: adversaries collecting today’s encrypted government data to decrypt once large-scale quantum computers arrive. Google and Cloudflare already moved internal timelines to 2029. Brian LaMacchia, who led Microsoft’s post-quantum transition from 2015 to 2022 and now consults at Farcaster Consulting Group, called the new government deadline “a significant shortening” that mirrors recent private-sector revisions.
The contractor exposure is coming fast. The EO directs the FAR Council to publish a proposed compliance rule within 180 days, potentially before year-end 2026. Any vendor on a federal program touching HVAs should check now whether their crypto stack supports NIST FIPS 203, 204, and 205, because “we are assessing the root cause” won’t hold once that rule publishes.
Worth reviewing your crypto inventory before that FAR comment window opens.
Rebecca Lauren