Draft EO sets 2030-2031 federal PQC migration deadlines for agencies and contractors

The draft order, described to NextGov/FCW by a person familiar with its development, would give OMB authority to issue compliance guidance and audit requirements against two hard dates. Agencies must complete PQC key establishment migration (the process of generating and exchanging cryptographic keys) by Dec. 31, 2030, and must transition digital signatures on high-impact systems and high-value assets by Dec. 31, 2031. National security systems are excluded from the mandatory deadlines, consistent with NSA's separate 2035 target established in a December 2024 FAQ.

Why this is different from 2022

The NSA issued quantum-resistant algorithm requirements for national security systems in 2022, recommending a 2030 migration target for software signing, firmware, and networking equipment. That guidance carried no enforcement mechanism. The draft EO would be the first federal instrument to attach compliance consequences to PQC migration for civilian agencies and their contractors. Per the source, the document is expected to publish this week.

What contractors need to watch

The "covered contractors" definition is the operative unknown. If the final order follows recent CMMC and DFARS precedent, coverage will likely extend below the prime layer, but the source did not confirm whether a contract-value threshold or a data-sensitivity trigger governs inclusion. Primes and their subs should assume coverage until OMB's implementing guidance narrows the scope.

The compliance audit framework is equally unresolved. NIST finalized its first three PQC standards in August 2024 (FIPS 203, 204, and 205). Those standards exist; the question is how agencies will verify contractor implementation against them. CMMC's third-party assessment model via C3PAOs is one available template, but the draft order does not, per the source, specify an assessment path.

What practitioners should do now

The 2030 deadline for key establishment is roughly 42 months out. That sounds long; cryptographic migration at enterprise scale rarely is. Contractors holding federal contracts should begin now with a cryptographic inventory: catalog every system using RSA, elliptic-curve Diffie-Hellman (ECDH), or legacy key exchange, and map each to the contract and data classification it supports. NIST SP 800-171 Rev. 3, finalized in 2024, already references the need to plan for algorithm agility under control 3.13.10. The draft EO, if signed as described, converts that planning requirement into a dated obligation.

The digital signature deadline (Dec. 31, 2031) gives contractors and agencies a one-year buffer after the key establishment cutover. That sequencing is deliberate: key establishment is the higher-priority exposure vector for "harvest now, decrypt later" attacks, where adversaries are already collecting encrypted federal traffic on the assumption that a cryptographically-relevant quantum computer will eventually exist to break it.

The draft order is separate from a February quantum EO draft that focused on U.S. quantum computing leadership and National Quantum Strategy updates. The PQC migration effort and the broader quantum competitiveness agenda appear to be proceeding on parallel tracks under distinct executive actions.