EO 14409 sets 2030 contractor deadline for post-quantum FIPS
The advisory phase is over, and OMB now has to turn crypto inventory work into procurement evidence.
TL;DR
Executive Order 14409, signed June 22, 2026, gives agencies until Dec. 31, 2030, to move their most sensitive systems to post-quantum cryptography for encryption and until Dec. 31, 2031, for authentication. Federal contractors must meet post-quantum Federal Information Processing Standards by the end of 2030 or risk procurement ineligibility. The hard part is the evidence: the Office of Management and Budget still has to say how compliance gets verified.
Cloudflare has an obvious reason to like Executive Order (EO) 14409: it sells post-quantum-capable network services and uses the blog post to say it has been doing the work since 2019. The policy move President Trump signed on June 22, 2026, is still real. EO 14409 is the first binding post-quantum mandate that reaches federal contractors, and its deadlines now sit where procurement teams can see them.
The binding track starts inside government. Agencies have until December 31, 2030, to transition their most sensitive systems to post-quantum encryption and until December 31, 2031, to move authentication. Cloudflare says the order’s federal system requirements focus on High Value Assets and high impact systems, with National Security Systems on a separate NSA track. Contractors get the sharper procurement sentence: comply with post-quantum Federal Information Processing Standards (FIPS) by the end of 2030 or risk being unable to sell into federal work.
The near-term work is less cinematic. In July 2026, agency heads must identify a post-quantum cryptography (PQC) migration lead for the Office of Management and Budget and the National Cyber Director. In September 2026, OMB is expected to issue guidance requiring agencies to review their inventories, plan migration, and submit those plans. CISA had already told organizations to procure only PQC-capable products in categories where such products are widely available (https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards). EO 14409 adds a clock.
The practical split matters. Encryption addresses harvest-now-decrypt-later risk, where traffic captured today becomes useful after a cryptographically relevant quantum computer exists. Authentication addresses live impersonation, including forged certificates and malicious code signatures. Cloudflare is right to separate them, and its own product claims should not distract from the federal contracting problem: no one has yet explained how OMB will verify contractor compliance across inventories, suppliers, and certificates. The deadline is 2030. The evidence work starts now.
Published ·Deep Fathom