The Broadside · News

Trump orders agencies into post-quantum cryptography transition

The mandate turns years of NIST migration planning into procurement pressure, while leaving agencies to find the deadlines and money.


TL;DR

Trump’s executive order directs federal agencies to move toward post-quantum cryptography for classified and sensitive data, shifting PQC from NIST guidance into binding executive policy. Primes, contractors, managed service providers and agencies now face inventory, testing and replacement work across cryptographic products. The order’s weak spot is familiar: it starts the migration without specifying implementation deadlines, funding or enforcement for missed milestones.


The order is less a surprise than a change in legal temperature. Federal agencies have been told for years to inventory vulnerable public-key cryptography and plan for a post-quantum replacement cycle. Trump’s executive order makes that direction harder to treat as a research project, especially for contractors and managed service providers whose products, services and hosted environments sit inside federal systems.

The practical work starts with inventory, not algorithm shopping. Agencies and their suppliers need to know where public-key cryptography appears in identity systems, VPNs, certificates, code signing, messaging, storage, hardware security modules and managed platforms before they can replace anything safely. CISA’s later product-category guidance, issued pursuant to Executive Order 14306, says organizations should plan acquisitions in listed categories around PQC-capable products where those products are widely available, a procurement signal as much as a cryptography signal: https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards.

The open question is the part that matters to contracting officers and CISOs: the order does not, on the supplied record, say who pays, when each class of system must move, or what happens to an agency or contractor that misses a milestone. That is where federal cyber mandates usually become real. Until deadlines and contract language arrive, the Monday task is preparation: build the cryptographic asset inventory, map vendor dependencies, test PQC-capable replacements and stop buying products that will have to be ripped out in the next cycle.


Published · Deep Fathom