The Broadside · News

Trump PQC order compresses contractor deadline to 2030

The operative problem is procurement: vendors now need measurable crypto migration plans before FAR clauses make quantum readiness a bid gate.


TL;DR

President Trump’s executive order requires agencies to move high-value assets and high-impact systems to post-quantum cryptographic keys by Dec. 31, 2030, with PQC digital signatures due by the end of 2031, Federal News Network reports. The Federal Acquisition Regulatory Council must develop rules requiring contractor compliance by Dec. 31, 2030. Primes, subcontractors and C3PAOs now have a procurement problem, not a research horizon: the Biden-era planning target was 2035.


Federal News Network reports that President Trump’s new post-quantum cryptography order turns a long federal migration into a dated mandate. Agencies must name lead PQC transition officials within 30 days, move high-value assets and high-impact systems to post-quantum cryptographic keys by Dec. 31, 2030, and move to PQC digital signatures by the end of 2031. The Office of Management and Budget is due to issue implementing guidance within 90 days.

The contractor hook is the Federal Acquisition Regulatory Council. The order directs the FAR Council to develop rules requiring contractors to comply with PQC requirements by Dec. 31, 2030. That is where the story stops being a CIO planning exercise and starts becoming a bid-readiness issue for primes, suppliers, cloud providers, managed service shops and assessment organizations that will have to explain what their systems, products and supply chains actually support.

There is a legitimate policy reason for the compression. NIST finalized the first post-quantum encryption standards in 2024, and federal agencies have been inventorying sensitive cryptographic assets for several years. CISA has also told agencies that, where PQC-capable product categories are widely available, organizations should plan acquisitions to buy only PQC-capable products from those categories, according to its product-category guidance (https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards). The risk is not theatrical: adversaries can steal encrypted data now and wait for quantum capability later.

The hard part is not naming the risk. It is finding the money, the definitions and the dependency map. Federal News Network reports that OMB previously estimated the governmentwide PQC transition at roughly $7.1 billion over 10 years, and that most agencies have not budgeted for the work. OMB’s 90-day guidance will have to decide what counts as a high-value asset or high-impact system for this purpose. Contractors should not wait for that answer to start inventorying public-key cryptography, long-lived sensitive data and vendor dependencies. By 2030, a missing roadmap may read less like immaturity and more like noncompliance.


Published · Deep Fathom