U.S. government agencies must be prepared to withstand the cyber threats posed by quantum computers by 2031. This also applies to U.S. government contractors. Through an executive order, the administration has stated that previously set deadlines need to be moved up by about four to five years.
The order requires every federal agency to designate a so-called “PQC migration lead” within 30 days: an employee who reports directly to the Chief Information Officer and is responsible for the entire migration process.
Quantum computers do not need to be operational yet to cause damage. Adversaries can intercept encrypted government communications now and decrypt them later once the technology is advanced enough—the so-called “harvest now, decrypt later” approach. Cloudflare warned back in April that the point at which quantum computers can break existing encryption is approaching faster than previously thought. Based on its Majorana 2 chip, Microsoft expects to be able to build a scalable quantum computer by 2029. That is half the time originally projected.
Strict deadlines through 2031
In substance, the executive order sets out a clear timeline. All federal high-value assets and high-impact systems must use PQC to generate security keys by December 31, 2030. Digital signatures within those same systems must be migrated by December 31, 2031, at the latest. NIST has 180 days to launch a pilot project for PQC migration within its own systems, to be completed by the end of 2027. The NIST standards FIPS 203, 204, and 205—which were adopted in 2024 as the first official post-quantum algorithms—form the basis for this.
It is no coincidence that the 2030 deadline aligns with the EU roadmap, which requires critical infrastructure to complete the transition to quantum-resistant encryption by 2030 at the latest. Tests are already underway worldwide. In Rotterdam, for example, a consortium comprising Cisco, Eurofiber, and others is working on a field lab to test this transition in practice for ports, energy grids, and government services.
Suppliers and international scope
As mentioned, the executive order is not limited to the U.S. government itself. The Federal Acquisition Regulatory Council must publish a proposal within 180 days to require government suppliers to comply with NIST’s FIPS standards, including PQC, by the end of 2030 at the latest. Furthermore, a cryptographic bill of materials must be established within 270 days, enabling the cryptographic status of hardware and software to be automatically assessed. Suppliers must also expand their vulnerability disclosure programs to include the reporting of cryptographic vulnerabilities.
Internationally, the U.S. aims to encourage allies and industry in key countries to adopt the NIST algorithms. The State Department will play a coordinating role in this effort.
Mature enough?
The question is whether this acceleration will actually have the desired effect. Two years ago, NIST approved three PQC standards. Two years before that, in 2022, there were still four candidates. SIKE, the one that was eliminated, was cracked by two Belgian researchers at KU Leuven within 62 minutes. This was, of course, well before quantum computers were even considered as potential super-crackers. Once they are operational—and it appears that the industry is moving that date forward—the other PQC standards can truly be put to the test.