Quantum computing will eventually break the public-key cryptography that secures most internet traffic today. The first international standards for post-quantum cryptography were approved in 2024, and well-resourced cyber criminals and nation states are already capturing encrypted data, expecting to use quantum computing to decrypt it later. The transition to quantum-resilient systems is now an operational planning problem rather than a theoretical one.
Every transaction on the modern internet (such as a bank login, online purchase, or private message) depends on encryption. Before data leaves your device, it is mathematically scrambled in a way that only the intended recipient can reverse. This process is what makes the internet safe to use at scale. The security of ‘scrambling’ rests on a specific class of math problems that are, in practice, irreversible. Cracking the encryption protecting a typical secure connection would require more computational time than the age of the universe. For thirty years, this has been a reliable foundation.
A quantum computer is not simply a faster version of existing hardware. It operates on fundamentally different physical principles, using quantum mechanical effects to evaluate many possible solutions simultaneously. For most computing tasks this confers no advantage. For the specific mathematical problems that underpin modern encryption, however, the advantage is decisive. In 1994, mathematician Peter Shor demonstrated that a sufficiently large quantum computer could factor the numbers encryption relies on in hours rather than millennia, rendering today's key exchanges insecure.
The risk is often misunderstood as a challenge for the future. Encrypted data can be intercepted, stored at low cost, and decrypted retroactively once the necessary capability exists. A well-resourced adversary does not need a working quantum computer to begin accumulating value from this approach. It needs only the patience to archive traffic now and the expectation that the capability will arrive within a relevant time horizon. Any information transmitted today that must remain confidential into the 2030s is therefore already exposed in a meaningful sense. That category is not narrow: it encompasses medical and financial records, legal communications, intellectual property, and sensitive government data.
New cryptographic standards exist that are resistant to quantum attack, and standards bodies have been finalizing them in recent years. Organizations that delay migration until a quantum computer demonstrably breaks encryption will have already lost the window to protect data currently in circulation. The exposure is accumulating now, which is why governments and large enterprises have begun planning, migrating and securing their information today.
Most quantum-readiness guidance is framed for an enterprise securing its own records. A communications provider's exposure differs along three dimensions. Two of them, notably the provider's position in the path of third-party traffic, and the structural constraints of its physical network, fall outside the data-inventory model that most guidance assumes, and are correspondingly under-represented in conventional migration planning.
The bulk interception this report describes takes place on infrastructure that operators own and run: internet exchange points, submarine and terrestrial backbone, and aggregation points within the access network. An enterprise secures its own data; a carrier additionally operates the medium through which third-party traffic is exposed to collection.
Traffic transiting the network carries confidentiality requirements that the operator neither defines nor observes. The shelf-life assessment an enterprise applies to its own files, a carrier applies implicitly across its subscriber base and the downstream organisations whose communications cross its network.
Telecommunications networks rely on extensive fleets of embedded equipment (e.g., optical transport, routing, and customer-premises devices) with replacement cycles measured in a decade or more and cryptography frequently fixed in hardware. The crypto-agility constraint identified in this report is most pronounced in this class of asset.
A regulatory dimension applies that does not bear on an ordinary enterprise. Communications is a designated critical-infrastructure sector. NSM-10 directs CISA to engage critical-infrastructure operators on quantum readiness, and CISA's Post-Quantum Cryptography Initiative is mandated to support network owners and operators directly. Federal migration deadlines do not bind private carriers, but they establish the vendor roadmaps, procurement expectations, and reference timelines against which operators are assessed. The operative question for an operator is therefore not whether the transition applies, but when external expectations will arrive, and whether the procurement leverage a large network holds over its suppliers is exercised while the timeline remains favourable.
The destabilisation of today’s encryption would alter all activities across cyberspace. Quantum technology will impact the day-to-day use of the internet in equal measure to the sensitive data of state and corporate actors.
Two distinct approaches exist for defending against quantum attack. Post-Quantum Cryptography replaces vulnerable algorithms with new mathematical problems believed to be quantum-resistant; it runs on existing hardware and is the path the broader internet is taking. Quantum Key Distribution uses the physical properties of light to detect eavesdropping, but requires dedicated optical infrastructure and cannot scale beyond point-to-point links. For most organisations, PQC is the primary migration path; QKD remains a specialist tool for high-value, fixed links.
"A bank vault heist where the thief takes the safe in 2026 and opens it in 2034. The defender's window to act is during the manufacture of the safe, not during the heist."
U.S. Cybersecurity and Infrastructure Security Agency (CISA)
A quantum-driven cyberattack does not unfold like a typical breach. The five phases below trace the attack from initial targeting through eventual exploitation.
Sources: NSA Cybersecurity Advisory U/OO/194427-21 (August 2021); CISA, "Quantum-Readiness: Migration to Post-Quantum Cryptography" (August 2023); ENISA, "Post-Quantum Cryptography: Current State and Quantum Mitigation" (May 2021); Mosca (2018).
Migration planning requires understanding not just what needs to change, but when. The risk is frequently treated as a future problem, one to address once a quantum computer demonstrably arrives. That framing misidentifies the timeline: the risk to long-lived encrypted data has been accumulating since interception of that data began.
Cryptographer Michele Mosca formalised a test for migration urgency. Take the period over which data must remain confidential (its shelf life) and add the time required to migrate the systems that protect it. If that sum exceeds the estimated quantum horizon, the data is already at risk, regardless of when a quantum computer actually arrives.
The arithmetic resolves against most large organisations. Medical records, legal correspondence, intellectual property, and government communications routinely carry confidentiality requirements of fifteen years or more. Migration programmes at organisations with mature cryptographic inventories still require five to eight years from start to completion. Adding those two figures produces a combined window that exceeds even optimistic estimates of the quantum horizon.
For organisations carrying long-lived sensitive data, migration planning is already a present obligation. The window to protect data currently in transit is bounded by the quantum horizon, and for some asset classes it is narrowing. The inequality below provides a framework for assessing that exposure.
For any system protecting data with a confidentiality requirement past 2035, this inequality resolves against organisations that have not yet begun migration planning.
If the shelf life of your data plus migration time exceeds the quantum horizon, that data is already exposed, regardless of when a working quantum computer arrives.
The verdict. For any data with a confidentiality requirement beyond about a decade, including medical records, legal files, intellectual property, and government communications, shelf life plus migration time already exceeds the quantum horizon. That data is at risk today, regardless of when a working quantum computer actually arrives.
Adapted from Mosca, M. (2018), "Cybersecurity in an Era with Quantum Computers: Will We Be Ready?", IEEE Security & Privacy.
The three patterns and migration sequence below describe what a serious quantum-resilience programme looks like in practice. The work is multifaceted: a complete cryptographic inventory, disciplined vendor engagement, hybrid deployments where possible, and a phased plan that respects each asset's data lifecycle.
Production rollouts combine a classical key-exchange algorithm with a post-quantum equivalent so that the resulting session is secure as long as either underlying scheme holds. Hybridisation hedges against two distinct risks: undiscovered classical attacks on a recently standardised post-quantum scheme, and faster-than-expected progress on quantum hardware.
Organisations with mature key management and a current cryptographic inventory can swap algorithms in weeks. Organisations that do not know which systems use which cryptography cannot meaningfully begin. Both NIST and the U.S. National Cybersecurity Center of Excellence sequence inventory as the prerequisite step.
Few organisations write their own cryptographic libraries, operating systems, or device firmware. The practical task is to require credible PQC roadmaps from vendors and align procurement and refresh cycles with those roadmaps.
The deployments below are running in production today, each pairing a classical algorithm with a post-quantum one in hybrid mode.
The administration has issued two executive orders redefining federal engagement on quantum migration. Executive Order 14412, signed June 22, 2026, carves out new agency migration mandates and directs CISA to extend such obligations to federal contractors. While obligations have yet to be formalized by directed agencies, the orders establish the development of future vendor roadmaps, procurement expectations, and reference timelines against which network operators are to be assessed.
EO 14412 demonstrates that the U.S. Government recognizes the quantum threat and the work that must be done to migrate to quantum-resistant cryptography. The order directs federal agencies to inventory their cryptographic assets, designate PQC migration leads, and transition high-value systems to NIST-approved post-quantum cryptographic standards, with key establishment completed by December 31, 2030 and digital signatures by December 31, 2031. It also extends requirements to federal contractors via the Federal Acquisition Regulation, tasks NIST with running a pilot migration by 2027, and directs CISA to release guidance on cryptographic bills of materials. Taken together, the EO operationalizes the federal PQC transition from policy aspiration into enforceable timelines.
The order lays out a selection of deadlines for agencies and organisations to adopt the order's new obligations. Duration deadlines run from the June 22, 2026 signing date; firm calendar deadlines mark the migration end-states.
| Deadline | Approx. Date | Requirement | Who |
|---|---|---|---|
| 30 days | JULY 22 2026 | Identify and report Post-Quantum Cryptography (PQC) migration lead to the Office of Management and Budget (OMB) and National Cyber Director. | All agency heads |
| 90 days | SEPT 20 2026 | Issue guidance requiring agencies to review High Value Asset (HVA)/high-impact system inventories and develop Post-Quantum Cryptography (PQC) migration plans. | Office of Management and Budget (OMB) |
| 180 days | DEC 19 2026 | Initiate National Institute of Standards and Technology (NIST) pilot Post-Quantum Cryptography (PQC) migration project (to be completed by Dec. 31, 2027). | Secretary of Commerce / NIST |
| 180 days | DEC 19 2026 | Revise Cryptographic Module Validation Program (CMVP) processes to accelerate cryptographic module validations. | National Institute of Standards and Technology (NIST) |
| 180 days | DEC 19 2026 | Publish proposed Federal Acquisition Regulation (FAR) rule requiring contractor Post-Quantum Cryptography (PQC) compliance by Dec. 31, 2030. | Federal Acquisition Regulatory (FAR) Council |
| 180 days | DEC 19 2026 | Submit annual National Security Systems (NSS) Post-Quantum Cryptography (PQC) migration status report to the President (and annually thereafter). | National Security Agency (NSA) Director |
| 270 days | MAR 19 2027 | Release public guidance on minimum elements of a Cryptographic Bill of Materials (CBOM). | Cybersecurity and Infrastructure Security Agency (CISA) / NIST |
| 270 days | MAR 19 2027 | Publish proposed Federal Acquisition Regulation (FAR) rule on contractor Vulnerability Disclosure Programs (VDPs) covering cryptographic vulnerabilities. | Federal Acquisition Regulatory (FAR) Council |
| Dec. 31, 2027 | DEC 31 2027 | Complete National Institute of Standards and Technology (NIST) pilot Post-Quantum Cryptography (PQC) migration project. | NIST |
| Dec. 31, 2030 | DEC 31 2030 | Transition all High Value Assets (HVAs) and high-impact systems to Post-Quantum Cryptography (PQC) for key establishment. | All agencies |
| Dec. 31, 2030 | DEC 31 2030 | Covered contractors must comply with NIST Federal Information Processing Standards (FIPS), including Post-Quantum Cryptography (PQC) algorithms. | Federal contractors |
| Dec. 31, 2031 | DEC 31 2031 | Transition all High Value Assets (HVAs) and high-impact systems to Post-Quantum Cryptography (PQC) for digital signatures. | All agencies |
The order distributes responsibility across coordinating, technical, enforcement, and sector-facing bodies.
The full text of Executive Order 14412, with added definitions and context.
The advent of large-scale quantum computers, particularly in the hands of adversaries, will pose a significant threat to widely used cryptographic security systems. Ongoing cyber activity against our Nation also presents the risk of adversaries collecting United States information now, and decrypting it later once large-scale quantum computers are operational.
The threat being described here is referred to as the Harvest Now, Decrypt Later (HNDL) threat — an adversary strategy of collecting encrypted data today and storing it for decryption once a sufficiently capable quantum computer becomes available.
HNDL is the central reason organizations are beginning their migration now rather than waiting for quantum computers to mature. Any data that must remain confidential beyond the late 2030s is already exposed in this sense.
In light of these threats, the United States must take steps to strengthen cryptographic protections for the Nation's sensitive data, critical infrastructure, and digital economy.
It is the policy of the United States to safeguard national security and maintain technological leadership by responsibly and effectively executing the transition of Federal information systems to National Institute of Standards and Technology (NIST)-approved Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography (PQC), and to assist critical infrastructure owners and operators with their transitions.
In August 2024, NIST finalized three landmark post-quantum cryptographic standards: FIPS 203 (ML-KEM, for key encapsulation), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, an alternative signature scheme). These are the algorithms this EO directs agencies to adopt. They are based on mathematical problems — lattices and hash functions — believed to be resistant to both classical and quantum computers.
For purposes of this order:
the term "agency" has the same meaning as it has in 44 U.S.C. 3502(1);
the term "critical infrastructure" has the same meaning as it has in section 1016(e) of the USA Patriot Act of 2001 (42 U.S.C. 5195c(e));
the term "high impact system" means an information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high;
the term "high value asset" or "HVA" means Federal information or a Federal information system designated as a high value asset under Office of Management and Budget (OMB) Memorandum M-19-03, "Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program," or any successor document;
the term "information systems" has the same meaning as it has in 6 U.S.C. 650(14);
the term "National Security Systems" has the same meaning as it has in 44 U.S.C. 3552(b)(6);
the term "post-quantum cryptography" or "PQC" means those cryptographic algorithms or methods that are designed to be resistant to attack by both a quantum computer and a classical computer;
the term "PQC migration lead" means the agency employee or detailee who reports to the agency's chief information officer and is responsible for overseeing agency-wide cryptographic inventory management, developing a prioritized PQC migration plan, and coordinating cross-agency efforts in PQC;
the term "Cryptographic Module Validation Program" has the same meaning as it has in FIPS 140-3, "Security Requirements for Cryptographic Modules," or any successor policy;
the term "digital signature" has the same meaning as it has in FIPS 186-5, "Digital Signature Standard (DSS)," or any successor policy; and
the term "key establishment" has the same meaning as it has in FIPS 203, "Module-Lattice-Based Key-Encapsulation Mechanism Standard," or any successor policy.
(a) The Director of OMB and the National Cyber Director, in consultation with the Assistant to the President for National Security Affairs and the Administrator of the Office of Electronic Government, OMB, shall lead the strategic coordination and oversight of the national PQC migration policy and strategy set forth in this order, ensuring its alignment with broader cybersecurity goals.
(b) The Secretary of Commerce, through the Director of NIST, and in consultation with the Director of the National Security Agency (NSA) and the Secretary of Homeland Security, through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), shall provide agencies on an ongoing basis with comprehensive technical guidance on PQC implementation, including best practices in implementation and risk management strategies.
(a) Within 30 days of the date of this order, each agency head shall identify its PQC migration lead and provide the name and contact details of the PQC migration lead to the Director of OMB and the National Cyber Director.
(b) Within 90 days of the date of this order, the Director of OMB shall, in consultation with the Secretary of Homeland Security through the Director of CISA and the National Cyber Director, and consistent with 6 U.S.C. 1526(c), issue guidance requiring each agency to:
review their inventory of HVAs and high impact systems, excluding National Security Systems;
transition all HVAs and high impact systems to use PQC for key establishment by December 31, 2030;
transition all HVAs and high impact systems to use PQC for digital signatures by December 31, 2031; and
develop and submit to the Director of OMB and the National Cyber Director a plan to accomplish this directive.
(c) Within 180 days of the date of this order, the Secretary of Commerce, through the Director of NIST, shall initiate a pilot project for PQC migration on an appropriate subset of information systems owned or operated by NIST, to be completed no later than December 31, 2027.
Per OMB Memorandum M-26-15, each agency's PQC Migration Plan should be treated as a dynamic document that will mature over time and should treat migration as a multi-year effort executed in phases:
Agencies establish governance, designate PQC migration leads, complete cryptographic inventories, and develop prioritized migration plans.
Agencies begin piloting PQC implementations on select systems, gather lessons learned, and refine migration approaches.
Agencies migrate High Value Assets (HVAs) and high-impact systems to PQC for key establishment, meeting the December 31, 2030 deadline.
Agencies complete migration of HVAs and high-impact systems to PQC for digital signatures, meeting the December 31, 2031 deadline.
All remaining federal information systems complete their transition to post-quantum cryptographic standards.
(a) All agencies that serve as Sector Risk Management Agencies, as defined by the National Security Memorandum 22 of April 30, 2024 (Critical Infrastructure Security and Resilience) or its successor, shall work with the Department of Homeland Security through the Director of CISA to assist critical infrastructure owners and operators in developing their PQC migration plans.
(b) The Secretary of State shall work with the Director of NIST, the Secretary of Homeland Security, the National Cyber Director, the Secretary of War, and the Director of National Intelligence (DNI) to identify and engage foreign governments and industry groups in key countries to encourage their transition to PQC algorithms standardized by NIST.
(c) Within 180 days of the date of this order and annually thereafter until PQC migration is complete, the Director of the NSA, in his capacity as the National Manager for National Security Systems, shall submit a report to the President, through the Committee on National Security Systems, on the status of PQC migration for agencies that own or operate National Security Systems.
(d) Within 270 days of the date of this order, the Secretary of Homeland Security, through the Director of CISA, and in coordination with the Director of NIST, shall release public guidance describing the agencies' considered view as to the minimum elements for a cryptographic bill of materials. These elements shall enable the automated assessment of the cryptographic assets utilized by a hardware or software element.
A PQC migration cannot begin until the organization knows where its cryptography lives. In most large estates, cryptography is embedded in applications, network appliances, third-party services, firmware, and operating systems that have changed hands many times. Producing a complete cryptographic inventory is typically the longest and least visible part of the transition.
Both NIST and the U.S. National Cybersecurity Center of Excellence sequence inventory as the prerequisite step in their published migration guidance.
A current Cryptographic Bill of Materials covers every production system, with named owners for each entry. The inventory distinguishes the algorithms in use, the data each protects, and the confidentiality lifetime of that data. The inventory is treated as a living document, with a defined cadence for refresh and a path for new systems to be added at the point of procurement.
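An inventory of this shape can be checked mechanically against Mosca's test from the migration-timing discussion earlier in this report (shelf life plus migration time compared with the quantum horizon). The following is an added example, not part of the original report or of any NIST or CISA tooling; the inventory entries, field names, status labels and horizon values are constructed assumptions, and the check covers key establishment only.

```python
from dataclasses import dataclass
from typing import List, Optional

# Key-establishment families that Shor's algorithm breaks, and the FIPS 203 KEM.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "X25519", "X448"}
POST_QUANTUM = {"ML-KEM"}
STATUS_ORDER = {"EXPOSED": 0, "REVIEW": 1, "WITHIN_HORIZON": 2, "PROTECTED": 3}


@dataclass
class Entry:
    system: str
    owner: Optional[str]           # None: no named owner recorded
    key_establishment: List[str]   # algorithms negotiated together (hybrid lists two)
    shelf_life_years: float        # how long the protected data must stay confidential
    migration_years: float         # estimated time to migrate this system


@dataclass
class Finding:
    system: str
    status: str
    margin_years: float            # shelf life + migration time - quantum horizon
    owner_missing: bool


def family(algorithm: str) -> str:
    """Map a name such as 'ECDH-P256' or 'ML-KEM-768' to its algorithm family."""
    name = algorithm.upper()
    for fam in sorted(QUANTUM_VULNERABLE | POST_QUANTUM, key=len, reverse=True):
        if name == fam or name.startswith(fam + "-"):
            return fam
    return "UNKNOWN"


def assess(entry: Entry, horizon_years: float) -> Finding:
    """Apply Mosca's test to one inventory entry."""
    families = {family(a) for a in entry.key_establishment}
    margin = entry.shelf_life_years + entry.migration_years - horizon_years
    if families & POST_QUANTUM:
        status = "PROTECTED"        # pure PQC or hybrid: holds if ML-KEM holds
    elif not families or "UNKNOWN" in families:
        status = "REVIEW"           # cannot be judged until the algorithm is identified
    elif margin > 0:
        status = "EXPOSED"          # shelf life + migration time exceeds the horizon
    else:
        status = "WITHIN_HORIZON"   # still quantum-vulnerable, but inside the window
    return Finding(entry.system, status, margin, entry.owner is None)


def triage(inventory: List[Entry], horizon_years: float) -> List[Finding]:
    """Rank entries: exposed first, largest overshoot at the top."""
    findings = [assess(e, horizon_years) for e in inventory]
    return sorted(findings, key=lambda f: (STATUS_ORDER[f.status], -f.margin_years))


# Constructed sample inventory (systems, owners and durations are illustrative).
INVENTORY = [
    Entry("public-web-frontend", "web-team", ["X25519", "ML-KEM-768"], 1, 2),
    Entry("marketing-site", "web-team", ["ECDH-P256"], 1, 2),
    Entry("patient-records-api", "health-platform", ["ECDH-P256"], 15, 6),
    Entry("optical-transport-mgmt", None, ["RSA-2048"], 10, 8),
    Entry("cpe-firmware-channel", "access-network", ["VENDOR-KEX"], 5, 8),
]

if __name__ == "__main__":
    for horizon in (10, 20):        # assumed horizons, not estimates from the report
        print(f"quantum horizon = {horizon} years")
        for f in triage(INVENTORY, horizon):
            note = "  [no named owner]" if f.owner_missing else ""
            print(f"  {f.status:<15}{f.system:<24}{f.margin_years:+.0f}y{note}")
```

Running it with both horizons shows which entries stay exposed even under the longer assumption, which is the sensitivity check a migration plan needs before fixing priorities.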
(a) The Director of OMB, the Secretary of War, the Administrator of National Aeronautics and Space Administration, and the Administrator of General Services, in consultation with the Secretary of Homeland Security, the DNI, and the Director of NIST, shall coordinate efforts to identify cost-saving opportunities in implementing the national PQC migration policy and strategy, such as migration of cloud-based technologies, shared procurement of PQC tools, joint training programs, and centralized technical support.
(b) Within 180 days of the date of this order, the Secretary of Commerce, through the Director of NIST, shall, to the extent appropriate and consistent with applicable law, revise the processes used by the Cryptographic Module Validation Program to accelerate validations of cryptographic modules.
(c) Within 180 days of the date of this order, the Federal Acquisition Regulatory Council (FAR Council), in consultation with the Secretary of Homeland Security through the Director of CISA and the Director of NIST, shall publish a proposed rule amending the Federal Acquisition Regulation (FAR) to require covered contractors to comply by December 31, 2030, with NIST's FIPS, including all applicable FIPS incorporating PQC compliant algorithms.
(d) Within 270 days of the date of this order, the FAR Council, in consultation with the Secretary of Homeland Security through the Director of CISA and the Director of NIST, shall publish a proposed rule amending the FAR requirements and contract clauses for contractor vulnerability disclosure programs to ensure that covered contractors implement vulnerability disclosure policies (VDPs), consistent with NIST guidelines, and that VDPs incorporate reports of cryptographic vulnerabilities, including testing for lack of encryption and the use of non-FIPS approved algorithms.
(a) Nothing in this order shall be construed to impair or otherwise affect:
the authority granted by law to an executive department or agency, or the head thereof; or
the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.
(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.
(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
(d) The costs for publication of this order shall be borne by the Department of Commerce.
Considerations in a domain this new are rarely about which specific technology to choose. Encryption standards will be revised, vendors will pivot, and new quantum algorithms will change the landscape. Below are five standards-neutral and technology-neutral considerations drawn from vendor and technology company engagements.
Key terms used throughout this report, defined in plain language. Each entry notes why the concept matters for organisations preparing for the post-quantum transition.
Below is a compiled list of standards, frameworks, and policies surrounding migration to post-quantum cryptography. This includes practices at the federal, industry and international levels.
Each entry links directly to the primary source. The NIST and NSA standards define the algorithms to adopt; the federal policies and CISA frameworks set the timelines and readiness expectations operators are measured against; and the industry deployments show how organisations have already put post-quantum cryptography into production.