The global push to prepare for post-quantum cryptography has entered a new phase.
For years, governments and regulators have encouraged organizations to inventory cryptography, understand exposure, and prepare for the migration to PQC. The latest U.S. executive order moves this call to action to the next stage.
The order recognizes the accelerating advances in quantum computing and the urgency to move post-quantum readiness from conceptual planning to tangible programs – with specific scope, ownership, and deadlines.
It also points to one clear conclusion: quantum readiness, crypto-agility, and Zero Trust aren’t long-term solutions to future problems. AI and quantum computing advancements make these priorities urgent, and organizations must address them now.
What Changed
Earlier U.S. policy (NSM-10, OMB M-23-02) set direction, alongside guidance from CISA, NSA, and NIST, that focused solely on readiness.
Executive Order #14412 on Securing the Nation Against Advanced Cryptographic Attacks changes the operating model for moving to quantum readiness:
- Agencies must appoint PQC migration leads
- Execution is tied to shorter, defined milestones
- High-value systems must be migrated by 2030 for key establishment
- High-value systems must be migrated by 2031 for digital signatures
- A federal pilot is required no later than 2027
- Scope has expanded beyond federal agencies to include their contractors and the 16 sectors of critical infrastructure
This shift marks a decisive federal move, making it clear that organizations must execute post-quantum migration, not just prepare or plan for it.
Why This Moment Matters Now
This matters because cryptography is complex, and its use is constantly changing. Applications and configurations are frequently updated, keys and certificates must be rotated, and suppliers are patching more than ever. The reality is that traditional methods of managing cryptographic infrastructure can’t keep up.
This new executive order requires a shift from planning and inventory to driving execution and migration. This is no longer about preparation; it’s about execution against a timeline that is coming in faster than expected.
And this isn’t happening in isolation. Organizations are now facing multiple converging pressures. AI acceleration is introducing new threats at an unprecedented pace, regulatory and industry mandates necessitate modernization, agentic AI is driving its own demand for strong identity security, and post-quantum timelines are compressing.
As AI and cryptography converge, the principles of Zero Trust are more important than ever:
- We must encrypt all data at rest, in motion, and in use
- We need the strongest identity-secured systems for people, machines, and agents
- Cryptographically based solutions, the foundation of all of this, are the gold standard
Why This Matters for Boards and Executive Teams
Post-quantum migration is often framed as an algorithm problem. But that perspective is too narrow. Migration sits at the intersection of enterprise risk, digital resilience, supplier management, and regulatory readiness. Framing it as a simple algorithm replacement exercise underestimates both its scope and its critical importance.
Organizations that are making progress are building visibility across their cryptographic estates, establishing clear governance and accountability, and modernizing fragmented legacy PKI environments. They recognize that an intentional cryptographic foundation is the essential bedrock for meeting today’s cybersecurity challenges: defending against a rapidly intensifying threat landscape, managing exploding operational complexity, and making the shift to post-quantum cryptography. The key question leaders should ask is this: can we accurately and continuously identify our cryptographic exposure today?
What Organizations Should Do Now
The priority is to move from planning to execution.
- Establish enterprise-wide cryptographic governance. Post-quantum readiness requires a coordinated operating model that aligns security, PKI, engineering, procurement, and risk teams around a common migration strategy.
- Gain continuous visibility into your cryptographic estate. Effective risk management starts with ongoing discovery of cryptographic assets, dependencies, algorithms, keys, certificates, and third-party suppliers across the enterprise.
- Modernize with a scalable cryptographic security platform. Centralize PKI, key management, certificate lifecycle management, and cryptographic policy enforcement to create a foundation for cryptographic agility.
- Prioritize migration based on risk and business impact. Focus first on high-value systems, cryptographic concentrations, and long-lived data vulnerable to harvest-now, decrypt-later threats.
Post-quantum readiness is becoming a test of whether organizations can truly see, govern, and modernize the foundation of digital trust. Cryptographic changes are hard. But this latest executive order recognizes that organizations must intentionally build in visibility, accountability, and crypto-agility before the deadlines become totally unachievable.
Migrate towards post-quantum readiness by unifying your PKI, HSMs, certificate management, and keys and secrets in a single platform designed for crypto-agility and resilience.