Sectigo Blog
The U.S. government pushes internal PQC migration deadline from 2035 to 2031
The U.S. government has accelerated its post-quantum cryptography (PQC) migration deadline from 2035 to 2031, mandating earlier adoption for high-value and high-impact systems. The executive order aligns with NIST standards and prioritizes key establishment ahead of digital signatures to address immediate “harvest now, decrypt later” risks. Organizations must begin planning now by inventorying cryptographic assets, prioritizing sensitive systems, and building crypto agility to meet the new timeline.
On June 22, 2026, the White House issued Executive Order 14409, Securing the Nation Against Advanced Cryptographic Attacks, pushing the deadline for post-quantum cryptography (PQC) migration from 2035 to 2031. The order goes beyond prior federal guidance by setting near-term, enforceable deadlines and linking them directly to federal procurement. It effectively operationalizes NIST’s 2024 PQC standards and puts them on a defined timeline.
What does the executive order actually require?
Agencies must:
- Transition all high value assets and high impact systems to use PQC for key establishment by December 31, 2030
- Use PQC for digital signatures by December 31, 2031
Two clarifications matter:
First, these deadlines apply only to high-value assets and high-impact systems, and not all federal systems. National Security Systems remain on a separate track under the NSA with independent reporting requirements.
Second, the order does not introduce new cryptography. It codifies existing NIST standards:
- ML-KEM for key establishment
- ML-DSA and SLH-DSA for digital signatures
What happens next: immediate actions
The order sets a rapid execution timeline:
- Within 30 days: Agencies must appoint a PQC migration lead reporting to the CIO
- Within 90 days: OMB must require inventories of critical systems and formal migration plans
By end of 2027: NIST will complete a pilot migration to serve as a blueprint.
Why the sequencing matters more than the dates
The two deadlines are a year apart, and the order is right to separate them. Key establishment comes first in 2030, because the threat to confidentiality is the threat that is already underway.
Harvest now, decrypt later (HNDL) makes key establishment the urgent case. A session key protected by classical cryptography today protects data that may need to stay secret for ten, twenty, or thirty years. If that traffic is being captured and stored now, the migration is already late.
Digital signatures are different. A forged signature is a real-time attack. You cannot retroactively forge a software update that shipped in 2026. That is precisely why signatures can be sequenced second. Authentication is a signing event, and also a real time event. The order is sequencing the work so that the retroactively exploitable problem is solved first. That distinction matters, because the urgency here is real without needing to overstate what anyone actually knows about quantum timelines.
Why has the PQC deadline moved from 2035 to 2031?
Let’s be clear. The shift is not a signal of sudden quantum breakthroughs. Instead, it reflects three realities:
- PQC standards are now finalized
- Migration timelines are long and complex
- Sensitive data already exceeds safe cryptographic lifetimes
In other words, policy didn’t accelerate; it caught up to the math.
How to get started on your PQC migration journey today
- Build a cryptographic inventory; you can’t protect what you can’t see
- Identify the systems with long-lived sensitive data and prioritize them
- Push your vendors on crypto agility now, and ask them for the equivalent of a cryptographic bill of materials (CBOM)
- Start with key establishment, where HNDL risk is most concentrated
- Treat 2031 as an immediate planning horizon
Start your PQC journey with a free consultation today: https://www.sectigo.com/quantum-labs