{"id":361669,"date":"2026-06-23T16:30:57","date_gmt":"2026-06-23T23:30:57","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=361669"},"modified":"2026-06-23T17:19:36","modified_gmt":"2026-06-24T00:19:36","slug":"new-executive-order-accelerates-post-quantum-readiness-amid-the-cryptographic-reset","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2026\/06\/new-executive-order-accelerates-post-quantum-readiness-amid-the-cryptographic-reset\/","title":{"rendered":"New Executive Order Accelerates Post-Quantum Readiness Amid the Cryptographic Reset"},"content":{"rendered":"

The <\/span>White House Executive Order<\/span><\/a> on securing the nation against advanced cryptographic attacks accelerates the mandatory timeline for post-quantum readiness.<\/span><\/p>\n

For years, post-quantum cryptography has been discussed as an important, yet abstract future technical migration. Because of the uncertain timeline for quantum computing, it has been difficult for most organizations to prioritize quantum readiness against more immediate security demands.<\/span><\/p>\n

That is changing.<\/span><\/p>\n

Signed on June 22, 2026, the Executive Order mandates the transition of federal information systems to post-quantum cryptography and establishes a national policy to migrate them to NIST-approved standards. It also extends the urgency beyond government by directing support for critical infrastructure owners and operators, advancing requirements for federal contractors, and calling for cryptographic bill of materials guidance.<\/span><\/p>\n

The order directly addresses harvest now, decrypt later risk and sets transition milestones for federal high-value assets and high-impact systems: 2030 for key establishment and 2031 for digital signatures.<\/span><\/p>\n

While the order directly applies to U.S. Federal civilian agencies, it should be seen as a signal of broader policy and procurement momentum. Organizations that do business with the government, support critical infrastructure, or operate in regulated industries such as energy, financial services, and healthcare should expect post-quantum readiness expectations to accelerate.<\/span><\/p>\n

Quantum risk has shifted from a long-term research concern to a national cybersecurity priority tied to sensitive data, critical infrastructure, federal systems, procurement, and the broader digital economy. For security teams, the challenge now is turning that urgency into an operational plan.<\/span><\/p>\n

Operationalizing the quantum mandate<\/b><\/h2>\n

As quantum computing advances, widely used public-key cryptography will become vulnerable to future attacks. Even before a cryptographically relevant quantum computer exists, adversaries can capture encrypted data now with the goal of decrypting it later.<\/span><\/p>\n

This \u201charvest now, decrypt later\u201d risk is especially concerning for organizations that protect sensitive information with a long shelf life. The response cannot wait until the threat fully materializes.<\/span><\/p>\n

The broader ripple effect matters because compliance alone will not equal readiness. As requirements flow into federal acquisition rules and contractor obligations, the vendor ecosystem will be pushed to support quantum-safe capabilities in the products and services that enterprises, critical infrastructure organizations, and regulated industries rely on.<\/span><\/p>\n

Adding support for post-quantum algorithms is not the same as safely migrating to them. Support means a system can use new algorithms. Readiness means the organization knows where cryptography exists, which systems are exposed, which dependencies matter most, and how to execute changes without creating disruption or new risk.<\/span><\/p>\n

That matters because post-quantum migration can affect more than cryptographic libraries. Larger cryptographic objects, new protocol behaviors, hybrid modes, hardware acceleration requirements, interoperability constraints, and legacy system limitations can create real performance, availability, and compatibility challenges if changes are made blindly.<\/span><\/p>\n

This is why cryptographic visibility must lead to actionable migration planning.<\/span><\/p>\n

Security teams cannot migrate what they cannot see. But visibility by itself is not enough. They also need to classify exposure, prioritize high-value systems and long-lived data, understand operational dependencies, and plan changes in a way that avoids disruption, downgrade risk, or incomplete migration.<\/span><\/p>\n

Cryptographic bill of materials guidance will be an important step toward mapping cryptographic assets. But a CBOM should be the starting point, not the finish line. An inventory can show where cryptography exists, but readiness requires understanding business impact, migration complexity, interoperability risk, ownership, and the order in which changes should happen.<\/span><\/p>\n

Post-quantum readiness is not just an algorithm swap. It is an operating model for managing cryptographic change at scale.<\/span><\/p>\n

Five actions for post-quantum readiness<\/b><\/h2>\n

The path forward starts with five practical actions.<\/span><\/p>\n