What the post-quantum executive order really demands of CISOs

With federal PQC deadlines set for 2030 and 2031, CISOs face a multi-year transformation program that most organizations have not yet started. The window for orderly execution is narrowing fast.
US President Donald Trump holds a signed executive order about quantum computing in the Oval Office of the White House in Washington, DC, on June 22, 2026. President Trump signed two orders on quantum computing. (Photo by Mandel NGAN / AFP via Getty Images)

Post-quantum cryptography didn’t sneak up on the industry. 

For years, security teams, standards bodies, hyperscalers, and governments have been pointing at the same horizon: a cryptographically relevant quantum computer will, eventually, dismantle the public-key algorithms underpinning today’s enterprise security. The latest executive order doesn’t introduce a new threat. It codifies what the field has long understood, and attaches deadlines to it.

For CISOs, the framing shift matters. PQC is fundamentally a readiness problem, not a cryptography problem. Watching Google accelerate its quantum roadmap, or seeing federal agencies restructure their security architecture around PQC, makes the stakes impossible to ignore. Boards are already asking: “How are we thinking about post-quantum transition today?” For most organizations, the gap between that question and a credible answer is wider than it should be.

The EO is unambiguous on scope. PQC has moved from a research effort to real policy, with deadlines, accountability structures, and direct consequences for federal agencies, contractors, critical infrastructure operators, and the broader private sector that supports them.

Federal high-value systems must transition key establishment to PQC by Dec. 31, 2030. Digital signatures will follow by Dec. 31, 2031.

Those dates may appear distant, but for anyone who has navigated an enterprise-scale security transformation, with the procurement cycles, architecture reviews, and organizational change management that entails, 2030 sits squarely inside current planning horizons. The window for orderly execution is already narrowing.

What makes that window even tighter is that the most immediate risk has nothing to do with deadlines. “Harvest Now, Decrypt Later” attacks are already operational. Nation-state adversaries are collecting encrypted data today and storing it until quantum capabilities are sufficient to decrypt it: intellectual property, health records, financial transactions, source code, government communications, and more. The encryption protecting that data right now is, functionally, a time-delayed vulnerability. Long-lived sensitive data may already be compromised in ways that won’t become visible for years.

The first step for CISOs is shifting from awareness to ownership.

PQC readiness cannot be delegated to individual application teams or treated as a future compliance checkbox. That approach will not survive given the EO’s accountability requirements. Every organization needs a point person: a program lead, a cross-functional steering committee, or a dedicated cryptographic risk office. Whatever the structure, it needs authority and a seat at the leadership table.

That ownership must span security, IT, infrastructure, engineering, product, legal, compliance, procurement, and business stakeholders. Cryptography is embedded across the entire enterprise: certificates, keys, protocols, APIs, hardware, cloud services, code-signing systems, identity infrastructure, third-party platforms. No single team has the bandwidth to address this alone. A cross-functional working group or Center of Excellence should be an organizational prerequisite as we move into the future.

Visibility is going to be critical, and this is where most organizations will find the largest gaps.

CISOs need a clear picture of where cryptography exists across their environment: which algorithms are in use, which systems depend on vulnerable cryptography, what data requires long-term confidentiality, and which business processes would be disrupted by migration. Without that inventory, risk assessment is guesswork, remediation is impossible, and demonstrating progress to regulators or boards becomes an exercise in speculation.

The principle is straightforward: you cannot protect what you cannot see.

Furthermore, a cryptographic inventory cannot be a static spreadsheet updated annually and then filed away. It needs to function as a living view of the organization’s trust infrastructure, covering certificates, keys, algorithms, libraries, protocols, signing systems, certificate authorities, HSMs, workloads, devices, and third-party dependencies. 

Once that visibility exists, prioritization follows from business impact. Systems protecting long-lived sensitive data, critical infrastructure, customer trust, software integrity, and regulated environments move first, with everything else sequenced accordingly.
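As an added illustration, not part of the original article, of how a living cryptographic inventory can be tied to the order's two deadlines and to Harvest-Now-Decrypt-Later exposure: a small triage function over constructed sample records. The record format, the priority rules, the system names and the as-of date are assumptions made for this example.

```python
"""Triage cryptographic inventory records for PQC migration planning.

Each record is one observed use of cryptography. It is classified as
quantum-vulnerable or not, mapped to the executive order deadline that
applies (key establishment vs. signatures), and flagged for HNDL exposure
when the protected data must stay confidential past that deadline.
All records below are constructed sample data, not real systems.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Public-key algorithms a cryptographically relevant quantum computer breaks.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# NIST-standardized PQC algorithms; a hybrid counts as safe if it includes one.
PQC_ALGORITHMS = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87", "SLH-DSA"}
# Federal deadlines stated in the executive order.
DEADLINES = {"key_establishment": date(2030, 12, 31),
             "signature": date(2031, 12, 31)}
AS_OF = date(2026, 6, 22)  # assumed inventory date for this example

@dataclass
class CryptoUse:
    system: str
    algorithms: list           # e.g. ["X25519", "ML-KEM-768"] for a hybrid
    purpose: str               # "key_establishment" or "signature"
    confidentiality_years: int # how long the protected data must stay secret
    business_critical: bool

def quantum_vulnerable(algorithms):
    """True if the use relies only on public-key algorithms a CRQC can break.
    Symmetric-only uses (e.g. AES-256) are outside these deadlines."""
    algs = {a.upper() for a in algorithms}
    return not (algs & PQC_ALGORITHMS) and bool(algs & QUANTUM_VULNERABLE)

def triage(use, today=AS_OF):
    """Return (priority, deadline) for one inventory record."""
    deadline = DEADLINES[use.purpose]
    if not quantum_vulnerable(use.algorithms):
        return "compliant", deadline
    # HNDL: key-exchange traffic captured today whose secrecy must outlast
    # the key-establishment deadline is already at risk, so it moves first.
    secret_until = today + timedelta(days=365 * use.confidentiality_years)
    if use.purpose == "key_establishment" and secret_until > deadline:
        return "critical", deadline
    return ("high" if use.business_critical else "medium"), deadline

def prioritize(inventory, today=AS_OF):
    """Sequence the inventory: worst priority first, then earliest deadline."""
    rank = {"critical": 0, "high": 1, "medium": 2, "compliant": 3}
    rows = []
    for use in inventory:
        priority, deadline = triage(use, today)
        rows.append((priority, deadline, use.system))
    return sorted(rows, key=lambda r: (rank[r[0]], r[1]))

SAMPLE_INVENTORY = [  # constructed sample records
    CryptoUse("patient-records-vpn", ["ECDH"], "key_establishment", 25, True),
    CryptoUse("public-web-tls", ["X25519", "ML-KEM-768"], "key_establishment", 1, True),
    CryptoUse("build-code-signing", ["RSA"], "signature", 10, True),
    CryptoUse("internal-wiki-tls", ["RSA"], "key_establishment", 1, False),
]
```

Running `prioritize(SAMPLE_INVENTORY)` puts the long-lived health-data VPN first as an HNDL-exposed key-establishment use, the classical code-signing system second under the 2031 signature deadline, and the hybrid ML-KEM web endpoint last as already compliant.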

Beyond visibility, CISOs need a roadmap aligned to the order’s milestones rather than aspirational planning documents that never translate into funded programs.

The 2030 key establishment deadline requires understanding every point where encryption and key exchange mechanisms operate across critical systems. The 2031 digital signatures deadline extends that challenge to software integrity, code signing, document signing, authentication, identity infrastructure, and long-term verification. This is a multi-year transformation program, and it warrants the same organizational rigor as any other enterprise-wide initiative of comparable scope.

That means three categories of dedicated resources. First, funding: PQC readiness cannot be absorbed into existing security budgets without displacing other priorities. It requires multi-year investment in discovery tooling, testing, migration execution, automation, and governance. Second, talent: organizations need cryptography expertise, enterprise architecture capability, PKI experience, risk management, compliance support, and program leadership, a combination already in short supply across the industry. Third, technology: discovery tools, certificate and key lifecycle automation, policy enforcement, reporting infrastructure, and the architectural capability for crypto-agility.

Crypto-agility is the long-term objective that makes this transition worth doing properly.

Organizations that treat PQC as a one-time algorithm swap will find themselves back in the same position when standards shift again. The quantum transition is occurring in parallel with the rise of AI, machine identities, autonomous systems, and increasingly complex digital ecosystems, all of which depend on cryptographic trust. Organizations that do not actively govern that trust infrastructure will struggle with AI security, software supply chain integrity, identity governance, and the compliance mandates that follow.

The order functions as a forcing mechanism, converting PQC from a future technical concern into a present-day leadership accountability. Three questions now define where an organization stands:

  • Do we have a clear picture of where our cryptographic risk lives?
  • Do we have a funded, sequenced migration plan that meets the order’s deadlines?
  • Can we demonstrate that our trust infrastructure is agile enough to adapt as standards and threats continue to evolve?

The debate over precisely when quantum computing will be a reality is a distraction. Building the visibility, governance, funding, and automation required to move with confidence is where we need to be spending our collective time and effort.

CISOs have moved past the question of whether to act. The operative question is how far behind the organization already is, and how quickly it can transform cryptography from an invisible dependency into a managed, measurable, and adaptive system of trust. The organizations that begin that work now will be the ones with options when the deadlines arrive.

Written by Ellen Boehm

Ellen Boehm is the SVP, Strategy & AI Innovation at Keyfactor. Ellen leads strategy and market positioning to embed security solutions into emerging markets including IoT, OT, and Agentic AI. Ellen is passionate about emerging technologies and helping customers establish strong security implementations for the lifecycle of their overall connected systems, as they adopt new technologies to grow their business success. Ellen has 20+ years' experience leading to market strategy and new product development with a focus on IoT and connected products in lighting controls, smart cities, connected buildings, and smart home technology. Ellen has held leadership roles in Product & Engineering at General Electric and Sky Technologies over her career.