The new post-quantum cryptography executive order. Plus: What is Q-Day, really?

· Source: IBM Technology · Field: Technology & Digital — Cybersecurity & Data Privacy, Emerging Technologies & Innovation · Depth: Intermediate, extended

Summary

A recent US Executive Order on post-quantum cryptography (PQC) mandates a government-wide acceleration of the transition to quantum-resistant encryption, setting a new deadline of end of 2030/2031. This order, signed by President Trump, establishes clear accountability for federal agencies, requiring them to appoint PQC migration leads, and extends compliance requirements to federal contractors through updated acquisition regulations. The initiative also prioritizes international collaboration on NIST standards and the protection of critical infrastructure sectors like water, power, and finance. Experts emphasize that "Q-Day," the point when quantum computers can break current public key cryptography, is a continuous process, not a single event, driven by the "harvest now, decrypt later" threat. The transition requires a risk-based approach, prioritizing sensitive, long-lived data, and fostering "crypto agility" to adapt to evolving cryptographic algorithms.

Key takeaway

For Security Engineers managing enterprise infrastructure, the accelerated post-quantum cryptography mandate means immediate action is critical. You must initiate high-level discussions and deploy discovery tools to map all cryptographic assets, especially those protecting long-lived, sensitive data. Prioritize designing crypto agility into new systems and automating certificate lifecycles to avoid costly, reactive migrations later. Failing to start this transformation now risks significant compliance issues and data exposure to future quantum attacks.

Key insights

Post-quantum cryptography transition is an urgent, continuous process requiring crypto agility to counter quantum threats and protect long-lived data.

Principles

Method

Governments should plan, act (pilots, deadlines), and motivate. Organizations must strategize, assess, modernize, govern, and remediate in a continuous cycle.

In practice

Topics

Best for: CTO, Executive, VP of Engineering/Data, Security Engineer, IT Professional, Director of AI/ML

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by IBM Technology.