Post-Quantum Cryptography: Migrate by Risk, Not by Checkbox 

BLOG

The post-quantum clock just started in earnest for both civilian and national-security systems. This pair of executive orders is different. I have seen many “whole-of-government” directives arrive with ambition and leave with a distant horizon. Here is why I am genuinely energized by EO 14412 and OMB M-26-15.

BLUF – On June 22, 2026, the President signed two Executive Orders (EOs) that should be read as one. 

  • EO 14413 accelerates the offense, building the quantum computers, sensors and networks that will define the next era. 
  • EO 14412 accelerates the defense, moving Federal systems to post-quantum cryptography (PQC) before those machines mature. The more successful the first order is, the more urgent the second becomes.  
  • OMB M-26-15 is an operational mandate requiring all U.S. federal civilian agencies to transition their IT systems to PQC. 

For agency CISOs, EO 14412 is the one with your name on it and the clock started the day it was signed. 

An Intro to PQC Mandates

Let’s start by looking at how we got to where we are today.  

In May 2022, National Security Memorandum (NSM)-10 established two parallel tracks around post-quantum cryptography (PQC): the civilian track is executed by M-26-15, the NSS / DoW / IC track by NSA under National Security Presidential Memorandum (NSPM)-12 and CNSA 2.0 (full NSS migration targeted for 2035).

These newest Executive Orders, EO 14412 (“Securing the Nation Against Advanced Cryptographic Attacks”) and EO 14413 (“Ushering in the Next Frontier of Quantum Innovation”), were released as a dual-pronged national strategy to accelerate the quantum era.

  • EO 14412 is defensive, focusing on immediate cybersecurity upgrades to protect existing data from future quantum computers.  
  • EO 14413 is offensive, focusing on accelerating the research, growth and manufacturing of American quantum technologies. 


Why EO 14412 is Different

EO 14412 trades a soft, distant target for urgent, hard, near-term deadlines. For High Value Assets (HVAs) and high-impact systems, Federal agencies and contractors must fully transition key establishment to PQC by December 31, 2030 and digital signatures to PQC by December 31, 2031.

EO 14413 focuses on building out long-term infrastructure. It requires agencies to submit technology roadmaps, workforce development plans and supply chain security frameworks over the next few years. 

Hard deadlines like the ones in EO 14412 force discipline. They convert “we should inventory our cryptography someday” into “we owe the Office of Management and Budget (OMB) and the National Cyber Director a plan, and that plan has dates.” This is the kind of pressure that moves a posture forward.

The Clock Started June 22, 2026

Sequence of obligations (not to linear scale). Near-term coordination actions in blue/teal; the two confidentiality- and integrity-driven cutovers in red are the load-bearing dates.

How Big is This When Everything is Encrypted?

These directives (EOs and memo) have the potential to be bigger than almost any program a CISO has run.  

Cryptography is not a system you can point to; it becomes a property of nearly every system. Public-key cryptography (today, Rivest–Shamir–Adleman (RSA) and elliptic-curve) is woven into Transport Layer Security (TLS) sessions, Virtual Private Networks (VPN), public key infrastructure and certificate chains, code and firmware signing, secure boot, machine and workload identities and third-party software you do not control. You do not “swap” it; you find every place it lives and re-engineer the dependency. 

And the threat clock is already running. Harvest now, decrypt later (HNDL) means adversaries are recording encrypted traffic today to decrypt once a cryptanalytically relevant quantum computer (CRQC) exists, and this is not handwaving about the far future.  

The expert survey federal risk committees cite, the Global Risk Institute / evolutionQ Quantum Threat Timeline Report, now puts the probability of a CRQC capable of breaking RSA-2048 within ten years at 28–49 percent, up from 14–34 percent a year earlier (chart below). Run that against Mosca’s inequality: if a secret’s shelf life (x) plus your migration time (y) exceeds the time until a CRQC (z), that is, if x + y > z, you are already exposed. The math is unforgiving for long-lived data.

The survey also lags reality. The sharpest recent jumps trace to AI entering the hardest part of the problem (DeepMind’s AlphaQubit decoder now runs inside Google’s Willow chip). AI can only pull the threat earlier, so a risk-based planner budgets to the aggressive end of the band and turns that same automation on the defense to keep migration time from blowing the budget. 

The breach window is open now for anything that must stay confidential into the 2030s and beyond: classified material, PII, health data, source code, intellectual property. That is why the confidentiality deadline (key establishment by the end of 2030) is the more time-sensitive of the two (Time to Protect vs. Time to Exploit). A signature must be forged in real time; a secret can simply be waited out.

Sources: Global Risk Institute / evolutionQ, Quantum Threat Timeline Report 2025 (Mosca & Piani); OMB M-26-15. CRQC values are expert-survey estimates; the migration curve maps M-26-15 milestones (intermediate points interpolated).

Which Policy/Directive Will Help Agencies Close the Gap?

The civilian inventory-and-migration is not a new requirement. It runs from EO 14028 (2021) through NSM-10 (2022) to OMB M-23-02 (November 2022), which has required agencies to inventory cryptographic systems, name a lead and report annually since 2023 (see the lineage above). What that stack lacked was teeth on the timeline. EO 14412 supplies those teeth. 

OMB did not use the full 90 days the order allowed. Two days after the order, on June 24, 2026, OMB issued M-26-15, “Execution of the Migration to Post-Quantum Cryptography”. This execution memo operationalizes the EO on top of OMB M-23-02. The hard requirement: every agency must submit a PQC Migration Plan to OMB and the Office of the National Cyber Director (ONCD) no later than 120 days after the order, aligned to NIST IR 8547 and spanning five phases to 2035. The headline 2030 (key establishment) and 2031 (signature) dates are the priority-system deadlines; 2035 is the backstop for the rest. This made the “wait for the 90-day guidance” posture obsolete. The guidance is here and the 120-day plan clock is running.

Two things in that memo deserve to be read out loud in a leadership meeting.  

  • First, this is not a CISO problem. M-26-15 makes migration the responsibility of the whole leadership team. The Chief Financial Officer is designated to ensure PQC resources are included in the budget request.  
  • Second, the memo is the civilian story only. It does not apply to national security systems, which run on a parallel track with earlier gates and a different chain of command. 

Credit where it is due: the memo does not leave “transition” as handwaving.  

Its technical appendix calls out downgrade attacks by name: a system that supports Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) but still allows a classical-only handshake is one negotiation away from where it started. It tells agencies to configure devices to use only acceptable algorithms. It also spells out hybrid (post-quantum plus traditional) key exchange and signatures and the TLS 1.3 handshake that carries them, with a hard deadline (carried over from EO 14306) to support TLS 1.3 by January 2, 2030. What the memo still leaves to agency judgment is the risk bar: which data is sensitive enough to demand the strict reading. That call is yours, so make it deliberately. We recommend that you prefer PQC, disable the classical fallback for the data that matters and prove it, for example by confirming that a client offering only classical key-exchange groups is refused rather than quietly served. Anything softer is a checkbox, not a control.

Two more policy levers deserve a CISO’s attention: 

  • The Federal Acquisition Regulation (FAR). Within 180 days, the FAR Council must propose a rule requiring covered contractors to comply with NIST Federal Information Processing Standards (FIPS), including PQC algorithms, by December 31, 2030. Within 270 days, a second proposed rule pulls cryptographic findings (missing encryption, use of non-FIPS-approved algorithms) into contractor vulnerability disclosure programs. If you buy or build through contractors, this reaches your supply chain.
  • Module validation (CMVP / FIPS 140-3). NIST is directed to accelerate Cryptographic Module Validation Program (CMVP) validations, and the timing is unforgiving. On September 21, 2026, the last FIPS 140-2 certificates move to Historical status, so only FIPS 140-3-validated modules may be used for new procurement after that date. The pipeline from “FIPS-approved algorithm” to “deployable validated module” is the real bottleneck and it tightens this fall. 

The Other Track: DoW and the Intelligence Community

Everything above is the civilian story, by design, but “out of scope” does not mean “unaffected.” National Security Systems (NSS), the classified, military and intelligence systems that carry the data an adversary most wants, run on a parallel track created by the same document that started the civilian one.  

NSM-10 forked federal PQC policy in 2022.  

In a split that predates 2026, EO 14306 (June 2025) carved NSS out of nearly all its cyber directives except the post-quantum provision, which it applied to both tracks. Today, civilian systems fall under OMB, NIST and CISA, and NSS under the National Security Agency as National Manager. M-26-15 executes the first track; the second has its own machinery. Even when Washington exempts NSS from a cyber order, it keeps NSS inside the quantum mandate, because the threat does not respect the boundary.

If you operate in or alongside the Department of War (DoW) or the Intelligence Community, the governance is different, and in places, moves earlier.  

NSA sets the minimum cryptographic requirements for NSS through the Committee on National Security Systems (CNSS) framework. It was refreshed by NSPM-12 (June 2026), with approved algorithms defined by CNSS Policy 15 and the Commercial National Security Algorithm Suite (CNSA) 2.0, instead of the civilian FIPS schedule. The gates land earlier (leading NSS acquisition requirements around 2027, full migration targeted for 2035). The DoW CIO’s November 2025 PQC memo put the department on notice before the orders were signed. NSA reports NSS status to the President through CNSS, a separate chain from the civilian agencies’ reporting to OMB and ONCD. 

This track is harder, not easier.  

The data with the longest required confidentiality, decades for some classified holdings, is the exact bullseye of harvest-now-decrypt-later. Classified enclaves, air-gapped systems and long refresh cycles make migration slower even when the will is there.  

And almost no one lives purely on one side of the line. Cross-domain systems, shared identity and PKI, FedRAMP cloud with defense and IC tenants, and integrators serving both communities all straddle it. If you plan only to the civilian deadlines, you will miss the earlier NSS gates entirely.

Here is the part that should reassure any CISO who carries both: the governance differs, but the engineering does not. Inventory, prioritize by data longevity and vulnerability, migrate to the same NIST-rooted algorithms, sustain agility. Same threat, same discipline, two playbooks.

Where the Cryptographic Posture Actually Stands: Visibility and Inventory

Here is the honest part. Most agencies do not have a complete, current cryptographic inventory. The survey data is blunt: only a minority of organizations have a complete certificate inventory or have assessed their systems for quantum vulnerability.  

Gartner expects most organizations will fail a compliance audit through 2027 over untracked cryptographic assets.  

Sources: Sectigo / Omdia, State of Crypto Agility 2025 (n=272); DigiCert 2026 Global PKI Research Report; Gartner.

OMB M-23-02 has required an annual inventory since its issuance in November 2022, but the inventory is largely manual and discovery tools cannot see every corner of an enterprise. Legacy protocols, embedded and operational technology and third-party software all hide cryptography from the scanner. The number of cryptographic assets you are reporting today is almost certainly an undercount. That is not a criticism of any team; it is the nature of inventorying something that is everywhere and often invisible.

The federal corollary is telling. OMB’s own estimate to migrate priority systems, about $7.1 billion through 2035, carries high uncertainty precisely because agencies lack mature familiarity with their cryptographic inventories (GAO-25-107703). When the government cannot price the migration within billions because it cannot see what it has, the inventory gap is not a footnote, it is the program. NIST IR 8547 says the same: the cryptographic inventory is the essential first step. 

The most important enabling provision in EO 14412 is also the quietest. Section 5(d) directs CISA and NIST, within 270 days, to publish the minimum elements for a cryptographic bill of materials (CBOM), a machine-readable record of the cryptographic assets inside a component. A CBOM is to cryptography what a software bill of materials is to software dependencies. It turns “we think we know where our crypto lives” into data you can query, score and act on. M-26-15 does not wait for the 270-day elements; it already tells agencies to populate a central CBOM through automation: software composition analysis, static and dynamic testing and network scanners. Without it, “migrate by 2030” is an aspiration; with it, an engineering plan.

The Roadmap: How Agencies Actually Move the Needle

The roadmap to follow is five phases. None is optional. The order matters, and the phases apply on both tracks, civilian and NSS, even though the governance and the deadlines differ.


You can’t migrate what you can’t see, so discovery and prioritization must come first.  

  1. Discover. Stand up continuous cryptographic discovery across network, host, code and certificate sources, and, where you can reach it, operational technology and embedded systems. Treat this discovery as living telemetry, not a one-time spreadsheet, and adopt the CBOM format.
  2. Prioritize. M-26-15 mandates risk-based prioritization and names the first wave: high-impact systems, High Value Assets, public-key/PKI-based access control and anything holding data still sensitive in 2030. Long-lived data riding public-key key establishment is your harvest-now-decrypt-later exposure; it goes first.
  3. Plan. Build the PQC Migration Plan within 120 days. The memo names the contents: a risk-based prioritization strategy, milestones across all phases, the TLS 1.3 timeline, the inventory tooling, a crypto-agility architecture plan, third-party coordination, a funding and personnel estimate and governance roles. Name your lead first; the order gives you 30 days.
  4. Migrate. Sequence to the deadlines: key establishment (FIPS 203, ML-KEM) by the end of 2030; signatures (FIPS 204, ML-DSA and FIPS 205, SLH-DSA) by the end of 2031, with NIST IR 8547 as the guide for prioritization and hybrid deployment. Pilot in parallel before any cutover.
  5. Sustain. M-26-15 makes crypto-agility non-optional. Phases 3 and 4 both require it, through configuration-driven algorithm selection and key management that can refuse weak algorithms. Build your roadmap so the next algorithm change is a configuration event.

This last stage is important. The program will be judged on Phase 5: agility. Therefore, the next algorithm change should be a configuration event rather than another multi-year program. 
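The two engineering decisions the post keeps returning to, prioritizing by data longevity and quantum vulnerability (Phase 2) and treating a classical-only TLS fallback as unfinished migration (the memo’s downgrade point), are easy to state and easy to get wrong in a spreadsheet. The following is an added example, not code from the original post or from any agency program: it applies Mosca’s inequality and a fallback check over a constructed inventory. The asset names, shelf lives, migration times and the ten-year CRQC horizon are assumptions; the set of ML-KEM-bearing TLS group names is a constructed allow-list spelled the way the IETF hybrid key-exchange drafts spell them, and the quantum-vulnerable algorithm list covers only the common public-key primitives.

```python
"""Risk-based PQC prioritization over a constructed cryptographic inventory.

Added example (not from the original post or from any agency program). Asset
names, shelf lives and migration times are constructed; the CRQC horizon is an
assumed planning value at the aggressive end of the ten-year survey band.
"""
from dataclasses import dataclass

# Public-key primitives whose hardness assumption (factoring / discrete log) a
# CRQC breaks. Symmetric ciphers, hashes and the FIPS 203/204/205 families are
# treated as not quantum-vulnerable here (assumed, illustrative list).
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519", "P-256", "P-384"}

# TLS 1.3 groups that carry an ML-KEM share (assumed allow-list). Offering any
# group outside it still permits a classical-only handshake: downgrade exposure.
PQC_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024", "MLKEM768", "MLKEM1024"}

# Priority-system cutovers from EO 14412 / M-26-15, by cryptographic purpose.
DEADLINE = {"key_establishment": "2030-12-31", "signature": "2031-12-31"}


@dataclass(frozen=True)
class Asset:
    name: str
    purpose: str              # "key_establishment", "signature" or "symmetric"
    algorithm: str
    shelf_life_years: float   # x: how long the data must stay secret (or the signature valid)
    migration_years: float    # y: time to find and re-engineer this dependency
    tls_groups: tuple = ()    # TLS 1.3 groups the endpoint offers, if it is one


def mosca_exposed(asset: Asset, crqc_horizon_years: float) -> bool:
    """Mosca's inequality: if x + y > z the data is already in the breach window."""
    return asset.shelf_life_years + asset.migration_years > crqc_horizon_years


def allows_classical_fallback(groups: tuple) -> bool:
    """True when a TLS endpoint still negotiates a group with no ML-KEM component."""
    return any(g not in PQC_GROUPS for g in groups)


def is_quantum_vulnerable(asset: Asset) -> bool:
    return asset.algorithm in QUANTUM_VULNERABLE or allows_classical_fallback(asset.tls_groups)


def score(asset: Asset, crqc_horizon_years: float) -> int:
    """0 = not vulnerable; 3 = HNDL exposure on long-lived data (migrate first).

    Key establishment outranks signatures at equal Mosca status: ciphertext can be
    recorded today and decrypted later, a signature must be forged while relied on.
    """
    if not is_quantum_vulnerable(asset):
        return 0
    exposed = mosca_exposed(asset, crqc_horizon_years)
    if asset.purpose == "key_establishment":
        return 3 if exposed else 2
    if asset.purpose == "signature":
        return 2 if exposed else 1
    return 1


def findings(asset: Asset, crqc_horizon_years: float) -> list:
    """Human-readable reasons behind the score, for the migration plan."""
    out = []
    if asset.algorithm in QUANTUM_VULNERABLE:
        out.append(f"{asset.algorithm} is quantum-vulnerable")
    if allows_classical_fallback(asset.tls_groups):
        out.append("TLS offers classical-only groups (downgrade exposure)")
    if out and mosca_exposed(asset, crqc_horizon_years):
        out.append(f"Mosca: {asset.shelf_life_years}+{asset.migration_years} > {crqc_horizon_years} years")
    if out and asset.purpose in DEADLINE:
        out.append(f"deadline {DEADLINE[asset.purpose]}")
    return out


def prioritize(assets, crqc_horizon_years: float) -> list:
    """Return (score, name, findings) in migration order: HNDL exposure first."""
    ranked = sorted(
        assets,
        key=lambda a: (-score(a, crqc_horizon_years),
                       a.purpose != "key_establishment",
                       -a.shelf_life_years, a.name),
    )
    return [(score(a, crqc_horizon_years), a.name, findings(a, crqc_horizon_years)) for a in ranked]


# Constructed inventory (hypothetical systems, not a real agency's CBOM).
INVENTORY = [
    Asset("case-mgmt-api", "key_establishment", "X25519", 10, 2, ("X25519", "P-256")),
    Asset("vpn-gateway", "key_establishment", "ML-KEM-768", 7, 1, ("X25519MLKEM768", "X25519")),
    Asset("firmware-signing-ca", "signature", "ECDSA", 15, 4),
    Asset("public-web-cert", "signature", "RSA", 1, 1),
    Asset("pqc-only-proxy", "key_establishment", "ML-KEM-768", 10, 1, ("X25519MLKEM768",)),
    Asset("backup-at-rest", "symmetric", "AES-256", 25, 1),
]
CRQC_HORIZON_YEARS = 10  # assumed: the aggressive end of the ten-year survey band

if __name__ == "__main__":
    for s, name, why in prioritize(INVENTORY, CRQC_HORIZON_YEARS):
        print(f"P{s} {name:22s} {'; '.join(why) or 'no action'}")
```

Two details are the point. The VPN gateway already speaks ML-KEM, yet it scores as vulnerable because it still offers a classical group, which is exactly the one-negotiation-away condition the memo names. And the firmware-signing CA, a signature asset, outranks the one-year web certificate not because signatures suffer harvest-now-decrypt-later but because its validity outlives the assumed CRQC horizon; a signature that must hold for fifteen years is a real-time forgery target for most of that span.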

The Point I Keep Coming Back To

The chart above reinforces the argument I have made for years: compliance-based telemetry validates that controls exist; risk-based telemetry validates that controls work.  

A checkbox that reads “encryption: enabled” tells you nothing about whether that encryption survives a CRQC. A cryptographic inventory, scored by data longevity and algorithm vulnerability, is risk-based telemetry in its purest form. That is the difference between proving you have a lock and proving the lock still holds against the tool the adversary is building.

Cybersecurity is the art and science of maintaining operations.  

The PQC transition is the largest test of that idea in a generation, because the failure mode is not only a breach: done wrong, the cutover is the outage. That is why discovery and prioritization come first and why crypto-agility is not a nice-to-have.

Zero Trust is not the destination. Operational resilience is the destination.  

M-26-15 makes the connection explicit: it names PQC a foundational dependency for a durable Zero Trust architecture, because “never trust, always verify” collapses the moment the cryptography doing the verifying can be broken. EO 14413 is busy making the adversary faster. EO 14412 and M-26-15 on the civilian side and NSA under CNSA 2.0 on the national-security side, are how we stay ahead of it, on both tracks. 

The Call: Move on Risk, Before the Clock Decides for You

As someone who has been in your shoes and is advising agencies and mission partners today, here is where I would start: 

  1. Name the PQC migration lead this week. The 30-day gate is the easiest deadline to hit. How you handle it tells you how the rest will go.
  2. Stand up automated cryptographic discovery and start the CBOM now. Do not wait for the 270-day minimum elements. You cannot prioritize, budget or plan what you cannot see.
  3. Score every system by data longevity and quantum vulnerability, not by control-checklist status. That single reframe, from “is the control present?” to “does the control survive a CRQC?”, is the whole difference between a compliance artifact and a risk decision.
  4. Write the 120-day plan as a living document, with crypto-agility in the architecture, so the next algorithm change is a configuration event, not another multi-year program.

You do not have to start from zero – even if your team is staring at a blank cryptographic inventory and a running 120-day clock.  

Post-quantum migration is the largest test in a generation. Compliance proves a control exists; risk proves it works. The agencies that treat this as a risk problem rather than a compliance box are the ones whose systems will still be running and whose secrets will still be secret, when the cryptographically relevant quantum computer arrives. The quantum clock is running. Let’s move.  

Don’t let the clock make decisions for you. Reach out if we can help turn this mandate into a risk-based, executable roadmap that includes discovery, prioritization, a plan and the tooling to sustain it. 

Federal Chief Information Security Officer (CISO)
GuidePoint Security

Timothy Amerson is currently the Federal Chief Information Security Officer (CISO) at GuidePoint Security. He also serves as President of the Board of Directors for The KEY (Keep Elevating Yourself) Community Non-Profit. He brings more than 30 years of distinguished service in federal cybersecurity leadership. Most recently, he served as the CISO and Associate Commissioner at the Social Security Administration (SSA), where he was recognized as a 2023, 2024 and 2025 Top 100 Information Security Professional; 2024 FedScoop Top 50 Federal Leader Nominee; 2025 CyberScoop Government Leaders and FedScoop Top 50 Federal Leader Nominee; and Finalist, US Forces in Business Lifetime Achievement Award.
