up:: The Mandates MOC

Executive Order 14144

Executive Order 14144 is the cybersecurity executive order signed by President Biden on January 16, 2025 that first wrote post-quantum cryptography deadlines into United States federal policy, and it was later amended and narrowed by Executive Order 14306 in June 2025. Its full title is “Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” and it was published in the Federal Register on January 17, 2025 at 90 FR 6755. Its post-quantum section turned the high-level goal of NSM-10 into a set of concrete agency tasks, ordering a CISA product list, a federal TLS 1.3 readiness requirement, a procurement trigger, and an allied-adoption push. Five months later EO 14306 went back over that section, kept two of those tasks and pinned them to fixed dates, and struck the rest, so the two orders are read together today.

The short version:

  • EO 14144 is a Biden order signed January 16, 2025 and published at 90 FR 6755. Its cybersecurity provisions were the first federal policy to attach dated actions to the post-quantum transition.
  • On post-quantum specifically it ordered five moves, a CISA product-categories list, a PQC requirement in agency solicitations, an allied-adoption engagement by State and Commerce, a federal TLS 1.3 support requirement no later than January 2, 2030, and PQC or hybrid key establishment as soon as practicable.
  • Executive Order 14306, signed June 6, 2025, amended EO 14144 rather than replacing it, so the operative federal PQC text today is EO 14144’s cybersecurity section as edited by EO 14306.
  • EO 14306 kept two of the five provisions and hard-dated them (the CISA list and the TLS 1.3 requirement, both pinned to a December 1, 2025 issuance) and pared back three (the procurement trigger, the hybrid push, and the international engagement).
  • The binding federal migration clocks were never in this order. They live in NSM-10, OMB M-23-02, and NIST IR 8547, so read EO 14144 as the order that started the federal PQC actions and always read it alongside EO 14306.

Think of EO 14144 as the first full blueprint a new owner draws up for a house, ambitious and detailed. A later revision keeps the two structural walls everyone agrees on, the buyer’s reference list and the network-readiness wiring, and erases several of the more aggressive rooms before construction starts. What actually gets built today is that original blueprint with the revision marks applied.

What is Executive Order 14144?

Executive Order 14144 is a presidential executive order titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” signed by President Biden on January 16, 2025 and published in the Federal Register on January 17, 2025 at 90 FR 6755 (document number 2025-01470). It was the outgoing administration’s broad cybersecurity order, and it covered software supply-chain security, federal systems, identity, artificial intelligence, and, in the section that matters here, the transition to post-quantum cryptography. On the quantum threat it echoed the same reasoning the rest of the federal stack uses, that a sufficiently capable quantum computer will break much of the public-key cryptography in use today, and it pointed back to NSM-10 as the directive that first told the government to prepare.

Source: The White House, Executive Order 14144, “Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” January 16, 2025, 90 FR 6755, federalregister.gov.

A few points about its standing are worth being exact on:

  1. It’s a real, signed executive order, not a proposal. It carried the force of an executive order from the day it was signed, and its post-quantum provisions were the first to translate the 2035 goal into specific dated agency tasks.
  2. It’s been amended and remains in force. Executive Order 14306 (June 6, 2025) edited EO 14144’s cybersecurity provisions in place, so the current operative text is EO 14144 as modified by EO 14306. Reading EO 14144 on its own overstates what is still live.
  3. The post-quantum provisions sit in the emerging-technology section. They name no ciphers, key sizes, or deprecation years. Those specifics live in the NIST FIPS standards and in NIST IR 8547. [OPERATOR VERIFY: the exact section and subsection number of the PQC provisions, cited here as Section 4, against the Federal Register text before quoting a paragraph letter.]

Who does EO 14144 apply to?

EO 14144 directs specific federal agencies to take specific actions, and it reaches the private sector only indirectly, the same way most of the federal PQC stack does. It is not a broad inventory-and-migration mandate like OMB M-23-02.

  1. CISA, within the Department of Homeland Security, was directed to publish and maintain the PQC product-categories list.
  2. Federal agencies generally were directed to include a PQC-support requirement in their solicitations once a product category appeared on that list, and to support TLS 1.3 on the timeline below.
  3. The Secretary of Defense and the Director of OMB were each directed to issue the TLS 1.3 support requirement, the Secretary of Defense for National Security Systems (NSS) and the OMB Director for non-NSS.
  4. The Secretary of State and the Secretary of Commerce were directed to engage foreign governments and industry groups to encourage adoption of the NIST-standardized post-quantum algorithms.
  5. Vendors and the commercial sector carry no direct binding obligation from the order. They feel it through federal procurement, since the product-categories list and the solicitation requirement shape what the government buys, which is exactly the propagation mechanism that carries federal mandates into the supply chain.

The order’s other sections (software supply chain, identity, AI, and more) sit outside this note, which covers only the post-quantum provisions.

What post-quantum requirements did EO 14144 set?

EO 14144 set five post-quantum actions. The order’s text is the primary source for each, and the White House and Federal Register versions carry them.

  1. A CISA product-categories list. Within 180 days of the order, the Secretary of Homeland Security, acting through the Director of CISA, was to release and regularly update a list of product categories in which products supporting post-quantum cryptography are widely available.
  2. A procurement trigger. Within 90 days of a product category being placed on that list, agencies were to take steps to include, in solicitations for products in that category, a requirement that the products support PQC.
  3. Allied adoption engagement. The Secretary of State and the Secretary of Commerce were to identify and engage foreign governments and industry groups in key countries to encourage their transition to the PQC algorithms standardized by NIST.
  4. A federal TLS 1.3 support requirement. Within 180 days, the Secretary of Defense (for NSS) and the Director of OMB (for non-NSS) were each to issue requirements for agencies to support TLS 1.3 or a successor version, as soon as practicable and no later than January 2, 2030.
  5. PQC or hybrid key establishment. Agencies were to implement PQC key establishment, or hybrid key establishment that includes a PQC algorithm, as soon as practicable.

Source: The White House, Executive Order 14144, January 16, 2025, federalregister.gov.

The list and the solicitation trigger together were a procurement lever, meant to pull PQC-capable products into federal purchasing as soon as the market could supply them. The TLS 1.3 requirement was a network-readiness step, since TLS 1.3 is the handshake that carries post-quantum and hybrid key establishment, so requiring it government-wide was a precondition for deploying ML-KEM in agency traffic at scale.

What is the EO 14144 PQC timeline?

As originally written, EO 14144 used mostly relative deadlines measured from the signing date, with one fixed calendar date for TLS 1.3 support. These are the original figures, before EO 14306 changed several of them.

Original deadlineWho actsWhat EO 14144 required
Within 180 days (about July 2025)CISA (DHS)Release and regularly update the PQC product-categories list
Within 90 days of a category being listedFederal agenciesInclude a PQC-support requirement in solicitations for that category
Within 90 daysState and CommerceEngage foreign governments and industry to adopt NIST PQC
Within 180 daysSecretary of Defense (NSS), OMB Director (non-NSS)Each issue requirements for agencies to support TLS 1.3
As soon as practicable, no later than January 2, 2030Federal agenciesSupport TLS 1.3 or a successor version
As soon as practicableFederal agenciesImplement PQC or hybrid key establishment

Source: The White House, Executive Order 14144, January 16, 2025, federalregister.gov.

Because the order was amended in June 2025, these original relative deadlines are mostly historical now. The current live dates come from EO 14306, which replaced the two surviving relative deadlines with a fixed December 1, 2025 issuance date and preserved the January 2, 2030 TLS 1.3 support target. The next section walks that edit.

How did EO 14306 change EO 14144?

Executive Order 14306, signed June 6, 2025, amends the post-quantum section of EO 14144 instead of revoking it, so the net effect on federal PQC is a set of edits. It kept two provisions and hard-dated them, and it pared back the other three.

EO 14144 provisionFate under EO 14306
CISA PQC product-categories listKept, with the deadline changed from within 180 days to a fixed December 1, 2025
Federal TLS 1.3 support requirementKept, with the NSS-side authority moved from the Secretary of Defense to the Director of NSA, the issuance deadline fixed at December 1, 2025, and the January 2, 2030 support target preserved
PQC requirement in agency solicitationsPared back
PQC or hybrid key establishment as soon as practicablePared back
State and Commerce allied-adoption engagementPared back

Source: The White House, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144,” June 6, 2025, whitehouse.gov. [OPERATOR VERIFY: the three pared-back provisions are reported consistently across legal and industry analyses of EO 14306 and are consistent with the surviving amended text; confirm against a clean EO 14144 versus EO 14306 redline before asserting the specific strike-throughs verbatim.]

The plain read is that the federal government still wants PQC-ready products identified and TLS 1.3 deployed, and it stepped back from forcing PQC into procurement language, from pushing hybrid adoption on an ASAP clock, and from leading an international adoption campaign. On implementation, CISA published its product-categories list on January 23, 2026, referencing the FIPS 203, FIPS 204, and FIPS 205 standards, a little after the December 1, 2025 issuance date EO 14306 had set.

Source: CISA, “CISA Releases Product Categories List to Propel Post-Quantum Cryptography Adoption Pursuant to President Trump’s Executive Order 14306,” cisa.gov.

Is EO 14144 still in effect?

Yes, in amended form. EO 14144 remains a valid executive order, and its cybersecurity provisions are still operative as edited by Executive Order 14306, so the correct way to cite the current federal position is EO 14144 as amended by EO 14306. The edit changed the content of the post-quantum section while the order itself stands. The two surviving PQC obligations, the CISA product list and the federal TLS 1.3 requirement, live on with fixed December 1, 2025 issuance dates and the January 2, 2030 TLS support target. EO 14306 struck the three pared-back provisions, so they sit inactive today.

For a program manager the practical rule is simple. Treat EO 14144 as the order that started the federal PQC actions, treat EO 14306 as the document that tells you which of those actions survived and on what dates, and anchor any real migration schedule to the durable authorities that neither order changed, NSM-10, OMB M-23-02, NSA CNSA 2.0, and NIST IR 8547.

How does EO 14144 relate to the other mandates and standards?

EO 14144 sits inside the U.S. federal PQC stack, and its most useful role now is as the origin document for two of the actions that survived into EO 14306.

  1. NSM-10 (National Security Memorandum 10, May 4, 2022) is the higher-level directive that set the 2035 risk-mitigation goal. EO 14144’s PQC section was one attempt to operationalize that goal, and NSM-10 is untouched by either EO 14144 or EO 14306.
  2. Executive Order 14306 is the order that amends EO 14144. The two are always read together, and 14306 is the one that carries the current dates.
  3. OMB M-23-02 remains the binding civilian-agency cryptographic-inventory directive, and neither EO 14144 nor EO 14306 changed it.
  4. NSA CNSA 2.0 governs National Security Systems. Under the amended order NSA now issues the NSS-side TLS 1.3 requirement, consistent with CNSA 2.0 timelines.
  5. NIST IR 8547 carries the deprecation and disallowance schedule for quantum-vulnerable algorithms. EO 14144’s TLS 1.3 milestone is an enabling step toward the migration IR 8547 dates, and it names no algorithms itself.
  6. The FIPS standards (FIPS 203, FIPS 204, FIPS 205) are what the resulting CISA product-categories list points in-scope products at implementing.

Set against Mosca’s inequality, EO 14144’s contribution was to convert part of NSM-10’s open-ended goal into dated actions, which is what a migration program can actually plan against. The dates that survived the amendment are transport and procurement readiness, not a completed migration, so a program still leans on NIST IR 8547 and NSM-10 for the binding endpoint years.

Common misconceptions

  1. “EO 14144 is the current federal PQC order.” It’s the origin order, and it’s been amended. The operative text today is EO 14144 as edited by Executive Order 14306, and 14306 is the one carrying the live dates.
  2. “EO 14144 was repealed.” It was amended and remains in force. The order still stands, its cybersecurity section was edited in place, and two of its five PQC provisions survived with fixed dates.
  3. “EO 14144 required agencies to buy PQC products.” The original order did add a PQC requirement to agency solicitations, but EO 14306 pared that procurement trigger back, so being on or off the CISA list doesn’t by itself bind a federal solicitation.
  4. “The CISA list was Trump’s idea.” The list originates in EO 14144, the Biden order. EO 14306 kept it and pinned it to December 1, 2025, and CISA published it January 23, 2026.
  5. “EO 14144 set the migration deadline.” It set enabling actions and a TLS 1.3 readiness date, not the binding migration clock. The 2035 goal is in NSM-10 and the algorithm deprecation years are in NIST IR 8547.
  6. “EO 14144 deprecated the old algorithms.” It deprecates nothing. The deprecation and disallowance years for RSA, ECDSA, and Diffie-Hellman come from NIST IR 8547, not from this order.

Questions people ask

Is EO 14144 still valid? Yes, in amended form. It remains a signed executive order, and its cybersecurity provisions are operative as modified by Executive Order 14306. Cite the current federal position as EO 14144 as amended by EO 14306.

What’s the difference between EO 14144 and EO 14306? EO 14144 (January 16, 2025, Biden) is the original order that set five post-quantum actions. EO 14306 (June 6, 2025) amends it, keeping two of those actions with fixed December 1, 2025 dates and paring back the other three. They govern together.

Does EO 14144 apply to my company? Only indirectly, unless you’re a federal agency or you sell to one. The order binds federal agencies and reaches vendors through procurement. Commercial organizations aren’t regulated by it, though the CISA product-categories list it produced is a useful public reference for which technology classes already ship PQC.

What deadline should I actually care about? For the TLS piece, agencies support TLS 1.3 or a successor no later than January 2, 2030, a date EO 14306 preserved from this order. The agency requirement documents behind it were due December 1, 2025 under the amended order. That 2030 date is a readiness milestone, not a full-migration deadline.

Why does EO 14144 point back to NSM-10? NSM-10 is the 2022 directive that set the federal government’s 2035 post-quantum goal and told agencies to prepare. EO 14144’s post-quantum section was one way of turning that goal into specific dated tasks, and NSM-10 remains the higher authority both orders operate under.

Did EO 14306 push EO 14144’s deadlines back? For the CISA list, yes in effect, since the original within-180-days deadline (about July 2025) became a fixed December 1, 2025 date. For the TLS 1.3 support target it kept January 2, 2030 unchanged. What it mainly did was remove three provisions rather than reschedule them.

Where do I find the actual requirements my agency has to meet? In the NSA (for NSS) and OMB (for non-NSS) requirement documents issued under the amended order, not in either executive order’s text. The EO sets the issuance deadline; the issued documents carry the operational detail for a given environment.


Everything here is the map, given freely. When your team needs the federal PQC mandate stack, including how EO 14144 and EO 14306 fit together, translated into a migration sequenced against your own systems, that’s what an alignment briefing is for.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.