up:: The Mandates MOC
Executive Order 14306
Executive Order 14306 is the cybersecurity executive order signed by President Trump on June 6, 2025 that amends the post-quantum-cryptography provisions of the prior order EO 14144, keeping two federal PQC mechanisms alive and pinning them to fixed dates. Its full title is “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.” Rather than launching a new post-quantum program, it edits the existing one, preserving the CISA product-categories list and the government-wide TLS 1.3 support requirement while paring back several other PQC provisions the January 2025 order had attached.
The short version:
- EO 14306 is an amendment, not a fresh mandate. It edits the PQC section of EO 14144 (signed January 16, 2025) and also touches Executive Order 13694.
- It keeps two PQC obligations and hard-dates them: CISA, with NSA, publishes a list of product categories where PQC products are widely available, and NSA plus OMB require agencies to support TLS 1.3 or a successor.
- Both agency actions carried a December 1, 2025 issuance deadline. Federal agencies then have to support TLS 1.3 as soon as practicable and no later than January 2, 2030.
- CISA published its product-categories list on January 23, 2026, referencing the FIPS 203, FIPS 204, and FIPS 205 standards.
- The TLS 1.3 date is an enabling milestone, not a complete migration deadline. The binding migration clocks still live in NSM-10, OMB M-23-02, and NIST IR 8547.
Think of EO 14306 as a revision mark on an existing law rather than a new law. The January 2025 order had drafted an ambitious post-quantum push. This one goes back over that draft, keeps the two lines that turn “we should adopt PQC” into a dated procurement reference and a network-readiness requirement, strikes several of the more aggressive lines, and signs the result. What survives the edit is exactly what a federal buyer and a federal network team can act on this year.
What is Executive Order 14306?
Executive Order 14306 is a presidential executive order signed June 6, 2025 that revises two earlier orders: EO 14144 (“Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” January 16, 2025) and Executive Order 13694 (the 2015 cyber-sanctions order). Its post-quantum content lives in the section that amends EO 14144’s cybersecurity provisions, and it recognizes the same underlying threat the earlier orders did, describing “a quantum computer of sufficient size and sophistication, also known as a cryptanalytically relevant quantum computer (CRQC),” as something that “will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world.”
Source: The White House, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144,” presidential action, June 6, 2025, whitehouse.gov.
A few points about its standing are worth being precise on:
- It’s a final, in-force executive order, not a draft. It was signed June 6, 2025 and published in the Federal Register on June 11, 2025 [OPERATOR VERIFY: exact Federal Register volume and page citation, reported as 90 FR 24727; the June 11, 2025 publication date is confirmed, the precise FR page was not read directly].
- It amends rather than replaces. The operative federal PQC text today is EO 14144’s cybersecurity section as edited by EO 14306, so the two are read together. EO 14306 tells you which of the earlier order’s PQC provisions are still live.
- It threatens no algorithm and sets no parameters. EO 14306 points at the NIST FIPS standards and the CISA list rather than naming ciphers, key sizes, or deprecation years. Those specifics live in NIST IR 8547 and the FIPS documents.
Who does EO 14306 apply to?
EO 14306 directs specific federal agencies to take specific actions, and it reaches the private sector only indirectly. It’s a targeted amendment, not a broad inventory-and-migration mandate like OMB M-23-02.
- CISA, within the Department of Homeland Security and in consultation with NSA, has to publish and maintain the PQC product-categories list.
- NSA has to issue the TLS 1.3 support requirement for National Security Systems (NSS).
- OMB has to issue the TLS 1.3 support requirement for non-NSS federal systems.
- Federal agencies generally are covered downstream. Once NSA and OMB issue their requirements, agencies operating NSS and non-NSS systems have to support TLS 1.3 or a successor by January 2, 2030.
- Vendors and the commercial sector carry no direct binding obligation from this order. The product-categories list shapes federal procurement preferences and puts market pressure on vendors to ship FIPS-validated PQC in the named categories, and it’s a useful public reference for which technology classes already have PQC-capable products.
The order also addresses AI cybersecurity, secure software development, routing and border-gateway security, and the cyber-sanctions authority under Executive Order 13694. Those sections sit outside this note, which covers the PQC-relevant provisions.
What does EO 14306 require?
The order keeps two PQC machinery items from EO 14144 alive and attaches a firm date to each. The White House text carries both verbatim.
The first is the CISA product-categories list:
“By December 1, 2025, the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and in consultation with the Director of the National Security Agency, shall release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.”
The second is the federal TLS 1.3 support requirement:
“By December 1, 2025, to prepare for transition to PQC, the Director of the National Security Agency with respect to National Security Systems (NSS), and the Director of OMB with respect to non-NSS, shall each issue requirements for agencies to support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version.”
Source: The White House, presidential action of June 6, 2025, whitehouse.gov.
The list is a buyer-facing reference, not an algorithm mandate. It tells federal purchasers which classes of technology already have PQC-capable products on the commercial market. The TLS 1.3 requirement is a network-readiness step: TLS 1.3 is the handshake that carries post-quantum and hybrid key establishment, so requiring agencies to support it government-wide is a precondition for deploying ML-KEM in agency traffic at scale, which is why the order frames it as preparation for the PQC transition.
What is the EO 14306 timeline?
The dates are the load-bearing content of this order. There are three that matter for PQC.
| Deadline | Who acts | What is required |
|---|---|---|
| December 1, 2025 | CISA, with NSA | Release the PQC product-categories list, and regularly update it thereafter |
| December 1, 2025 | NSA (for NSS) and OMB (for non-NSS) | Each issues requirements for agencies to support TLS 1.3 or a successor |
| As soon as practicable, no later than January 2, 2030 | Federal agencies | Support TLS 1.3 or a successor version |
Source: The White House, presidential action of June 6, 2025, whitehouse.gov.
On implementation, CISA published “Product Categories for Technologies That Use Post-Quantum Cryptography Standards” on January 23, 2026, a little after the December 1, 2025 issuance date. The resource sorts technology by how mature PQC-capable products are in each category and references the FIPS 203, FIPS 204, and FIPS 205 standards as the algorithms in-scope products should implement.
Source: CISA, “CISA Releases Product Categories List to Propel Post-Quantum Cryptography Adoption Pursuant to President Trump’s Executive Order 14306,” cisa.gov. [OPERATOR VERIFY: the exact tier or category names CISA uses on the list, and the per-category counts, against the live CISA resource page before quoting them.]
What did EO 14306 change from EO 14144?
EO 14306 amends the post-quantum section of EO 14144 instead of revoking it, so the net effect on PQC is a set of edits, not a clean sweep.
What it kept, and hard-dated:
- CISA’s obligation to publish and regularly update the PQC product-categories list, with the deadline pinned to December 1, 2025.
- The federal TLS 1.3 support requirement, with the January 2, 2030 target preserved.
- The recognition that a cryptographically relevant quantum computer threatens public-key cryptography.
What it pared back from the January order:
- The mandatory procurement trigger that would have required federal solicitations to specify PQC.
- The explicit push to adopt hybrid PQC as soon as practicable.
- The mandate to promote post-quantum adoption internationally among allies and partners.
[OPERATOR VERIFY: the three pared-back provisions are reported consistently across legal and industry analyses of EO 14306 and are consistent with the amended text, which carries only the two retained provisions above; confirm against a clean EO 14144 versus EO 14306 redline before asserting the specific strike-throughs verbatim.]
The plain read is that the federal government still wants PQC-ready products identified and TLS 1.3 deployed, and it stepped back from forcing PQC into procurement language and from leading an international adoption campaign. The migration of federal systems to PQC still proceeds under the authorities EO 14306 didn’t touch, namely NSM-10, OMB M-23-02, CNSA 2.0, and NIST IR 8547.
How does EO 14306 relate to the other mandates and standards?
EO 14306 is one piece of a stack, and it’s a narrow one. It’s most useful as the document that tells you which of the earlier order’s PQC provisions are still operative.
- EO 14144 is the order EO 14306 amends. The PQC provisions in force today are EO 14144’s cybersecurity section as edited by EO 14306, so they’re always read together.
- NSM-10 (National Security Memorandum 10, May 4, 2022) remains the highest-level federal PQC policy directive and is untouched by EO 14306. The 2035 risk-mitigation goal and the agency inventory and migration-plan tasking come from there.
- OMB M-23-02 remains the binding civilian-agency cryptographic-inventory and funding-assessment directive. EO 14306 doesn’t change it.
- NSA CNSA 2.0 governs National Security Systems. NSA issues the NSS-side TLS 1.3 requirement under EO 14306, consistent with CNSA 2.0 timelines.
- NIST IR 8547 carries the deprecation and disallowance schedule for quantum-vulnerable algorithms. EO 14306’s TLS 1.3 milestone is an enabling step toward the migration IR 8547 dates.
- The FIPS standards (FIPS 203, FIPS 204, FIPS 205) are what the CISA product-categories list points in-scope products at implementing.
What does the TLS 1.3 deadline actually force?
A dated requirement is what turns “someday” into a scheduled program, and that’s the real work the January 2, 2030 target does. Once a specific year is written down as the date agencies have to support TLS 1.3, the readiness step stops being aspirational and becomes something with an owner and a due date. What it forces is transport readiness: TLS 1.3 is the handshake that can carry post-quantum and hybrid key establishment, so getting every agency onto it is the precondition for putting ML-KEM into agency network traffic.
What it does not force is a completed migration. Supporting TLS 1.3 everywhere by 2030 leaves PKI, code signing, data-at-rest, and non-TLS protocols untouched, and those are the bulk of a real post-quantum migration. Read against Mosca’s Theorem, a 2030 transport-readiness date only helps if the rest of the migration moves alongside it. On its own it’s a partial measure, and treating it as the finish line is the most common way to misread this order. The binding migration anchors stay the NSM-10 2035 goal and the NIST IR 8547 deprecation schedule.
Common misconceptions
- “EO 14306 is the whole federal PQC mandate.” It’s a narrow amendment. The binding inventory and migration obligations live in NSM-10, OMB M-23-02, and NIST IR 8547. EO 14306 is necessary context, not a complete compliance picture.
- “Supporting TLS 1.3 by 2030 means we’re PQC-migrated.” January 2, 2030 is a transport-readiness milestone. An agency on TLS 1.3 everywhere that hasn’t migrated its PKI, code signing, or data-at-rest still has the migration ahead of it.
- “The CISA list is a procurement mandate.” It’s a buyer reference for which product categories have PQC-capable options. EO 14306 specifically removed the procurement-trigger language, so being on or off the list doesn’t by itself bind a federal solicitation.
- “NSS and non-NSS follow the same requirement document.” The TLS requirement is issued by two authorities, NSA for NSS and OMB for non-NSS. An organization touching both worlds tracks two documents.
- “EO 14306 deprecated the old algorithms.” It deprecates nothing. The deprecation and disallowance years for RSA, ECDSA, and ECDH come from NIST IR 8547, not from this order.
Questions people ask
Does EO 14306 apply to my company? Only indirectly, unless you’re a federal agency or you sell to one. The order binds federal agencies, and it reaches vendors through the procurement preferences the CISA product-categories list shapes. Commercial organizations aren’t regulated by it, though the list is a handy public reference for which technology classes already ship PQC.
Is it law or guidance? It’s a final executive order, in force since June 6, 2025, and its directions to agencies are mandatory. The CISA product-categories list that resulted from it is informational guidance for buyers, not a binding procurement rule.
What’s the actual deadline I should care about? For the TLS piece, agencies support TLS 1.3 or a successor as soon as practicable and no later than January 2, 2030. The agency requirement documents behind that were due December 1, 2025. But 2030 is a readiness date, not a full-migration date, so don’t plan a whole program around it.
Did EO 14306 push the deadlines back? Not the ones it kept. It preserved the January 2, 2030 TLS target from the earlier order. What it changed was removing the procurement trigger, the hybrid-adoption push, and the international-promotion mandate, so the federal posture eased at the procurement layer while the dates it retained stayed put.
Where do I find the actual requirements my agency has to meet? In the NSA (for NSS) and OMB (for non-NSS) requirement documents issued under this order, not in the executive order text itself. The EO sets the December 1, 2025 issuance deadline; the issued documents carry the operational detail for a given environment.
How does it line up with the NIST standards and NSM-10? EO 14306’s TLS 1.3 step is an on-ramp that lets agency traffic carry the FIPS 203 key-establishment standard. The binding migration timeline itself comes from NSM-10 (the 2035 goal) and NIST IR 8547 (the algorithm deprecation years), which EO 14306 leaves in place.
Is EO 14306 the latest word on federal PQC? It’s the current operative amendment to EO 14144’s PQC section as of this note’s verification date. Federal cybersecurity policy moves through further orders and memos over time, so anchor a program to the durable authorities (NSM-10, OMB M-23-02, NIST IR 8547) and treat EO 14306 as the document that tells you which EO 14144 PQC provisions are still live.
Everything here is the map, given freely. When your team needs the federal PQC mandate stack translated into a migration sequenced against your own systems, that’s what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.