up:: The Mandates MOC
Executive Order 14412
Executive Order 14412 is the cybersecurity executive order signed by President Trump on June 22, 2026 that sets the first binding, dated deadlines for the United States federal government to migrate its most sensitive systems to post-quantum cryptography. Its full title is “Securing the Nation Against Advanced Cryptographic Attacks.” Where the earlier Executive Order 14306 mostly kept a product list and a network-readiness requirement alive, EO 14412 puts real transition dates on the calendar, requiring federal high value assets and high impact systems to use PQC for key establishment by December 31, 2030 and for digital signatures by December 31, 2031, and extending the reach to federal contractors and, through CISA, to critical infrastructure.
The short version:
- EO 14412 is a standalone order, not an amendment. It was signed June 22, 2026 and published in the Federal Register on June 25, 2026, and it stands on its own rather than editing EO 14306 or EO 14144.
- It sets two headline federal transition deadlines. High value assets (HVAs) and high impact systems, excluding National Security Systems, use PQC for key establishment by December 31, 2030 and for digital signatures by December 31, 2031.
- It reaches federal contractors. The FAR Council is directed to propose a rule requiring covered contractors to meet NIST FIPS, including the ones that carry PQC algorithms, by December 31, 2030.
- It puts a Cryptographic Bill of Materials into a federal directive for the first time. Within 270 days, CISA, with NIST, releases public guidance on the minimum elements of a CBOM.
- It leans on the existing standards stack. Key establishment is defined by reference to FIPS 203, and the migration targets are the NIST FIPS PQC standards, while the binding algorithm-deprecation years still live in NIST IR 8547.
Think of EO 14412 as the moment the federal post-quantum program moved from “get ready” to “be done by this date.” The prior orders told agencies to inventory their cryptography and to make their networks capable of carrying the new algorithms. This one names the systems that matter most, the HVAs and high impact systems, and writes down the years by which they actually have to be running post-quantum key establishment and post-quantum signatures. It also hands agencies a migration lead, a plan, a pilot, and a set of procurement levers to get there.
What is Executive Order 14412?
Executive Order 14412 is a presidential executive order signed June 22, 2026 and published in the Federal Register on June 25, 2026, titled “Securing the Nation Against Advanced Cryptographic Attacks.” It sets the policy that the United States will “safeguard national security and maintain technological leadership by responsibly and effectively executing the transition of Federal information systems” to NIST-approved FIPS for post-quantum cryptography, and it frames the threat plainly, “The advent of large-scale quantum computers, particularly in the hands of adversaries, will pose a significant threat to widely used cryptographic security systems.”
Source: The White House, “Securing the Nation Against Advanced Cryptographic Attacks,” presidential action, June 22, 2026, whitehouse.gov.
Source: Executive Order 14412, “Securing the Nation Against Advanced Cryptographic Attacks,” 91 FR 38483, June 25, 2026, federalregister.gov. [OPERATOR VERIFY the exact Federal Register page range; the June 25, 2026 publication date and the 91 FR 38483 starting page are confirmed across the White House PDF header and the Federal Register listing, the closing page was not read directly.]
A few points about its standing are worth being precise on:
- It’s a final, in-force executive order, signed June 22, 2026, and its directions to agencies are mandatory.
- It’s a new order, not an amendment. Unlike EO 14306, which edited the post-quantum section of EO 14144, EO 14412 does not amend a prior order. It builds on the existing federal stack and stands on its own, so it’s read alongside the earlier directives rather than as a revision of them.
- It points at the standards rather than naming ciphers. The order defines “key establishment” by reference to FIPS 203 and directs migration to NIST FIPS for PQC. The specific deprecation and disallowance years for the old algorithms are set separately, in NIST IR 8547.
The order is organized into seven sections: background and policy, definitions, coordinating the PQC transition, accelerating the PQC transition, leading the PQC transition, procurement, and general provisions. The post-quantum obligations that carry weight sit in sections 4, 5, and 6.
Who does EO 14412 apply to?
EO 14412 binds federal agencies directly, reaches federal contractors through procurement, and extends a support role to critical infrastructure through CISA. It’s broader than EO 14306, because it names concrete systems inside agencies and pulls the contractor base in by name.
- Federal civilian agencies carry the core obligation. Each agency names a PQC migration lead, submits a migration plan, and transitions its HVAs and high impact systems on the dated schedule.
- High value assets and high impact systems are the specific scope inside those agencies. An HVA is federal information or a system designated as a high value asset under OMB Memorandum M-19-03, and a high impact system is one where at least one security objective (confidentiality, integrity, or availability) carries a FIPS 199 potential impact value of “high.”
- National Security Systems are excluded from the HVA and high impact transition requirement. NSS continue under NSA authority and CNSA 2.0, and the order separately directs NSA, as National Manager for NSS, to report on NSS migration status.
- Federal contractors are reached through the Federal Acquisition Regulation. The order directs the FAR Council to propose a rule requiring covered contractors to comply with NIST FIPS, including the PQC-carrying ones, by December 31, 2030.
- Critical infrastructure owners and operators get assistance rather than a direct mandate. Sector Risk Management Agencies, defined under National Security Memorandum 22, work through CISA to help operators build their PQC migration plans.
Commercial organizations outside those groups carry no direct binding obligation from EO 14412. They feel it the way federal cybersecurity policy usually propagates, through the contractor FIPS rule, through the CBOM guidance that becomes a market reference, and through sector regulators that follow the federal lead.
What does EO 14412 require?
The order’s operative requirements are a set of dated migration and procurement obligations, plus a coordination scaffold to carry them out. The White House text carries the core deadlines directly.
The two headline transition requirements sit in the acceleration section:
“all HVAs and high impact systems to use PQC for key establishment by December 31, 2030”
“all HVAs and high impact systems to use PQC for digital signatures by December 31, 2031”
Source: The White House, presidential action of June 22, 2026, whitehouse.gov.
Around those two dates, the order builds the machinery to reach them:
- A named owner in every agency. Within 30 days, each agency head identifies its PQC migration lead and gives the name to the Director of OMB and the National Cyber Director.
- OMB implementing guidance. Within 90 days, OMB issues the guidance that requires agencies to hit the 2030 key-establishment and 2031 signature deadlines for HVAs and high impact systems.
- A NIST pilot. Within 180 days, NIST initiates a PQC migration pilot project, to be completed no later than December 31, 2027, so the government tests the migration on real systems before the deadlines land.
- The contractor FIPS rule. Within 180 days, the FAR Council publishes a proposed rule requiring covered contractors to comply by December 31, 2030 with NIST FIPS, “including all applicable FIPS incorporating PQC compliant algorithms.”
- Faster module validation. Within 180 days, NIST revises the Cryptographic Module Validation Program to accelerate validations, since a product cannot ship a FIPS-validated PQC module faster than the queue allows.
- CBOM minimum elements. Within 270 days, CISA, coordinating with NIST, releases public guidance on the minimum elements of a cryptographic bill of materials.
The order also directs the Secretary of State to engage foreign governments and industry to encourage adoption of the NIST-standardized PQC algorithms, and it tasks OMB, GSA, and other agencies with finding cost-saving opportunities in the transition. Those sections shape the effort without setting a system-level compliance date.
What is the EO 14412 timeline?
The dates are the load-bearing content of this order, and they fall into two groups: the near-term actions that stand up the program, keyed to days after the June 22, 2026 signing, and the fixed calendar deadlines the whole thing drives toward.
| Deadline | Who acts | What is required |
|---|---|---|
| Within 30 days (about July 2026) | Each federal agency | Name a PQC migration lead to OMB and the National Cyber Director |
| Within 90 days (about September 2026) | OMB | Issue guidance requiring the HVA and high-impact PQC transition |
| Within 180 days (about December 2026) | NIST | Initiate the PQC migration pilot, and revise the CMVP to speed validations |
| Within 180 days (about December 2026) | FAR Council | Propose a rule requiring covered contractors to meet NIST FIPS by December 31, 2030 |
| Within 180 days, then annually | NSA (National Manager for NSS) | Report NSS PQC migration status to the President through the CNSS |
| Within 270 days (about March 2027) | CISA, with NIST | Release public guidance on CBOM minimum elements |
| Within 270 days (about March 2027) | FAR Council | Propose a rule on contractor vulnerability disclosure programs |
| December 31, 2027 | NIST | Complete the PQC migration pilot project |
| December 31, 2030 | Federal agencies | HVAs and high impact systems use PQC for key establishment |
| December 31, 2030 | Covered federal contractors | Comply with NIST FIPS, including the PQC standards (per the FAR rule) |
| December 31, 2031 | Federal agencies | HVAs and high impact systems use PQC for digital signatures |
Source: The White House, presidential action of June 22, 2026, whitehouse.gov.
The day-count actions convert to approximate calendar dates, so treat the “about” months as guides and the four fixed December dates (2027, 2030, 2030, 2031) as the hard ones. The contractor FIPS obligation is still a proposed rule at signing, so its final form and effective terms settle when the FAR rulemaking closes.
How does EO 14412 differ from EO 14306?
EO 14412 goes considerably further than EO 14306, and the cleanest way to hold the two apart is by what each one actually forces. EO 14306 (June 2025) amended the prior order and kept two mechanisms alive: the CISA product-categories list and a federal requirement to support TLS 1.3 by January 2, 2030. Those are readiness steps, not a migration. EO 14412 (June 2026) is the migration order, and it stands on its own.
| Dimension | EO 14306 (June 2025) | EO 14412 (June 2026) |
|---|---|---|
| Form | Amends EO 14144 and EO 13694 | Standalone order, amends nothing |
| Core requirement | Support TLS 1.3, maintain a product-categories list | Migrate HVAs and high impact systems to PQC |
| Hard dates | TLS 1.3 by January 2, 2030 | Key establishment by December 31, 2030, signatures by December 31, 2031 |
| Contractors | No direct FIPS mandate | Proposed FAR rule, covered contractors meet NIST FIPS by December 31, 2030 |
| CBOM | Not addressed | CISA and NIST publish CBOM minimum elements within 270 days |
| Nature | Network-readiness and procurement reference | Dated migration of named systems |
Source: The White House, EO 14306, June 6, 2025, whitehouse.gov; The White House, EO 14412, June 22, 2026, whitehouse.gov.
Read together, EO 14306 got federal networks ready to carry post-quantum key exchange, and EO 14412 requires the highest-impact federal systems to actually be using it by a date. A program that treated the 2030 TLS date as its finish line has more work ahead, because EO 14412’s key-establishment and signature deadlines reach the systems themselves, past the transport layer.
How does EO 14412 relate to the other mandates and standards?
EO 14412 is now the sharpest dated pressure in the U.S. federal post-quantum stack, and it sits on top of a set of authorities it doesn’t replace. It’s most useful as the order that tells agencies which systems to migrate first and by when.
- NSM-10 (National Security Memorandum 10, May 2022) remains the top-level federal PQC policy directive and the 2035 whole-of-government goal. EO 14412’s 2030 and 2031 dates land well inside that horizon and give the mid-term goal teeth.
- OMB M-23-02 remains the binding annual cryptographic-inventory directive for civilian agencies. The inventory it requires is the raw material EO 14412’s HVA and high-impact migration plans depend on, since an agency cannot migrate systems whose cryptography it has not mapped.
- EO 14306 supplied the TLS 1.3 readiness step and the CISA product-categories list, both of which feed the migration EO 14412 now dates.
- NSA CNSA 2.0 governs National Security Systems, which EO 14412 excludes from the HVA and high-impact requirement. NSA reports separately on NSS migration under this order.
- NIST IR 8547 carries the deprecation and disallowance schedule for RSA, ECDSA, and ECDH. EO 14412 sets when the priority federal systems adopt PQC, and IR 8547 sets when the old algorithms are retired.
- The FIPS standards (FIPS 203, FIPS 204, FIPS 205) are the migration targets. EO 14412 defines “key establishment” by reference to FIPS 203, and the contractor FIPS rule points at the FIPS suite that carries the PQC algorithms.
What does the CBOM tasking mean for the transition?
The most quietly significant piece of EO 14412 is section 5’s CBOM tasking, because it’s the first time a cryptographic bill of materials appears in a federal directive with a named owner and a due date. The order gives CISA, coordinating with NIST, 270 days to publish public guidance on the minimum elements of a CBOM, an inventory of the cryptographic algorithms, protocols, and implementations inside a hardware or software product, built to be read by machines the way a software bill of materials is.
A federal minimum-elements definition matters because it standardizes what “know your cryptography” means. Every mandate in this section starts with a cryptographic inventory, and a common CBOM format turns that inventory from a hand-built spreadsheet into something a buyer can request, a vendor can ship, and a tool can check. Once federal procurement can ask for a CBOM against a published standard, the format propagates outward to any vendor that wants to sell into the government, the same way SBOM requirements spread. For an organization planning its own migration, the CBOM guidance is worth watching as the likely reference shape for cryptographic inventory across the market.
Source: The White House, presidential action of June 22, 2026, section 5, whitehouse.gov.
Common misconceptions
- “EO 14412 amends EO 14306.” It doesn’t. EO 14412 is a standalone order that builds on the existing federal stack. EO 14306 was the amendment, editing EO 14144; EO 14412 adds new, dated migration obligations without revising a prior order.
- “The deadlines cover every federal system.” They cover HVAs and high impact systems, the highest-priority tier, and they exclude National Security Systems. A moderate-impact system isn’t named by the 2030 and 2031 dates, though it still sits under the broader NSM-10 and NIST IR 8547 timeline.
- “December 31, 2030 is a full-migration date.” It’s the key-establishment deadline for HVAs and high impact systems. Digital signatures on those same systems have a separate December 31, 2031 date, and non-priority systems migrate under the wider federal schedule.
- “The contractor FIPS rule is already in force.” EO 14412 directs the FAR Council to publish a proposed rule. The binding obligation on contractors takes effect when that rulemaking is finalized, and its exact terms settle then.
- “EO 14412 deprecates the old algorithms.” It deprecates nothing. The deprecation and disallowance years for RSA, ECDSA, and ECDH come from NIST IR 8547. EO 14412 sets adoption dates for PQC on priority systems.
Questions people ask
Does EO 14412 apply to my company? Only if you’re a federal agency or you sell to one. Federal contractors are pulled in through the proposed FAR rule that ties NIST FIPS compliance to December 31, 2030. Critical infrastructure operators get CISA assistance rather than a direct mandate. A commercial firm with no federal ties isn’t bound, though the coming CBOM guidance and the contractor rule become market references.
What are the deadlines I should actually care about? The two fixed ones are December 31, 2030 for HVAs and high impact systems to use PQC for key establishment, and December 31, 2031 for those systems to use PQC for digital signatures. Contractors face the same December 31, 2030 FIPS date once the FAR rule is final. The earlier day-count actions (30, 90, 180, 270 days after June 22, 2026) stand up the program.
Is it law or guidance? It’s a final executive order, in force since June 22, 2026, and its directions to agencies are mandatory. Several of its outputs, like the CISA CBOM minimum-elements guidance, are informational once published, and the contractor obligation becomes binding through the FAR rulemaking it directs.
What’s a “high value asset” and a “high impact system”? An HVA is federal information or a system designated a high value asset under OMB Memorandum M-19-03. A high impact system is one where at least one security objective (confidentiality, integrity, or availability) carries a FIPS 199 potential impact value of “high.” Together they’re the priority tier the deadlines target.
How does EO 14412 fit with the 2035 goal? NSM-10 set a whole-of-government goal of mitigating quantum risk by 2035. EO 14412 puts earlier, enforceable dates on the highest-impact systems, so it’s the mid-term forcing function inside the longer NSM-10 horizon, working alongside the NIST IR 8547 algorithm-deprecation schedule.
Where do I find the requirements my agency has to meet? In the OMB implementing guidance issued within 90 days of the order, which carries the operational detail for HVAs and high impact systems, and in the agency’s own migration plan. The executive order sets the dates and the scope; the OMB guidance and agency plans carry the how.
What does EO 14412 change about CBOMs? It writes a CBOM into a federal directive for the first time, tasking CISA and NIST to publish minimum-elements guidance within 270 days. That’s likely to become the reference format for cryptographic inventory in federal procurement and, by propagation, across the vendor market.
Everything here is the map, given freely. When your team needs the federal PQC mandate stack, including EO 14412’s HVA deadlines and the coming CBOM guidance, turned into a migration sequenced against your own systems, that’s what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.