On June 22, President Trump signed Executive Order 14409, "Securing the Nation Against Advanced Cryptographic Attacks," setting the federal government's first binding executive deadlines for moving to post-quantum cryptography (PQC). For contractors, the consequential part is not the agency timeline — it is the two rulemakings the order puts on the calendar.
What the order requires of contractors
The order directs the FAR Council, in consultation with CISA and NIST, to publish a proposed rule within 180 days requiring "covered contractors" to comply by December 31, 2030, with NIST's Federal Information Processing Standards (FIPS), including the standards that incorporate post-quantum algorithms — ML-KEM (FIPS 203) for key establishment and ML-DSA (FIPS 204) for digital signatures. A second proposed rule, due within 270 days, would extend contractor vulnerability disclosure programs to cover cryptographic weaknesses, including testing for missing encryption and the use of non-FIPS-approved algorithms.
If you already hold or are pursuing CMMC, this isn't entirely new ground: CMMC Level 2 (NIST SP 800-171) already expects FIPS-validated cryptography to protect CUI. The new rule extends that expectation into a government-wide, deadline-bound requirement. 2026 Compliance Guide: CMMC 2.0 for Small Businesses
Civilian agencies or DoD: who EO 14409 covers
Scope matters here. EO 14409 covers civilian agencies and their contractors. National security systems — DoD and the intelligence community — are exempt and remain on the NSA's CNSA 2.0 track, which already expects newly acquired national-security systems to be quantum-safe from January 1, 2027.
So if you sell IT or cyber services to DHS, VA, GSA, or other civilian agencies, the forthcoming FAR clause is aimed at you. If your work is DoD-side, CNSA 2.0 — not this order — governs your timeline. Either way the direction is identical: FIPS-validated, quantum-resistant cryptography is becoming a contract requirement, not a best practice.
What to do now
Inventory your cryptography. Identify what encryption your systems use, where, and which modules are FIPS-validated. This is the gating task for almost everyone.
Check your FIPS validation status. FIPS 140-2 validations move to historical status on September 21, 2026, and FIPS 140-3 validation through the CMVP commonly runs 18 months or longer — so a 2030 line is closer than it reads.
Map your civilian-agency exposure. The forthcoming FAR clause targets covered contractors on civilian-agency work; know which of your contracts are in scope.
Watch regulations.gov. The FAR proposed rule is due within roughly six months and the vulnerability-disclosure rule about three months after that. Both will carry comment windows worth using.
FAQ
Does the post-quantum executive order apply to DoD contractors?
No. EO 14409 covers civilian agencies and their contractors. National security systems — DoD and the intelligence community — are exempt and follow the NSA's CNSA 2.0 schedule, which expects new national-security-system acquisitions to be quantum-safe from January 1, 2027.
When does the FAR rule take effect?
It doesn't yet. The order directs the FAR Council to publish a proposed rule within 180 days; it then goes through notice-and-comment before any final rule. The compliance date the rule will set is December 31, 2030.
What is the contractor deadline?
Covered civilian-agency contractors would need to meet NIST's FIPS, including post-quantum algorithms, by December 31, 2030, once the rule is finalized.
SOURCES
The White House (primary) — Securing the Nation Against Advanced Cryptographic Attacks — https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/ (confirm before publishing: §6(c) FAR proposed rule within 180 days, covered contractors comply by Dec 31, 2030 with NIST FIPS incl. PQC; §6(d) VDP rule within 270 days covering cryptographic vulnerabilities. Confirm the EO number "14409" against the Federal Register listing once published — number is from secondary reporting)
The Hacker News — Trump Order Sets 2030 Deadline for Federal Post-Quantum Crypto Migration — https://thehackernews.com/2026/06/trump-order-sets-2030-deadline-for.html (confirm: agency deadlines — key establishment Dec 31, 2030; digital signatures Dec 31, 2031; FAR Council 180-day timeline; 30-day agency migration leads; OMB 90-day guidance)
Tech Times / Breaking Defense — Post-Quantum Encryption Mandate — https://www.techtimes.com/articles/318890/20260623/post-quantum-encryption-mandate-trump-sets-2030-deadline-adversaries-harvest-data-now.htm (confirm scope: civilian agencies + contractors only; NSS/DoD exempt, on NSA CNSA 2.0 — new NSS acquisitions quantum-safe from Jan 1, 2027)
Cybersecurity Dive — Trump sets new deadlines… post-quantum cryptography — https://www.cybersecuritydive.com/news/quantum-cryptography-white-house-executive-order/823530/ (confirm: contractor FIPS regulation + VDP regulation directives; CISA/SRMA critical-infrastructure migration support)