
Executive Orders on Cybersecurity — part 1, Quantum


I spent a good amount of time reading the two versions of the Presidential Executive Order on Cybersecurity 14144 from the Biden Administration (January 16, 2025), https://www.presidency.ucsb.edu/documents/executive-order-14144-strengthening-and-promoting-innovation-the-nations-cybersecurity, and the updates to it from the Trump Administration (June 6, 2025), https://www.whitehouse.gov/presidential-actions/2025/06/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694-and-executive-order-14144/. There are a few things going on here, for Cybersecurity in general and for Post-Quantum Cryptography (PQC) specifically. Let’s deal with PQC first.


For PQC, and Cybersecurity in general, the Biden Administration version, released January 2025, mandated direct action to have a plan to migrate to PQC (quantum-resistant algos, see NIST: Post-Quantum Cryptography FIPS approved) by 2030, and to start the process on issuance of the Executive Order in order to be ready by 2035, in line with the recommendations by NIST: Post-Quantum Cryptography. It directed responsible government managers, such as the head of CISA, the Secretary of Homeland Security, and the Secretary of Defense, to take action. The Trump Administration plan, just released in June 2025, pulls back from this and only mandates a list of products that support PQC. The relevant text from sec 4 is:


(f)  A quantum computer of sufficient size and sophistication —  also known as a cryptanalytically relevant quantum computer (CRQC) —  will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world.  National Security Memorandum 10 of May 4, 2022 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems), directed the Federal Government to prepare for a transition to cryptographic algorithms that would not be vulnerable to a CRQC.


(i)   By December 1, 2025, the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and in consultation with the Director of the National Security Agency, shall release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.


(ii)  By December 1, 2025, to prepare for transition to PQC, the Director of the National Security Agency with respect to National Security Systems (NSS), and the Director of OMB with respect to non-NSS, shall each issue requirements for agencies to support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version.


Here is a table courtesy of AI:


PQC Executive Order Comparison Table

| PQC Topic | EO 14144 (Jan 2025) | Amended EO 14144 (June 2025) | Differences |
| --- | --- | --- | --- |
| Product Category Inventory | Required CISA and DHS to publish a list of commercial PQC-supporting product categories within 180 days. | Reduced. Requirement to identify or publish PQC-relevant product categories stretched out to December 1, 2025. | Stretched out government-led PQC product discovery and inventory. |
| Product Mandates | Mandated PQC support language in solicitations within 90 days of product list publication. | Removed. No requirement for agencies to consider PQC capabilities in new acquisitions. | Removed proactive procurement policy enforcing PQC readiness. |
| Hybrid Key Establishment | Encouraged “as soon as practicable” deployment of hybrid (classical + PQC) cryptographic solutions. | Removed. No mandate or encouragement to deploy hybrid key exchange. | Erased guidance on hybrid deployment, delaying early quantum-resistance exposure. |
| International Engagement | Required the Departments of State and Commerce to engage foreign counterparts on PQC standards development. | Removed. No directive for global engagement or standards coordination. | Downgraded U.S. role in shaping international PQC standards and adoption. |
| TLS 1.3 / Successor Protocol | Required NSA and OMB to issue TLS 1.3/successor guidance by Dec 1, 2025, and full support by Jan 2, 2030. | Retained. TLS 1.3 / successor migration timeline remains in full effect. | Only quantum-resilience measure retained across both versions. |

 

While OK in and of itself, I’m not sure what TLS 1.3 alone will do to make things Quantum-safer, other than make it easier to layer Quantum Resistant algos on top of it. This I got from one of my FS-ISAC colleagues (Josh Holt of MUFG):

 

TLS 1.2 is in Feature Freeze – so any post quantum algorithms including key exchange (ML-KEM) and digital signatures (ML-DSA) won’t be added to TLS 1.2 barring some future development. TLS 1.3 already supports RFC 9180: Hybrid Public Key Encryption and there is a draft memo for ML-KEM Post-Quantum Key Agreement for TLS 1.3, and major browsers already support some form of post quantum key exchange.

 

It’s still anyone’s guess as to what digital signatures are going to look like in TLS when it’s all said and done (WED_PLENARY_1500_Luke-Valenta_Why-the-Internet-isnt-ready-for-PQ-Certificates.pdf) – but TLS 1.3 at least puts you on the path to post quantum key exchange today while the industry figures out this whole post quantum PKI thing.


As a direction, the whole Exec Order preserves the strategic direction – enhancing software, AI, Quantum, IoT, and sanctions – but abandons many centralized, mandatory standards from the Biden-era Exec Order. That points to an approach led at the agency level and through industry collaboration.

 

I think the consensus from my industry peers here, though, is that what is driving Quantum forward is the technological advances and imperative. While you could wait another few months to follow the pack in Quantum Computing in general, if you are not in an innovative organization, you don’t have the luxury of time in preparing for PQC, because of all the prep work needed (inventory and management tooling, at the least) in large institutions (see what we have written at https://www.fsisac.com/pqc). Even if the current Administration has backed off setting a strategic direction and guardrails, Quantum and PQC will still go forward.
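One way to start the inventory work mentioned above, and to check the TLS 1.3 point from the quoted note, is to classify captured ClientHello records by whether they offer TLS 1.3 and a post-quantum key-exchange group. This is an added example, not code from the post or from FS-ISAC; the function names are hypothetical, the group codepoints are taken from the IANA TLS Supported Groups registry rather than from the post, and the sample ClientHello is constructed by the helper at the bottom.

```python
import struct

# Codepoints as listed in the IANA TLS Supported Groups registry
# (added here for illustration; they do not appear in the post).
PQ_GROUPS = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
             0x11ED: "SecP384r1MLKEM1024", 0x0200: "MLKEM512",
             0x0201: "MLKEM768", 0x0202: "MLKEM1024"}

def u16_list(data: bytes) -> list:
    return [v for (v,) in struct.iter_unpack("!H", data)]

def classify_client_hello(rec: bytes) -> dict:
    """Read one ClientHello record; report TLS 1.3 and PQ key-exchange offers."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        pos = 5 + 4 + 2 + 32                  # record hdr, handshake hdr, legacy_version, random
        pos += 1 + rec[pos]                   # legacy_session_id
        pos += 2 + struct.unpack_from("!H", rec, pos)[0]  # cipher_suites
        pos += 1 + rec[pos]                   # legacy_compression_methods
        ext_total = struct.unpack_from("!H", rec, pos)[0] if pos < len(rec) else 0
        pos, end, versions, groups = pos + 2, pos + 2 + ext_total, [], []
        while pos + 4 <= min(end, len(rec)):
            ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
            body = rec[pos + 4:pos + 4 + ext_len]
            if ext_type == 10:                # supported_groups: u16 length + u16 items
                groups = u16_list(body[2:2 + struct.unpack_from("!H", body)[0]])
            elif ext_type == 43:              # supported_versions: u8 length + u16 items
                versions = u16_list(body[1:1 + body[0]])
            pos += 4 + ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    tls13 = 0x0304 in versions                # no extension 43 means TLS 1.2 at best
    pq = [PQ_GROUPS[g] for g in groups if g in PQ_GROUPS]
    verdict = "tls13-pq" if tls13 and pq else "tls13-classical" if tls13 else "tls12-or-older"
    return {"tls13": tls13, "pq_groups": pq, "verdict": verdict}

def build_client_hello(versions, groups) -> bytes:
    """Constructed sample input: a minimal ClientHello offering these versions and groups."""
    g = b"".join(struct.pack("!H", x) for x in groups)
    exts = struct.pack("!HHH", 10, len(g) + 2, len(g)) + g
    if versions:
        v = b"".join(struct.pack("!H", x) for x in versions)
        exts += struct.pack("!HHB", 43, len(v) + 1, len(v)) + v
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding it the first record of each captured handshake gives a per-client tally of the three verdicts, which is the baseline a migration plan needs.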


More about what the Executive Order means for Cybersecurity in general in a later post.

 
 
 


©2025 by Joel M. Van Dyk. Proudly created with by Caliativity Productions on wix.com
