Executive Order 14409: What the Order Says and What It Requires


On June 22, 2026, the White House signed Executive Order 14409: "Securing the Nation Against Advanced Cryptographic Attacks." The order is built on a single threat premise: foreign adversaries are harvesting encrypted U.S. data and communications, storing them in bulk, and waiting for quantum computers powerful enough to decrypt them later. The order treats this threat as present reality rather than theory, and organizations will now need to comply.


For federal agencies, the order mandates a shift from quantum-readiness planning to quantum-readiness enforcement. For federal contractors, it goes further: Section 6 imposes compliance obligations, including hard deadlines and audit requirements. The order also demands cryptographic agility — the ability to migrate from quantum-vulnerable encryption to quantum-safe algorithms across systems, data, and infrastructure. This means organizations need to know where legacy encryption is in use across their data repositories, infrastructure, and supply chain. Any organization with federal contracts is affected, with the deadline to comply set for December 31, 2030.



Why This Matters: The Harvest Now, Decrypt Later Threat and Cryptographic Agility


The Executive Order introduces the concept of Harvest Now, Decrypt Later (HNDL). The term is relatively new to security policy, but it's central to post-quantum cryptography (PQC) migration timelines. Here's how it works: adversaries intercept and store encrypted communications and data today — files, emails, classified information, and intellectual property. They store it in bulk because decryption isn't possible yet. But they're betting on the arrival of cryptographically-relevant quantum computers (CRQCs) within 10–15 years. This means once a CRQC exists, current encryption standards, including RSA-2048, ECC, and the cryptographic foundations of TLS and PKI, become solvable problems. The stored data can be decrypted at scale retroactively, hence the term 'harvest now, decrypt later'.


The solution for HNDL is cryptographic agility. Cryptographic agility is an organization's ability to migrate from quantum-vulnerable encryption to quantum-safe algorithms across systems, data, and infrastructure without redesigning systems, rebuilding infrastructure, or disrupting operations. In practice, this means knowing which algorithms are used to encrypt what, where those systems live, and having the capability to update them.


This could be a challenge for many organizations because they lack visibility into their own cryptographic programs. For example, an organization may be:

  • Running TLS on its networks and some PKI infrastructure, but unsure whether its databases are encrypted.

  • Unsure whether its files, including documents, PDFs, and research data, are encrypted at rest.

  • Without any inventory of its cryptographic dependencies.


Some organizations may not have answers to any or all of these questions. And when the order requires migration to post-quantum algorithms, they'll have no idea where to start.


The Timeline: What Happens and When

The order establishes explicit deadlines, which are all legally binding.

When                What
July 22, 2026       Each federal agency designates a PQC Migration Lead
September 20, 2026  OMB issues guidance; agencies inventory high-value assets (HVAs) and submit migration plans
December 19, 2026   NIST launches a PQC pilot program; NSA publishes first status report; FAR Council publishes a proposed rule requiring covered contractors to meet NIST post-quantum cryptography (FIPS 203/204) standards by December 31, 2030
March 19, 2027      CISA releases cryptographic bill of materials (CBOM) guidance; FAR Council publishes a proposed rule on vulnerability disclosure and testing for "lack of encryption"
December 31, 2027   NIST PQC pilot complete
December 31, 2030   All covered contractors and federal agencies must have migrated key establishment systems to NIST post-quantum cryptography
December 31, 2031   Digital signature systems migrated to post-quantum standards


As of now, the December 2026 and March 2027 dates are proposed rules rather than hard compliance deadlines. The real deadline is December 31, 2030 — over four years away.


The timeline does create urgency. The December 2026 proposed rule will clarify what constitutes a "covered contractor" and what compliance entails. The March 2027 CBOM guidance will define where cryptographic vulnerabilities live and how to audit for them. This means organizations that wait until late 2027 to start planning will have less than three years for remediation.


Who is a covered contractor?

The order uses broad language: any contractor that handles, processes, or transmits federal information. This includes:

  • Defense and aerospace companies

  • Life sciences firms with federal grants or contracts

  • Financial services and healthcare organizations with government contracts

  • Critical infrastructure operators (energy, water, telecommunications)

  • Any vendor in the federal supply chain


What Changes: The Operational Shift


For federal agencies: The order compresses migration timelines and creates accountability. Agencies must name a PQC Lead, inventory high-value assets, and submit migration plans.


For contractors: The operational change is larger. The order requires:

  1. Cryptographic inventory and assessment: Contractors must know where cryptographic systems live, including TLS, PKI, digital signatures, key management, and data encryption (both structured and unstructured).

  2. Migration planning: They must plan the transition from quantum-vulnerable algorithms to NIST post-quantum standards (FIPS 203/204/205) for key establishment and digital signatures.

  3. Compliance proof: When auditors arrive (expected in 2027–2028, as the proposed rule materializes), they must demonstrate that systems are migrated or on a validated migration path.

  4. Cryptographic bill of materials: When CISA publishes CBOM guidance, they'll need to document what's encrypted, with what algorithms, and with what lifecycle.


The March 2027 reference to testing for "lack of encryption" suggests the audit will extend beyond TLS and PKI. It will include questions about how sensitive files, documents, and unstructured data are protected. Organizations that encrypt databases but leave documents unencrypted will have explaining to do.
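As an added illustration of what the inventory, migration-planning and CBOM items above, together with a "lack of encryption" check, amount to in practice (example code written for this article, not from the order, CISA's forthcoming CBOM guidance, or any vendor), the script below walks a cryptographic inventory and classifies each entry as quantum-vulnerable, quantum-safe, or unencrypted, attaching the NIST replacement standard and the deadline the order names. The record field names, the sample inventory, and the treatment of AES-256-class keys as quantum-safe are assumptions of the example; the records follow no official CBOM schema.

```python
"""Assess a cryptographic inventory for quantum-vulnerable algorithms and for
assets with no encryption at all. Records are constructed sample data with
made-up field names, not the CycloneDX or any official CBOM schema."""
import json
from collections import Counter

# Public-key families a CRQC breaks, and the NIST PQC families that replace them.
VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "EdDSA", "DSA"}
PQC_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Replacement standard and deadline per purpose, as the order lays them out.
MIGRATION = {
    "key_establishment": ("ML-KEM (FIPS 203)", "2030-12-31"),
    "signature": ("ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)", "2031-12-31"),
}
SYMMETRIC_MIN_BITS = 256  # assumption: AES-256-class keys are treated as quantum-safe

def assess_record(rec):
    """Classify one inventory record and return a finding dict."""
    alg, purpose = rec.get("algorithm"), rec["purpose"]
    finding = {"asset": rec["asset"], "location": rec["location"], "purpose": purpose}
    if alg is None:
        finding["status"] = "unencrypted"          # a "lack of encryption" finding
    elif alg in PQC_SAFE:
        finding["status"] = "quantum_safe"
    elif alg in VULNERABLE:
        finding["status"] = "quantum_vulnerable"
        finding["replacement"], finding["deadline"] = MIGRATION.get(
            purpose, ("manual review: unusual purpose for a public-key algorithm", None))
    elif alg == "AES":
        ok = rec.get("key_bits", 0) >= SYMMETRIC_MIN_BITS
        finding["status"] = "quantum_safe" if ok else "weak_symmetric"
    else:
        finding["status"] = "unknown"              # hold for review before the CBOM is finalised
    return finding

def assess_inventory(records):
    """Return per-record findings plus a count of each status."""
    findings = [assess_record(r) for r in records]
    return findings, Counter(f["status"] for f in findings)

# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    {"asset": "public web gateway", "location": "TLS 1.3 listener", "purpose": "key_establishment", "algorithm": "ECDH", "key_bits": 256},
    {"asset": "release pipeline", "location": "code-signing HSM", "purpose": "signature", "algorithm": "RSA", "key_bits": 3072},
    {"asset": "customer database", "location": "storage volume", "purpose": "data_at_rest", "algorithm": "AES", "key_bits": 256},
    {"asset": "research file share", "location": "SMB share", "purpose": "data_at_rest", "algorithm": None},
    {"asset": "site-to-site VPN", "location": "IPsec IKE", "purpose": "key_establishment", "algorithm": "ML-KEM", "key_bits": 768},
]

if __name__ == "__main__":
    findings, summary = assess_inventory(SAMPLE_INVENTORY)
    print(json.dumps(findings, indent=2))
    print(dict(summary))
```

The "unencrypted" and "unknown" statuses are the rows an auditor testing for "lack of encryption" would ask about first, so they belong in the remediation plan alongside the dated public-key migrations.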


Next Steps

The December 2026 proposed rule will clarify the scope and requirements. The March 2027 CBOM guidance will define the audit surface. Organizations that move now — conducting cryptographic inventories, assessing where legacy encryption is in use, and planning remediation — will have time to complete the work.

Organizations that wait until the final rule lands will have a tighter remediation window and higher costs.


The assessment cycle begins in the next 6–9 months as the December 2026 rule proposals land.

For both agencies and contractors, the discovery problem is immediate: they need to know where sensitive data lives across documents, files, and repositories before auditors ask. HNDL assumes data is stolen as files. Migrating TLS alone to post-quantum algorithms does not protect unstructured data at rest; content-layer protection, which binds quantum-safe encryption to the documents and data objects themselves, is where the real compliance gap lives. Organizations that start discovery and data classification now will have answers ready when the CBOM guidance lands. Organizations that wait will scramble.



Frequently Asked Questions


What is Executive Order 14409?

Executive Order 14409, "Securing the Nation Against Advanced Cryptographic Attacks," was signed on June 22, 2026. It mandates that federal agencies migrate to post-quantum cryptography and imposes compliance obligations, including hard deadlines and audit requirements, on federal contractors. The compliance deadline is December 31, 2030.

What does EO 14409 require federal contractors to do?

Contractors must inventory and assess where cryptographic systems live across TLS, PKI, digital signatures, key management, and data encryption; plan the transition to NIST post-quantum standards (FIPS 203/204/205); demonstrate to auditors that systems are migrated or on a validated path; and prepare to document their cryptographic assets through a cryptographic bill of materials (CBOM) once CISA guidance is published.

When is the EO 14409 compliance deadline?

December 31, 2030 for key establishment systems, and December 31, 2031 for digital signature systems. The December 2026 and March 2027 dates referenced in the order are proposed rules, not compliance deadlines.

What is harvest now, decrypt later (HNDL)?

Harvest now, decrypt later is a threat in which adversaries intercept and store encrypted data today and wait for cryptographically-relevant quantum computers (CRQCs) to decrypt it later. Once such a computer exists, current encryption standards like RSA-2048 and ECC become solvable, allowing stored data to be decrypted retroactively at scale.

What is cryptographic agility?

Cryptographic agility is an organization's ability to migrate from quantum-vulnerable encryption to quantum-safe algorithms across systems, data, and infrastructure without redesigning systems, rebuilding infrastructure, or disrupting operations. In practice, it requires knowing which algorithms encrypt what, where those systems live, and having the capability to update them.

Who is a covered contractor under EO 14409?

The order uses broad language: any contractor that handles, processes, or transmits federal information. This includes defense and aerospace companies, life sciences firms with federal grants or contracts, financial services and healthcare organizations with government contracts, critical infrastructure operators, and any vendor in the federal supply chain.

What is a cryptographic bill of materials (CBOM)?

A cryptographic bill of materials is a structured inventory of the cryptographic assets inside a piece of hardware or software, designed to enable automated assessment of where and how cryptography is used. Under EO 14409, CISA and NIST are directed to publish guidance on the minimum elements of a CBOM, expected around March 2027.
