AI may be stealing the spotlight, but quantum computing also poses an immediate risk to our data. On June 22, 2026, the White House delivered a major wake-up call, reinforcing that quantum computing isn’t just a future problem, but rather a security threat we need to start tackling today.
U.S. Executive Order 14412 (Securing the Nation Against Advanced Cryptographic Attacks) underscores the urgency of post-quantum cryptography (PQC) migration, prioritizing funding and procurement policies to meet federal compliance deadlines more effectively.
If you think this is just a headache for government agencies, think again. The order triggers a massive ripple effect across procurement cycles, forcing technology vendors and enterprises to prioritize quantum-safe systems in their current buying cycles.
Moving beyond “Q-Day”: The operational deadlines
For years, the collective assumption was that the "quantum threat"—the point when quantum computers could easily break standard encryption like RSA—was still a long way off. We thought there would be plenty of time to prepare for “Q-Day.”
But physical hardware is outpacing what the math originally projected. Recent breakthroughs from Harvard Quantum Initiative researchers suggest that stable, fault-tolerant quantum systems are advancing well ahead of expectations, potentially shrinking the timeline to the end of this decade.
Executive Order 14412 injects a heavy dose of realism into this landscape. It shifts the conversation from a distant “what if” scenario to an immediate compliance reality, forcing organizations to prioritize concrete deadlines to secure the nation’s critical systems.
- By December 31, 2030: Federal agencies need to fully migrate to U.S. National Institute of Standards and Technology (NIST)-approved PQC algorithms for key establishment (encryption). The goal here is to neutralize "harvest now, decrypt later" attacks, where adversaries steal and store encrypted traffic today, knowing quantum computing will eventually decrypt it.
- By December 31, 2031: PQC migration for digital signatures (authentication) must be completed to protect against impersonation and spoofing attacks.
These deadlines may seem narrow in scope, but they’re anything but. To operationalize the order, the Office of Management and Budget (OMB) released Memorandum M-26-15 on June 24, giving civilian agencies a strict 120-day countdown to submit their formal migration plans, with parallel execution tracks rolling out from the Department of War (DoW).
The order also directs the U.S. Federal Acquisition Regulatory (FAR) Council to write these exact same timelines into federal contract requirements. This turns a government mandate into a commercial reality: the entire Defense Industrial Base and thousands of federal contractors will have to prove PQC compliance just to continue doing business with the government.
On top of that, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is instructing agencies to strongly favor PQC-capable vendors in upcoming procurement cycles. Whether you’re directly in the military supply chain or operating in other highly regulated spaces like finance and healthcare, the bottom line remains unchanged: if your systems touch federal data, quantum readiness is a non-negotiable requirement for doing business.
The supply chain blind spot: Enter the CBOM
Data doesn’t stay locked in one place. It moves constantly—across third-party APIs, external SaaS platforms, vendor-hosted clouds, and more. These dependencies create vulnerabilities outside of your direct control, making PQC readiness far more complex than just safeguarding your internal systems.
In line with Executive Order 14412, the accompanying White House directives introduce the Cryptographic Bill of Materials (CBOM) to tackle this blind spot by requiring vendors to disclose detailed information about their cryptographic systems. Similar to a Software Bill of Materials (SBOM), the CBOM focuses on encryption transparency, exposing what algorithms, libraries, and certificates are embedded in their products.
The challenge? Most enterprise infrastructure isn’t ready to meet these transparency standards, and the lack of PQC readiness among vendors makes this dependency even more critical. For instance, data from F5 Labs shows that while 57% of global web browser traffic is technically PQC-ready thanks to automated updates, enterprise backend systems lag far behind. Among the top 1 million websites, only 8.6% support hybrid PQC key exchange, and banking websites sit at a staggering 3%.
Quantum readiness doesn’t only depend on how well you prepare—it hinges on your partners, and your weakest dependency could undermine everything. CBOM transparency will be essential for vetting vendors and ensuring your organization can manage the quantum transition smoothly.
The three-step PQC readiness checklist
Migrating to quantum-safe algorithms isn’t something you can knock out with a quick software patch. It’s a multi-year process that demands thoughtful planning. Right now, the White House has given federal agencies just 30 days to appoint a dedicated PQC migration lead. Enterprises should match that pace.
Here are three immediate steps to get started today:
- Assign ownership and map dependencies: Immediate priority. Designate a lead responsible for quantum readiness across your organization. Their first priority should be mapping where classical encryption algorithms like RSA and ECC are currently used—both inside your own infrastructure and throughout third-party APIs, SaaS platforms, and vendor ecosystems.
- Prepare for the CBOM mandate: Next three to six months. Update your purchasing guidelines. Require upcoming hardware, software, and cloud vendors to provide a clear roadmap for NIST-compliant PQC support, and ask how they plan to deliver a transparent CBOM. Identifying these dependency gaps early is far better than waiting for compliance deadlines.
- Test hybrid deployment models: Next six to 12 months. Adopt TLS 1.3 and begin testing hybrid key exchanges in non-production environments to evaluate how post-quantum keys impact your actual network latency and application performance. Testing today prevents major operational disruptions tomorrow.
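As an added example (not from the original post or from F5), the dependency map from the first step can be turned into a gap report keyed to the two deadlines above, covering internal and vendor-hosted endpoints alike. The host names, CSV columns and status labels are assumptions, the sample inventory is constructed, and any group or algorithm the script does not recognise is reported as "unknown" for manual review.

```python
import csv
import io
from datetime import date

# Deadlines the article gives for federal agencies.
KEX_DEADLINE = date(2030, 12, 31)  # key establishment (encryption)
SIG_DEADLINE = date(2031, 12, 31)  # digital signatures (authentication)

# TLS 1.3 hybrid groups combining a classical curve with ML-KEM.
HYBRID_GROUPS = {"x25519mlkem768", "secp256r1mlkem768", "secp384r1mlkem1024"}
CLASSICAL_GROUPS = {"x25519", "x448", "secp256r1", "secp384r1", "secp521r1",
                    "ffdhe2048", "ffdhe3072", "rsa"}
PQ_SIGS = ("ml-dsa", "slh-dsa")
CLASSICAL_SIGS = ("rsa", "ecdsa", "ed25519", "ed448")

# Constructed sample inventory: hypothetical hosts and column names.
SAMPLE = """host,owner,tls,kex_group,cert_sig
portal.example.internal,internal,1.3,X25519MLKEM768,ecdsa-with-SHA256
legacy-api.example.internal,internal,1.2,secp256r1,sha256WithRSAEncryption
payments.vendor.example,vendor,1.3,x25519,sha256WithRSAEncryption
lab-gw.example.internal,internal,1.3,SecP384r1MLKEM1024,ML-DSA-65
hsm-proxy.vendor.example,vendor,1.3,X25519Kyber768Draft00,sha256WithRSAEncryption
"""

def classify_kex(tls, group):
    g = group.strip().lower()
    if tls.strip() != "1.3":
        return "vulnerable"  # TLS 1.2 and earlier: RSA, DHE or ECDHE only
    if g in HYBRID_GROUPS:
        return "hybrid-pqc"
    return "vulnerable" if g in CLASSICAL_GROUPS else "unknown"

def classify_sig(alg):
    a = alg.strip().lower()
    if any(p in a for p in PQ_SIGS):
        return "pqc"
    return "vulnerable" if any(c in a for c in CLASSICAL_SIGS) else "unknown"

def gap_report(inventory_csv):
    """Return one finding per non-compliant component, earliest deadline first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        kex = classify_kex(row["tls"], row["kex_group"])
        sig = classify_sig(row["cert_sig"])
        if kex != "hybrid-pqc":
            findings.append((KEX_DEADLINE, row["host"], row["owner"], "key-exchange", kex))
        if sig != "pqc":
            findings.append((SIG_DEADLINE, row["host"], row["owner"], "signature", sig))
    return sorted(findings)

if __name__ == "__main__":
    for deadline, host, owner, part, status in gap_report(SAMPLE):
        print(f"{deadline}  {owner:8}  {host:30}  {part:12}  {status}")
```

Key-exchange gaps sort first because their deadline is a year earlier, and the owner column separates what you can fix yourself from what has to go into a vendor conversation.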
Navigating the transition with F5
Successfully migrating to quantum-safe cryptography requires crypto-agility—the capacity to seamlessly swap out encryption algorithms as standards evolve, without interrupting systems or creating downtime.
Rewriting thousands of legacy applications can take years—an enormous and expensive undertaking for most teams. That’s why F5 has joined NIST’s National Cybersecurity Center of Excellence (NCCoE) "Migration to PQC" project, a consortium focused on building practical frameworks to guide organizations through this change.
F5 simplifies this migration with a gateway platform architecture that fundamentally lowers deployment risk. Instead of requiring developers to re-architect apps manually—across hybrid, multicloud, or legacy environments—F5 integrates native support for hybrid PQC ciphers (server- and client-side) directly into its F5 Application Delivery and Security Platform (ADSP). This helps secure critical data exchanges today while giving your team the breathing room needed for a smooth, long-term transition.
Preparing for the quantum era
Executive Order 14412 makes one thing clear: the time to lay the groundwork is now. This transition is no longer a distant item on a future roadmap.
Organizations that act today—by reworking procurement rules, demanding transparency from vendors, and testing hybrid deployment models—will be better positioned to navigate the PQC transition long before compliance deadlines arrive.