A White House executive order forces every federal agency to name a leader for moving the government's most sensitive systems onto encryption that future quantum computers cannot break.
The executive order gives federal agencies 30 days to name a post-quantum cryptography migration lead. The harder deadline is 2030. The harder problem is whether the person in that chair can actually move the agency.
Post-quantum cryptography, or PQC, is the family of new encryption standards built to survive attacks from a future quantum computer powerful enough to break the public-key systems that protect most of the government's traffic today. The White House order, titled "Securing the Nation Against Advanced Cryptographic Attacks," sets hard dates for moving federal systems to those standards. Section 4 forces every federal agency head to designate a PQC migration lead within 30 days and report the name and contact to the Office of Management and Budget and the National Cyber Director. The accompanying fact sheet reinforces an inventory-first posture: know what you have, decide what matters most, and move it in order.
That is real work. It is also not the operational story.
The migration lead is, in effect, a program-office role. The job, as Forrester analyst Heidi Shey and the security and risk team frame it, is to own the agency's full cryptographic inventory, run a prioritized migration plan, and coordinate across systems and outside the agency. The National Institute of Standards and Technology has already finalized the underlying standards the order points to: ML-KEM for key establishment, ML-DSA for digital signatures, and SLH-DSA as a hash-based signature fallback. Those names look exotic because they are. They are also the actual technical surface federal security leaders will be working against for the rest of the decade.
The dates that follow the 30-day lead designation make the scope visible. OMB inventory guidance is due in 90 days. The order's binding milestones put the most sensitive systems on the new key-establishment standards by 2030 and on the new digital-signature standards by 2031. For a program that has to inventory, prioritize, pilot, deploy, and decommission legacy crypto across thousands of federal systems in roughly four years, the work is not impossible, but it is not forgiving. As Shey and the Forrester team put it, agencies have to move fast enough that they do not lose control of scope, dependencies, and mission risk.
The unresolved question is authority. Naming a contact and empowering a multiyear program lead are different acts, and the EO does the first on the page without doing the second. Federal security programs stall when scope creeps past the program owner's reach, when cross-system dependencies turn a one-line change into a three-quarter replatform, and when the budget conversation for replacing legacy crypto lives somewhere other than the person accountable for the migration. The 30-day clock will produce names. It will not, by itself, produce the charter, the budget line, the seat at the change-control board, or the contracting authority that a 2030 milestone actually requires.
This is also the first U.S. instrument that formally creates a named federal role whose job is post-quantum cryptographic inventory and migration. PQC work used to be diffused across CIO, CISO, and enterprise architecture teams, with no single accountable owner. The order changes that on paper. Whether the new role is backed by the standing to make the 2030 deadline real is the open question the next 30 days will start to answer.
For private-sector CISOs, the order is not a mandate. As Forrester's framing makes clear, it is an additional signal and a call to action: the federal government is now treating PQC migration as a clock, not a research agenda, and the procurement and standards signals that follow will land on every supplier in the federal supply chain.
What to watch in the next 30 days is not the list of names that comes back to OMB. It is what those names come with.