Trump EO 14409 Sets 2030-2031 Deadlines for Federal PQC Migration on High-Value Systems

The order directs OMB NIST NSA DHS and CISA to issue joint technical guidance while requiring agencies to designate PQC leads and inventory cryptographic assets. Federal contractors must align with NIST PQC algorithms by end of 2030 and the Commerce Department will run a migration pilot through 2027. State Department outreach extends the timeline to critical infrastructure operators and allied governments.

Procurement records and prior NIST publications SP 800-208 and FIPS 203-205 already identified ML-KEM and ML-DSA as primary algorithms yet agency cryptographic inventories remain incomplete per GAO reports from 2023-2024. The EO creates a compliance lever that links contract eligibility to PQC readiness exposing the gap between voluntary industry pilots at Google and Dell and mandatory federal timelines.

This accelerates a pattern seen in the 2022 National Security Memorandum 10 where classified systems received earlier NSA guidance while unclassified networks lagged. Contractors face indirect costs through updated acquisition clauses and supply-chain attestations. Next milestone is the 2027 pilot results which will determine whether 2030 deadlines trigger waivers or enforcement actions.

Operational impact centers on legacy key management systems in defense and financial sectors where harvest-now-decrypt-later collection already targets diplomatic and intellectual property traffic.