Executive Order: Strengthening the Nation’s Cybersecurity

This week, the White House released an Executive Order on Strengthening the Nation’s Cybersecurity, based on previously issued EOs 13694 and 14144. It’s the first clear signal from the administration that national cybersecurity continues to be a priority, particularly for solutions used by the Federal government, and consequently for the industries serving it. While US politics might remain turbulent, this Executive Order adds key amendments to those issued by the previous administration, and shows a refocus on cybersecurity considerations such as post-quantum cryptography (PQC), following on from NSM-10 (May 2022). There are a number of key takeaways:

CISA PQC Product Category List

While EO 14144 mandated a list of PQC-ready product categories, the amended Executive Order adds a deadline of December 1st, 2025. The Director of CISA is mandated (in consultation with the NSA) to “release and regularly update the list of product categories in which products supporting PQC are available, by this date.”

It’s likely that this list will be critical for the supply chain when it comes to federal agencies and beyond. PQC products in each of the relevant categories will be considered for inclusion, and vendors, manufacturers and PQC providers will need to ensure readiness and compatibility.

TLS 1.3 support for Federal Agencies

The order also mandates that Federal agencies support TLS 1.3 (or a subsequent version) “as soon as is practicable”. This effort, falling under the NSA (National Security Agency) and OMB (Office of Management and Budget), emphasizes that both National Security Systems and Non-National Security Systems must meet this requirement by a final deadline of January 2, 2030. It also provides a focus for vendors to support quantum-resistant protocols, particularly for internet communications.

The Directors of the NSA and the OMB are required to issue this requirement to agencies by December 1, 2025.

Application to National Security Systems

The requirements related to quantum computing (section 4(f)) explicitly call out National Security Systems (NSS). This is interesting as it amends the previous mandate. It means PQC solutions are now considered relevant for the most sensitive and critical government systems as well as non-national security systems. Effectively, this amendment expands the market for PQC solutions beyond civilian agencies.

Emphasis on Secure Software Development and Patch Management

The EO maintains a further focus on secure software development, including the establishment of a consortium with industry by August 1, 2025. Key directives are given to develop guidance based on NIST SP 800-218 and to update NIST SP 800-53 for secure patch and update deployment. This naturally includes PQC software practices.

PQShield’s view

It’s great to see that the core commitment to advancing PQC is upheld, with a focus on robust and timely practices. It’s another reminder that behind the scenes, the administration takes the quantum threat seriously, and is keen to protect the US by engaging with, and focusing on, post-quantum solutions.

Our goal is to empower organizations with the ultimate quantum-resistant, compliant cryptographic solutions in hardware and software – updating the legacy cryptography components of the world’s technology supply chain, and staying one step ahead of the attackers. This Executive Order reminds us that the cyber threat landscape is both real and evolving, pointing out threats to the US by nation states and criminals as a key driver for updating policy. As that policy continues to sharpen, the need for post-quantum cryptography implementations will only increase, and it’s clear that ultra-secure PQC continues to be an integral feature of the defenses of tomorrow.