Key Takeaways
- The new Executive Order reinforces the federal quantum-resistant encryption mandate
- CISA must publish a PQC product category list by December 1, 2025
- Federal agencies must support TLS 1.3 by January 2, 2030
- National Security Systems are now explicitly included
- Secure software development and patching remain central priorities
Executive Order: Strengthening the Nation’s Cybersecurity
This week, the White House released an Executive Order on Strengthening the Nation’s Cybersecurity, reinforcing the federal quantum-resistant encryption mandate and building on previously issued EOs 13694 and 14144.
It’s the first clear signal from the administration that the focus on national cybersecurity continues as a priority, particularly for solutions used by the Federal government, and consequentially the industries serving it.
While US politics might remain turbulent, this Executive Order adds key amendments to those issued by the previous administration, and shows a refocus on cybersecurity considerations such as PQC, following on from NSM-10 (May 2022). There are a number of key takeaways which this blog explores.
CISA PQC Product Category List and Supply Chain Impact
While EO 14144 mandated a list of PQC-ready product categories, the amended Executive Order adds a deadline of December 1st, 2025.
The Director of CISA is mandated (in consultation with the NSA) to “release and regularly update the list of product categories in which products supporting PQC are available, by this date.”
Why This Matters
This list is likely to become a critical procurement benchmark across federal agencies and their suppliers. Vendors, manufacturers, and PQC providers must ensure:
- Product readiness
- Standards alignment
- Interoperability across federal systems
- Compliance with evolving guidance
For companies navigating the quantum-resistant encryption mandate, early preparation will be essential to remain competitive within federal frameworks.
TLS 1.3 Support for Federal Agencies
The Executive Order mandates that Federal agencies support TLS 1.3 or subsequent versions as soon as practicable.
This requirement applies to both National Security Systems and Non-National Security Systems. The final compliance deadline is January 2, 2030, with implementation guidance to be issued by December 1, 2025.
Implications for Vendors
This directive provides a clear pathway for the integration of quantum-resistant protocols, particularly within internet communications. Vendors serving federal agencies must:
- Upgrade cryptographic protocols
- Ensure compatibility with post-quantum standards
- Prepare infrastructure for hybrid or PQC-native deployments
The quantum-resistant encryption mandate directly influences procurement decisions, making TLS modernisation a strategic necessity rather than a technical upgrade.
Application to National Security Systems
The requirements related to quantum computing (section 4(f)) explicitly call out National Security Systems (NSS).
This is interesting as it amends the previous mandate. It means PQC solutions are now considered relevant for the most sensitive and critical government systems as well as non-national security systems. Effectively, this amendment expands the market for PQC solutions beyond civilian agencies.
Emphasis on Secure Software Development and Patch Management
The Executive Order continues to prioritise secure software development practices. A consortium with industry will be established by August 1, 2025, with guidance aligned to:
- NIST SP 800-218
- Updates to NIST SP 800-53
- Secure patch and update deployment standards
Post-quantum cryptography implementation naturally intersects with these frameworks. Cryptographic agility, secure updates, and validated implementations are critical components of meeting the quantum-resistant encryption mandate.
PQShield’s Perspective on the Mandate
At PQShield, the continued federal focus on post-quantum cryptography demonstrates that the quantum threat is taken seriously at the highest levels of government.
Our mission is to empower organisations with compliant, quantum-secure cryptographic solutions in both hardware and software. By modernising legacy cryptographic components across the global technology supply chain, PQShield helps organisations remain resilient against emerging threats.
The evolving quantum-resistant encryption mandate reinforces what forward-thinking organisations already recognise. The cyber threat landscape is real, evolving, and increasingly shaped by nation-state actors and sophisticated criminal networks.
As federal policy sharpens and timelines approach, demand for robust post-quantum cryptography will accelerate. Ultra-secure PQC is not optional. It is becoming a foundational pillar of tomorrow’s cybersecurity architecture.
Prepare for the Quantum-Resistant Encryption Mandate Today
If your organisation is preparing for compliance, now is the time to assess your cryptographic posture.
Contact PQShield today to ensure you are ready for the full implications of the quantum-resistant encryption mandate.
Frequently Asked Questions
What is the quantum-resistant encryption mandate?
The quantum-resistant encryption mandate refers to federal requirements that agencies and suppliers transition to post-quantum cryptography to mitigate risks posed by quantum computing.
When must federal agencies comply with TLS 1.3 requirements?
Federal agencies must support TLS 1.3 or later by January 2, 2030, with implementation guidance issued by December 1, 2025.
Does the mandate apply to National Security Systems?
Yes. The updated Executive Order explicitly includes National Security Systems, expanding the scope of post-quantum cryptography requirements.
How does the CISA PQC product list affect vendors?
Vendors supplying federal agencies must ensure their products align with the CISA list of PQC-ready product categories to remain eligible for procurement consideration.
How can PQShield support compliance efforts?
PQShield provides quantum-secure cryptographic solutions in hardware and software, helping organisations align with federal standards and prepare for long-term cryptographic resilience.