On January 16th, the White House issued an Executive Order outlining actionable strategies to safeguard the nation’s cybersecurity.
Section 4 of the order focuses on Securing Federal Government Communications and, in addition to addressing identity authentication, encryption, and Internet traffic, it also highlights the quantum computing threat to today’s cryptographic landscape. It outlines the urgency of adopting Post Quantum Cryptography (PQC) to secure the future of sensitive communications for all government-related organizations.
In this blog, we explore the Executive Order's PQC-related strategies, its implementation timeline, and best practices for fulfillment of requirements.
The role of Post Quantum Cryptography in the Executive Order
In the Executive Order, the White House recognizes the risk that quantum computers pose to the cybersecurity of the United States.
Therefore, the following specific measures were decided:
Include PQC support as required in government-related solicitations
- Within 180 days: The Secretary of Homeland Security will release and regularly update a list of products that support post-quantum cryptography, divided into product categories.
- Within 90 days of a product category being placed on this list: Agencies shall take steps to include in any solicitations for products in that category a requirement that products support PQC.
- Agencies shall implement PQC key establishment or hybrid key establishment including a PQC algorithm as soon as practicable and supported by the products and services they are using.
Support foreign governments in their PQC transition
- Within 90 days: Identify and engage foreign governments and industry groups in key countries to encourage their transition to PQC algorithms standardized by NIST.
Support of TLS 1.3 for government agencies until 2030 at the latest
- Within 180 days: To prepare for transition to PQC, agencies shall support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version.
Use Hardware Security Modules to protect cryptographic keys
The Federal Government should take advantage of commercial security technologies and architectures, such as Hardware Security Modules (HSM), trusted execution environments, and other isolation technologies, to protect and audit access to cryptographic keys with extended lifecycles.
Guidelines for cryptographic key management
- Within 270 days: Develop guidelines for the secure management of access tokens and cryptographic keys used by cloud service providers.
- Within 60 days of the publication of the guidelines: Develop updated FedRAMP requirements, incorporating the guidelines concerning cryptographic key management security practices.
- Within 60 days of the publication of the guidelines: Take appropriate steps to require FCEB agencies to follow best practices concerning the protection and management of hardware security modules, trusted execution environments, or other isolation technologies for access tokens and cryptographic keys used by cloud service providers in the provision of services to agencies.
For reasons of readability, we have omitted the institutes responsible.
Plan Your PQC Migration
Transitioning to Post-Quantum Cryptography is essential, but ensuring key management and protection along the way is just as critical.
- Plan Your PQC Migration: Organizations seeking to collaborate with the US government must plan their PQC migration now, for example, by preparing a crypto inventory.
- Prioritize Key Management: Showcasing robust cryptographic key management becomes increasingly vital – especially in cloud applications.
- Protect Your Keys: Secure your (PQC) keys using trusted methods, for example by deploying a Hardware Security Module for generating, managing and storing keys.
Utimaco's Commitment to PQC
Utimaco welcomes the White House’s recognition for Post-Quantum Cryptography migration and the critical importance of reliable cryptographic key management, including the use of Hardware Security Modules to protect sensitive key material.
For years, we have been committed to shaping the future of cryptography for the quantum era. As active participants in influential committees and working groups on PQC—including a White House Round Table on Securing the Nation’s Cybersecurity—we are dedicated to driving innovation and setting standards for this transformative technology.
Our own HSMs – u.trust General Purpose HSM Se-Series – are designed crypto agile and can be upgraded with standardized PQC algorithms such as ML-KEM, ML-DSA, LMS, and XMSS already today. By choosing Utimaco, you meet not only PQC requirements but also ensure that cryptographic keys are generated and managed in a high-security environment—perfectly aligning with the White House’s stringent cybersecurity standards.
Join us for a webinar
Join us, along with our technology partner AppViewX, for a webinar to understand the urgency of migrating to PQC, explore NIST's new PQC standards and encryption algorithms, and gain practical strategies for ensuring certificate visibility, automation, and crypto-agility.