Adversaries are already collecting encrypted data, waiting for quantum computers to decrypt it.
In the long contest between secrets and the tools built to break them, the United States has set a hard boundary: federal systems must complete their migration to post-quantum cryptography by 2030, not because quantum computers capable of breaking today's encryption have arrived, but because adversaries are already harvesting encrypted data to decrypt when they do. The White House, responding to research that dramatically lowered estimates of the computing power required to crack current standards, has moved quantum security from a future concern to a present obligation. What is at stake is not only what will be transmitted tomorrow, but what has already been taken.
- Adversaries are already intercepting and stockpiling encrypted U.S. government communications, betting that quantum computers will eventually unlock them — making every day of delay a permanent vulnerability.
- Spring 2026 research from Google and startup Oratomic slashed the qubit estimates needed to break standard encryption by orders of magnitude, collapsing the assumed timeline and forcing immediate policy action.
- Executive Order 14412 and OMB Memorandum M-26-15 transformed the migration from guidance into law, with binding deadlines, phased technical standards, and agency migration plans due by October 2026.
- A dangerous 'Signature Gap' persists even for early movers: organizations deploying quantum-resistant key exchange are still authenticating identities with classical certificates that a quantum computer could forge.
- Federal contractors face their own reckoning through a proposed procurement rule due December 2026, extending compliance obligations across the entire federal supply chain whether or not companies hold direct government contracts.
On a Tuesday in early July, officials, technologists, and researchers gathered at the Eisenhower Executive Office Building for a meeting that marked the moment American quantum security policy became operational rather than aspirational. The White House announced that NIST would migrate its own critical systems to post-quantum cryptography by 2027 — a pilot designed to surface real obstacles before the binding federal deadline of 2030 arrives under Executive Order 14412.
The threat driving that deadline requires no working quantum computer to be dangerous today. Adversaries are already intercepting encrypted government communications and storing them, waiting for the day a sufficiently powerful machine can unlock the archive. Any migration completed after 2030 cannot protect data already harvested. The race is not to be ready before quantum computers exist — it is to limit how much of the government's long-lived secrets will eventually be readable.
That urgency sharpened dramatically in spring 2026. Google's Quantum AI team showed that breaking elliptic-curve cryptography might require fewer than 500,000 qubits — down from earlier estimates near 10 million. Days later, Caltech-linked startup Oratomic published results suggesting a neutral-atom machine could break P-256 encryption with only around 10,000 qubits. The two papers were widely read as coordinated disclosure. Cloudflare immediately moved its internal deadline for full post-quantum security to 2029. IBM stated publicly that targeted attacks on high-value systems could not be ruled out by that year.
The federal response was swift. Two executive orders were signed in late June, followed by OMB Memorandum M-26-15 laying out a phased implementation plan. The staggered deadlines reflect genuine technical complexity: replacing key exchange — the handshake that opens a secure connection — is relatively straightforward, and the NIST standard ML-KEM must be deployed by December 31, 2030. Rebuilding digital signatures is far harder, requiring reconstruction of the entire public key infrastructure, and carries a deadline of December 31, 2031.
Even organizations moving quickly face a structural vulnerability: deploying quantum-resistant key exchange while still authenticating with classical certificates leaves identity open to quantum forgery — the so-called Signature Gap. Meanwhile, most federal systems were never designed to swap cryptographic algorithms at all, with primitives hardcoded into applications and hardware. OMB now requires crypto-agility — the capacity to update algorithms through configuration rather than full rebuilds — as a condition of any compliant migration plan.
The obligation will extend well beyond government walls. A proposed Federal Acquisition Regulation rule, due around December 2026, will impose the same 2030 deadline on federal contractors, reaching businesses that handle government data without a direct federal mission. The estimated federal migration cost alone stands at roughly 7.1 billion dollars over a decade — before supply-chain costs are counted. For every organization transmitting sensitive data with a long shelf life, the question is no longer whether to begin, but whether to start now or wait until the deadline removes the choice entirely.
On a Tuesday in early July, nearly a hundred people gathered in a secure room at the Eisenhower Executive Office Building for a conversation that marked the moment American quantum security policy stopped being theoretical and became operational. The White House Office of Science and Technology Policy announced that the National Institute of Standards and Technology would migrate its own critical systems to post-quantum cryptography by the end of 2027—a pilot run designed to expose the real friction points before the federal government's binding 2030 deadline arrives. That deadline is not negotiable. It is written into Executive Order 14412, signed in late June, and it exists because of a threat that requires no working quantum computer to be real right now.
Adversaries are already collecting encrypted American government data. They are intercepting it, storing it, and waiting. The strategy has a name: harvest now, decrypt later. The logic is simple and structural: if you encrypt something today and an adversary captures it, that adversary can hold it indefinitely. When a sufficiently powerful quantum computer eventually becomes available—years or decades from now—they can decrypt the entire archive. Any migration completed after 2030 cannot undo the exposure of data that has already been transmitted and harvested. The race is not to be ready before quantum computers arrive. It is to minimize how much of the government's long-lived data archive will eventually be readable to enemies.
The urgency of that timeline compressed dramatically in the spring of 2026. In late March and early April, two research teams published results that fundamentally changed the math. Google's Quantum AI team showed that breaking elliptic-curve cryptography could be done with fewer than 500,000 physical superconducting qubits—down from roughly 10 million in previous estimates. Days later, Oratomic, a startup connected to Caltech, published a resource estimate showing that a neutral-atom quantum computer could break the P-256 encryption standard with only around 10,000 physical qubits, exploiting the natural architecture of neutral atoms to achieve error correction far more efficiently than superconducting systems. The two papers built on each other and were widely understood as coordinated disclosure. The effect was immediate: Cloudflare moved its internal target for full post-quantum security to 2029. Google had already adopted the same deadline. IBM's quantum team stated publicly that moonshot attacks on high-value targets cannot be ruled out by that year.
The federal response came in a rapid sequence. Executive Order 14412, titled "Securing the Nation Against Advanced Cryptographic Attacks," was signed on June 22. Its companion, Executive Order 14413, "Ushering in the Next Frontier of Quantum Innovation," followed within days. The Office of Management and Budget issued Memorandum M-26-15, laying out a phased implementation plan for civilian agencies. The summit on July 7 brought together federal officials, quantum technology companies including Infleqtion, PsiQuantum, Qolab, IonQ, and Xanadu, and representatives from major research universities. The message was direct: the government has done the work to get ready. The standards exist. The deadlines are binding. Now industry needs to move.
The technical architecture of the migration explains why the deadlines are staggered. Replacing key establishment—the negotiation that opens a secure connection—primarily means swapping a single mathematical operation in network software. The NIST standard for this is FIPS 203, which specifies ML-KEM, derived from the CRYSTALS-Kyber lattice algorithm. This is operationally straightforward. Cloudflare, Google, Apple's iMessage, and Signal have already deployed post-quantum key encapsulation to significant portions of their user traffic. Digital signatures are a different order of complexity entirely. Rebuilding them requires reconstructing the entire public key infrastructure: every root certificate authority, every intermediate CA, every code-signing certificate, and every cross-certification relationship. The NIST standard for signatures, FIPS 204, specifies ML-DSA, and its signatures are several kilobytes instead of dozens of bytes—creating performance implications for systems with constrained bandwidth. NIST also finalized FIPS 205, specifying SLH-DSA, a hash-based signature scheme that provides mathematical diversity in case the lattice assumptions underlying ML-DSA are ever broken. The one-year gap between the key-establishment deadline of December 31, 2030, and the digital-signatures deadline of December 31, 2031, is not a concession. It is a recognition that even fast movers will need it.
The security community has identified a specific vulnerability in that gap: organizations that have already deployed post-quantum key encapsulation are still authenticating with classical, quantum-vulnerable certificates. This "Signature Gap" means data is being exchanged with quantum-resistant session keys but the identity behind those sessions can still be forged by an adversary with a quantum computer. Cloudflare has made closing this gap the primary focus of its 2026-2029 roadmap. The broader challenge is architectural. Most production federal systems were not designed with the ability to swap cryptographic algorithms at all. Cryptographic primitives are frequently hardcoded into applications, firmware, and hardware security modules. What the government now requires is crypto-agility—the capacity to replace RSA key exchange with ML-KEM through configuration changes or modular software updates rather than application rebuilds. OMB M-26-15 requires all federal systems to be cryptographically agile as a condition of their migration plans, which are due by October 2026.
Federal contractors face the same 2030 compliance date through a proposed Federal Acquisition Regulation rule that the FAR Council must publish within 180 days of the executive order's signing—placing it around December 2026. That requirement will extend PQC obligations across the entire federal supply chain, reaching businesses with no direct government mission that nonetheless handle federal data. Until that rule is finalized, the government can encourage but cannot compel commercial technology companies, banks, hospitals, or utilities to act. But the boundary is narrowing. A near-term procurement deadline adds immediate pressure: FIPS 140-2 validation, the federal cryptographic module certification program, reaches its sunset date on September 21, 2026. Vendors without FIPS 140-3 validated modules will be locked out of federal procurement from that date. Validated PQC implementations under FIPS 140-3 remain roughly 12 to 18 months away for most vendors, creating a specific gap in the certification pipeline that agencies must navigate. The Biden-era OMB estimated the federal migration cost at roughly 7.1 billion dollars over 10 years—and that figure covers only direct federal systems, before contractor supply-chain costs. For organizations without that architecture, achieving PQC compliance means rebuilding from the infrastructure layer up, not swapping a parameter. The question facing every organization that transmits long-lived sensitive data is not whether to start. It is whether to start today or wait until the deadline makes the choice for them.
Citas Notables
What's changed is the perceived timeline. If Q-Day is far away, the main risk is harvest now, decrypt later, so encryption naturally comes first. But recent advances have accelerated the Q-Day timeline, making protection against authentication attacks much more critical.— Bas Westerbaan, Cloudflare
Migrating to PQC is not a simple one-and-done upgrade. It means mapping every environment where public-key algorithms are in use, identifying which data carries long-term sensitivity, sequencing changes across interconnected systems, and verifying that vendors throughout the supply chain can meet the same standard.— Darren Guccione, cybersecurity industry executive
La Conversación del Hearth Otra perspectiva de la historia
Why does the government care about data that's being collected right now if quantum computers don't exist yet?
Because the adversary doesn't need a quantum computer today. They just need to store the encrypted data and wait. If you encrypt something in 2026 and an adversary captures it, they hold it. In 2035 or 2040, when a quantum computer becomes available, they decrypt the entire archive. Any migration completed after 2030 cannot undo that exposure.
So the 2030 deadline is really about protecting data that's being transmitted right now?
Exactly. The deadline is a cutoff. Data encrypted with post-quantum cryptography after 2030 is protected. Data encrypted before 2030 with classical algorithms is not. The government is trying to minimize the fraction of its long-lived data archive that enemies will eventually be able to read.
Why are key exchange and digital signatures on different timelines?
Because they're fundamentally different engineering problems. Replacing key exchange—the handshake that opens a secure connection—is operationally straightforward. You swap one mathematical operation in network software. Digital signatures require rebuilding the entire public key infrastructure: every certificate authority, every certificate, every cross-certification relationship. Even fast movers need the extra year.
What happens to organizations that don't have federal contracts?
Right now, nothing legally binding. But the boundary is narrowing. The FAR rule expected in December 2026 will extend the obligation to federal contractors. And any organization that can't demonstrate PQC compliance will face procurement barriers when selling to federal agencies. Beyond that, any organization transmitting long-lived sensitive data should treat 2030 as a practical baseline.
What's crypto-agility, and why does it matter more than picking the right algorithm?
Crypto-agility is the ability to swap cryptographic algorithms through configuration changes, without rebuilding entire applications. The government emphasizes it because history shows that algorithm deprecations consistently take longer than expected. A crypto-agile organization can respond to a discovered weakness by switching algorithms without a system rebuild. An organization with hardcoded cryptography cannot. Building agility now is what makes every subsequent algorithm transition cheaper.
What's the actual risk to an organization that waits until 2030 to start?
It depends on what data you're protecting and how long it needs to stay secret. If you transmit something sensitive in 2027 and an adversary captures it, waiting until 2030 to migrate means that data is vulnerable for three years. For defense contractors, healthcare providers, financial institutions—anyone with decade-long data sensitivity—that window is a real exposure.