Executive Order 14144: Biden’s Big Swing at Cybersecurity Modernization
On January 16, 2025, President Joe Biden signed Executive Order 14144, “Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” The 17‑page directive is the administration’s most comprehensive cyber policy since EO 14028 in 2021 and, for the first time, embeds post‑quantum cryptography (PQC) migration deadlines directly in federal law.
At its core the order:
- Puts PQC on a clock. CISA must publish, within 180 days, a list of product categories where PQC‑capable solutions are “widely available.” Agencies then have 90 days to make PQC support a mandatory requirement in any new solicitation for those products, and they must enable PQC or “hybrid” key‑establishment as soon as practicable on networks that already support it.
- Commits the U.S. to global leadership. State and Commerce are ordered to rally allied governments and industry groups around the forthcoming NIST PQC standards within 90 days.
- Sets a hard finish line. OMB (for civilian systems) and the Department of Defense (for national‑security systems) must ensure all agencies support TLS 1.3 (or its successor) no later than January 2, 2030, effectively the federal “Q‑Day” deadline.
- Hardens identity and messaging. Agencies are told to pilot phishing‑resistant authentication technologies such as WebAuthn and to upgrade e‑mail, voice and video services to authenticated, end‑to‑end encryption by default.
- Modernises digital identity. A dedicated section directs NIST to issue practical guidance for mobile driver’s licences and remote identity proofing, and encourages agencies to accept such digital IDs in public‑benefit programmes.
- Raises the bar for vendors. Software suppliers will have to lodge machine‑readable secure‑development attestations and artefacts in CISA’s Repository for Software Attestation and Artifacts (RSAA); the FAR Council is instructed to embed those duties in contract law.
Taken together, EO 14144 marries short‑term supply‑chain hygiene with a long‑term sprint toward quantum‑safe cryptography, giving agencies clear milestones and—crucially—tying future purchases to PQC readiness.
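As an added example (not from the order itself or from the author's practice), here is a small Python check that reads `openssl s_client` transcripts and classifies each endpoint against the two bars the order sets: TLS 1.3, and PQC or hybrid key establishment. The hybrid group names and the transcript field layout are assumptions based on OpenSSL 3.5 output, and the sample transcripts are constructed.

```python
import re

# Hybrid / PQC key-establishment groups as OpenSSL 3.5 names them
# (assumption: extend this set for other TLS stacks or future drafts).
PQC_HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}

# Field layout assumed from `openssl s_client` output:
#   "    Protocol  : TLSv1.3"            (inside the SSL-Session block)
#   "Negotiated TLS1.3 group: X25519"    (printed by OpenSSL 3.x)
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(TLSv[\d.]+)", re.M)
GROUP_RE = re.compile(r"^\s*Negotiated TLS1\.3 group:\s*(\S+)", re.M)


def assess_handshake(s_client_output: str) -> dict:
    """Classify one s_client transcript: TLS 1.3 reached? PQC/hybrid group used?"""
    proto = PROTO_RE.search(s_client_output)
    group = GROUP_RE.search(s_client_output)
    protocol = proto.group(1) if proto else None
    kex_group = group.group(1) if group else None
    if protocol != "TLSv1.3":
        status = "NOT_TLS13"            # misses the 2030 floor outright
    elif kex_group in PQC_HYBRID_GROUPS:
        status = "TLS13_PQC_HYBRID"     # meets the hybrid key-establishment bar
    else:
        status = "TLS13_CLASSICAL_ONLY"  # TLS 1.3 but still harvestable key exchange
    return {"protocol": protocol, "group": kex_group, "status": status}


def summarize(transcripts: dict) -> dict:
    """Map each inventoried host name to its status for a migration tracker."""
    return {host: assess_handshake(text)["status"] for host, text in transcripts.items()}


# Constructed sample transcripts, trimmed to the lines the check reads.
SAMPLE_PQC = """Negotiated TLS1.3 group: X25519MLKEM768
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""
SAMPLE_CLASSICAL = """Negotiated TLS1.3 group: X25519
---
SSL-Session:
    Protocol  : TLSv1.3
"""
SAMPLE_LEGACY = """Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL-Session:
    Protocol  : TLSv1.2
"""
```

Feeding real `openssl s_client -connect host:443 </dev/null` output into `assess_handshake` turns the order's "networks that already support it" clause into a concrete per-endpoint inventory.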
My Perspective
As someone who advises agencies and critical‑infrastructure operators on quantum resilience, I see EO 14144 as a watershed moment. The United States has flirted with PQC policy since NSM‑10 in 2022, but this is the first time the White House has put procurement teeth behind the vision. By linking budget dollars to PQC features, the order sends an unmistakable demand signal to the vendor ecosystem: ship quantum‑safe products or lose federal business. That alone will accelerate feature road‑maps across firewalls, VPNs, IoT gateways and cloud platforms.
The timeline is also aggressive, but necessarily so. Cryptanalytically relevant quantum computers (CRQCs) are not science‑fiction; they are a probability curve. Suppose a state actor attains a CRQC in, say, 2033. Any intercepted traffic encrypted with classical RSA or ECC today becomes readable retroactively. Biden’s 2030 TLS deadline therefore isn’t a nice‑to‑have—it is the last realistic window to finish a migration that will take years of inventorying, testing and phased cut‑overs. The “harvest‑now‑decrypt‑later” threat model means every month we wait is a month of sensitive data at risk.
Equally important is the diplomacy clause. NIST’s algorithms will only deliver collective security if allies adopt them in lock‑step. EO 14144 instructs State and Commerce to get that drum‑beat started within three months—a tacit acknowledgement that supply‑chain vulnerabilities don’t respect borders. From a standards‑leadership angle, locking in early foreign buy‑in reduces the risk of balkanised or proprietary PQC schemes emerging overseas.
The identity provisions deserve more attention than they have received. Phishing‑resistant WebAuthn pilots, combined with guidance for mobile driver’s licences, sketch a future in which government services are accessed with hardware‑backed credentials rather than phishable passwords or SMS codes. That move closes a major attack vector even before quantum computers arrive.
Of course, the order is only as strong as its follow‑through. Agencies will need funding to rip and replace embedded crypto, and the FAR Council must finalise rule‑making without dilution. But the roadmap is finally on paper—clear, measurable and time‑boxed.
In short, EO 14144 flips the federal posture from planning for quantum threats to executing against them. For practitioners like me, it feels like the starter pistol has finally fired. The next five years will determine whether we cross the finish line before attackers do.