The Complete US Post-Quantum Cryptography (PQC) Regulatory Framework in 2026
The legal obligation to migrate federal systems to quantum-resistant cryptography remains firmly intact despite a change in administration, but the path to compliance has shifted from top-down mandates to agency-level discretion.
I spend a good portion of my professional life helping CISOs and security leaders interpret PQC regulatory requirements – and lately, a growing share of that time goes toward untangling the US framework specifically. Which is ironic, because the United States was the first major jurisdiction to get serious about regulating post-quantum migration. They started earlier, moved faster, and built a more comprehensive policy architecture than anyone else. But first-mover advantage has a downside: layer upon layer of executive orders, federal statutes, agency memoranda, and technical standards – some reinforcing each other, some contradicting, and some sitting in regulatory limbo after a change in administration. I have lost count of how many times a client has asked me some variation of “so what’s actually required?” This article is my (and my ChatGPT’s) best answer to that question. (I used AI extensively in this article for research, but then still manually validated everything and drafted the post.)
Three pillars anchor the US PQC framework:
- the Quantum Computing Cybersecurity Preparedness Act (federal law that no executive order can undo),
- NSM-10's 2035 migration target (still in force),
- and NIST’s finalized FIPS standards (published August 2024).
The Trump administration’s June 2025 executive order streamlined, rather than eliminated, PQC obligations, removing prescriptive procurement mandates while retaining the CISA product category list and a TLS 1.3 deadline of January 2, 2030.
For CISOs, the bottom line is clear: the regulatory floor has not changed, but the enforcement ceiling has been lowered, creating a window where proactive organizations gain competitive advantage while laggards risk exposure to both quantum threats and future compliance crackdowns.
Three federal laws form the immovable foundation
The US PQC framework rests on three enacted federal statutes that survive any change of administration. Unlike executive orders or agency memoranda, these laws require congressional action to repeal.
The Quantum Computing Cybersecurity Preparedness Act (H.R. 7535, Public Law 117-260) was signed by President Biden on December 21, 2022, after passing the House 420-3 and clearing the Senate by unanimous consent. Sponsored by Rep. Ro Khanna (D-CA) with bipartisan support from Rep. Nancy Mace (R-SC) and others, the Act imposes concrete obligations on the executive branch. Within 180 days of enactment (by approximately June 2023), OMB was required to issue guidance directing each federal agency to establish and maintain a prioritized inventory of IT systems vulnerable to quantum decryption. Within one year of NIST issuing PQC standards – which occurred on August 13, 2024, making the deadline approximately August 2025 – OMB must issue guidance requiring agencies to begin prioritizing migration. The Act mandates annual reporting to Congress on migration progress for five years after NIST standards are published, meaning reports are due through at least 2029. Crucially, the Act exempts national security systems, which fall under separate NSA governance. There is no public evidence that OMB issued the post-standards migration guidance by the August 2025 statutory deadline.
The National Quantum Initiative Act (H.R. 6227, Public Law 115-368), signed by President Trump on December 21, 2018, established the 10-year National Quantum Initiative Program, the National Quantum Coordination Office within OSTP, and authorized roughly $1.275 billion across DOE, NSF, and NIST for fiscal years 2019–2023. Its authorization lapsed in September 2023, and multiple reauthorization attempts in the 118th Congress – including H.R. 6213 ($1.8 billion) and S. 5411 ($2.7 billion) – failed to advance. The most recent reauthorization bill, S. 3597, was introduced on January 8, 2026 by Senators Todd Young (R-IN) and Maria Cantwell (D-WA), proposing up to three new NIST quantum centers and extending the program to 2034. It remains in the Senate Commerce Committee.
The CHIPS and Science Act (H.R. 4346, Public Law 117-167), signed on August 9, 2022, authorized approximately $153 million annually in quantum-specific programs, including $100 million per year for DOE quantum network infrastructure and $15 million per year for NIST quantum networking R&D. While it contains no direct PQC migration mandates, it amended the NQI Act and identified quantum information science as one of ten key technology focus areas for the new NSF Directorate for Technology, Innovation, and Partnerships. The word “quantum” appears 126 times in the bill text.
The 119th Congress (2025–2026) has introduced a wave of PQC-adjacent legislation that has not yet been enacted. H.R. 3259, the Post Quantum Cybersecurity Standards Act, would direct NIST to promote voluntary PQC adoption and establish grants for high-risk entities. S. 3312, the Quantum Readiness and Innovation Act of 2025, would require NIST to issue critical-infrastructure-specific PQC guidance within 180 days and create a pilot program for federal agencies to upgrade high-impact systems within 18 months. S. 2558, the National Quantum Cybersecurity Migration Strategy Act, would mandate development of a coordinated national migration strategy. Approximately 11 quantum-related amendments were filed to the FY2026 NDAA by September 2025. Among these, S.Amdt.3684 contains a provision for a PQC pilot program that would require at least one “high-impact system” in each agency to be upgraded to PQC by January 1, 2027 – a concrete attempt by Congress to force agencies from planning into execution. While the NDAA’s final form is always subject to conference negotiation, the inclusion of such language reflects bipartisan congressional impatience with the pace of federal PQC adoption.
Executive orders: what survived, what changed, and what’s coming
The presidential directive landscape has undergone significant reshaping under the Trump administration, though the core PQC framework has proven remarkably durable.
National Security Memorandum 10 (NSM-10), signed by President Biden on May 4, 2022, remains the cornerstone policy document for US PQC transition. Titled “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” it established the overarching goal of mitigating quantum risk “as much as feasible by 2035.” NSM-10 directed NIST to initiate industry engagement within 90 days, required CISA to engage critical infrastructure partners within 180 days, and tasked each federal agency with delivering an annual inventory of quantum-vulnerable IT systems beginning May 2023. For national security systems, it directed NSA to provide migration guidance and required agency heads to submit transition plans. NSM-10 has not been rescinded by the Trump administration. Trump’s June 2025 executive order explicitly references NSM-10 as the foundational document for PQC transition, and the January 20, 2025 mass rescission of Biden-era executive orders did not target it. Multiple law firms, CRS analyses, and industry sources confirm it remains operative.
Executive Order 14028 (“Improving the Nation’s Cybersecurity”), signed May 12, 2021, contained no direct PQC mandates but established the zero trust architecture framework and software supply chain security requirements that underpin cryptographic modernization. It remains fully in force – the Trump administration explicitly preserved it. The implementing OMB memoranda (M-22-18 and M-23-16) on software attestation also remain in place.
Executive Order 14144 (“Strengthening and Promoting Innovation in the Nation’s Cybersecurity”), signed by Biden on January 16, 2025 – just four days before leaving office – contained the most aggressive PQC provisions of any executive order. Section 6 originally required CISA to publish a PQC product category list, mandated agencies to include PQC support requirements in solicitations within 90 days of a product category being listed, directed agencies to implement PQC or hybrid key establishment “as soon as practicable,” and instructed the State and Commerce Departments to promote NIST PQC algorithms internationally.
Executive Order 14306, signed by President Trump on June 6, 2025, substantially amended EO 14144 rather than rescinding it. The CRS characterized the approach as performing “line edits to remove text or policies with which the administration disagrees.” The PQC-specific changes were significant. Three provisions were retained: CISA’s obligation to publish a PQC product category list (deadline shifted to December 1, 2025), TLS 1.3 adoption required by January 2, 2030, and explicit recognition of the CRQC threat using language identical to Biden’s original. Three provisions were removed: the mandatory procurement trigger requiring PQC in solicitations, the “as soon as practicable” hybrid adoption requirement, and the international PQC promotion mandate. The net effect, as law firm Crowell & Moring summarized, is that PQC requirements were “stripped down” while the awareness and infrastructure framework remained intact.
A critical nuance that CISOs should internalize: the removal of top-level procurement mandates does not mean PQC procurement requirements have disappeared – they are migrating to the agency level. The clearest example is the USDA Acquisition Regulation (AGAR), revised September 13, 2025, which contains an explicit PQC procurement instruction: for products on the “CISA-list of product categories for products that support PQC,” the solicitation must require that related products support PQC. This is not guidance – it is procurement rule text in a specific agency’s acquisition regulation. Individual agencies can and will recreate the earlier EO-14144-style procurement hook through their own acquisition rules, contract clauses, and authorization packages, regardless of what the White House-level directive requires. For vendors, this means PQC procurement pressure will arrive unevenly, agency by agency, rather than through a single federal mandate.
A draft quantum executive order titled “Ushering In The Next Frontier Of Quantum Innovation,” dated February 3, 2026, has been reported by Nextgov/FCW. This sweeping order would update the National Quantum Strategy, establish a federally backed quantum computer for scientific applications (QCSAD) at a DOE facility, reconstitute the National Quantum Initiative Advisory Committee within 180 days, and require five-year agency roadmaps. Notably, reporting suggests this draft omits specific PQC provisions, focusing instead on quantum research, commercialization, and workforce development. However, the OMB circulated a separate draft memorandum in July 2025 that would direct agencies to fully migrate to PQC standards and require third-party vendors to disclose phased PQC transition timelines. Neither document had been finalized as of late February 2026.
Separately, on November 24, 2025, President Trump signed the Genesis Mission executive order, a sweeping DOE-led initiative to accelerate AI-driven scientific discovery by linking the nation’s supercomputers, AI systems, and next-generation quantum processors into a unified national discovery platform. While primarily an AI initiative, the order explicitly identifies quantum information science as one of its priority technology domains. For CISOs, the Genesis Mission represents a strategic paradox: the same administration that softened civilian PQC procurement mandates is simultaneously investing heavily in the quantum hardware ecosystem that makes PQC migration urgent. The order does not contain PQC provisions, but it signals that the federal government expects quantum capabilities – and by extension quantum threats – to accelerate.
The Department of Defense CIO memo dated November 20, 2025, issued by Katie Arrington (then acting CIO), directed all Pentagon components and combatant commands to identify and inventory all cryptography across every system type – including national security systems, weapons systems, cloud capabilities, mobile devices, IoT, unmanned systems, and operational technology. It required designation of PQC migration leads within 20 days and explicitly cited M-23-02 as the governing mandate. The memo also prohibited components from testing, procuring, or using quantum key distribution or quantum-based random number generation for security functions without an exception.
OMB M-23-02 still governs the federal cryptographic inventory
OMB Memorandum M-23-02, “Migrating to Post-Quantum Cryptography,” issued on November 18, 2022 by OMB Director Shalanda Young, remains the operational playbook for federal PQC transition. It has not been formally rescinded by the Trump administration.
The memo’s requirements are granular and specific. Each agency must designate a cryptographic inventory and migration lead (due within 30 days of publication). Agencies must submit a prioritized inventory of quantum-vulnerable cryptographic systems to the Office of the National Cyber Director and CISA by May 4, 2023, and annually thereafter until 2035. For each system, agencies must provide nine data items: FISMA system identifier, FIPS 199 categorization, High Value Asset identifier, each CRQC-vulnerable cryptographic algorithm in active use (including algorithm type, service, and key length), software package type and vendor, operating system details, hosting information, lifecycle characteristics, and additional notes. Within 30 days of each annual inventory submission, agencies must provide a funding assessment for the following fiscal year’s migration activities.
The memo identifies specific quantum-vulnerable algorithms requiring eventual replacement: RSA, ECDSA, ECDH, DSA, Diffie-Hellman, and MQV – essentially all widely deployed asymmetric cryptographic algorithms. NIST, NSA, and CISA were tasked with establishing mechanisms for sharing PQC testing information within 60 days, and CISA was directed to release a strategy on automated tooling within one year.
A July 2024 White House report estimated the total government-wide PQC migration cost at approximately $7.1 billion in 2024 dollars between 2025 and 2035. The DOD, ODNI, and NSA are developing separate classified cost estimates for national security systems.
The current enforcement reality is nuanced. M-23-02 remains technically binding, and the DoD CIO’s November 2025 memo explicitly cited it as the governing mandate for Pentagon PQC activities. Vendor marketing from multiple federal IT contractors actively targets M-23-02 compliance, suggesting ongoing agency activity.
However, no formal Trump administration guidance has confirmed or denied whether the annual inventory obligations continue to be actively monitored. The Trump executive order “simply isn’t reinforcing” M-23-02, though it hasn’t rescinded it either.
NIST has delivered five standards with a 2035 deadline on the horizon
NIST’s PQC standardization program, which began with a call for proposals in December 2016 and evaluated 82 submissions, has now produced its first generation of final standards with a clear deprecation timeline.
The three foundational standards were published simultaneously on August 13, 2024. FIPS 203 (ML-KEM) standardizes the Module-Lattice-Based Key-Encapsulation Mechanism, derived from CRYSTALS-Kyber, for establishing shared secret keys. It offers three parameter sets: ML-KEM-512 (128-bit security), ML-KEM-768 (192-bit), and ML-KEM-1024 (256-bit). FIPS 204 (ML-DSA) standardizes the Module-Lattice-Based Digital Signature Algorithm, derived from CRYSTALS-Dilithium, intended as the primary digital signature standard. FIPS 205 (SLH-DSA) standardizes the Stateless Hash-Based Digital Signature Algorithm, derived from SPHINCS+, as a backup signature scheme based on hash functions rather than lattices — providing mathematical diversity in case lattice-based cryptography is ever compromised. SLH-DSA produces significantly larger signatures and is slower than ML-DSA, making it suitable for specialized high-assurance applications.
A fourth standard, FIPS 206 (FN-DSA), based on the FALCON algorithm, was submitted for internal NIST/Department of Commerce clearance on August 28, 2025. As of late 2025, it remained in the approval pipeline. FN-DSA offers very compact signatures (~666 bytes) but requires complex floating-point arithmetic in signing operations. A public draft and finalization are expected in 2026–2027.
On March 11, 2025, NIST selected HQC (Hamming Quasi-Cyclic) as the fifth PQC algorithm, announced alongside NIST IR 8545 documenting the fourth-round evaluation. HQC is a code-based key encapsulation mechanism — using a completely different mathematical foundation than the lattice-based ML-KEM — providing critical algorithmic diversity. NIST chose HQC over BIKE due to its more mature decryption failure rate analysis. A draft standard is expected in 2026, with finalization around 2027. Organizations should not wait for HQC; ML-KEM remains the primary recommendation for immediate deployment.
NIST IR 8547, published as an initial public draft on November 12, 2024, establishes the critical deprecation timeline. Quantum-vulnerable algorithms at ≤112-bit security (such as RSA-2048 and ECDSA with P-256) will be deprecated after 2030, meaning they should be phased out but are not yet fully prohibited. All quantum-vulnerable public-key cryptographic algorithms will be disallowed after 2035. This document remains in draft — the comment period closed January 10, 2025, and a final version has not been published. The 2030/2035 dates may be adjusted based on public feedback, but they align with NSM-10’s overarching 2035 target.
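As an added worked example (mine, not the article's, OMB's or NIST's), the following Python sketch turns two passages into code: the nine M-23-02 inventory data items and vulnerable-algorithm list from the OMB section above, and the IR 8547 deprecation timeline just described. Each record carries the nine data items, each quantum-vulnerable algorithm is classified for a given year using the rule as the article states it (≤112-bit security deprecated after 2030, every quantum-vulnerable public-key algorithm disallowed after 2035), and records are ranked for migration. The security-strength tables are my reading of NIST SP 800-57 Part 1, the priority score is an illustrative ranking of my own rather than an OMB method, and the sample inventory entries are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Quantum-vulnerable asymmetric families named in OMB M-23-02.
CRQC_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DSA", "DH", "MQV"}

# Classical security strengths in bits: my reading of NIST SP 800-57 Part 1
# (an assessor should confirm against the current revision).
FF_STRENGTH = {2048: 112, 3072: 128, 7680: 192, 15360: 256}  # RSA, DSA, DH, MQV
EC_STRENGTH = {224: 112, 256: 128, 384: 192, 521: 256}       # ECDSA, ECDH curves


@dataclass
class CryptoUse:
    """One CRQC-vulnerable algorithm in active use (M-23-02 data item 4)."""
    algorithm: str   # family name, e.g. "RSA"
    service: str     # what it protects, e.g. "TLS key establishment"
    key_length: int  # modulus or curve size in bits


@dataclass
class InventoryRecord:
    """The nine data items M-23-02 asks for per system."""
    fisma_system_id: str
    fips199_category: str          # "Low", "Moderate" or "High"
    hva_id: Optional[str]          # High Value Asset identifier, if any
    crypto_in_use: List[CryptoUse]
    software_package: str          # package type and vendor
    operating_system: str
    hosting: str
    lifecycle: str
    notes: str = ""


def security_strength(use: CryptoUse) -> Optional[int]:
    if use.algorithm in {"RSA", "DSA", "DH", "MQV"}:
        return FF_STRENGTH.get(use.key_length)
    if use.algorithm in {"ECDSA", "ECDH"}:
        return EC_STRENGTH.get(use.key_length)
    return None


def ir8547_status(use: CryptoUse, year: int) -> str:
    """Status in `year` under the IR 8547 draft timeline as the article states it:
    <=112-bit security deprecated after 2030, all quantum-vulnerable disallowed after 2035."""
    if use.algorithm not in CRQC_VULNERABLE:
        return "not quantum-vulnerable"
    if year > 2035:
        return "disallowed"
    strength = security_strength(use)
    # A key size outside the tables is treated conservatively as weak.
    if year > 2030 and (strength is None or strength <= 112):
        return "deprecated"
    return "allowed (quantum-vulnerable)"


def priority_score(rec: InventoryRecord) -> int:
    """Illustrative ranking (my assumption, not OMB's method): FIPS 199 impact,
    HVA status, and whether the weakest algorithm hits the 2030 deprecation."""
    score = {"Low": 1, "Moderate": 2, "High": 3}[rec.fips199_category]
    if rec.hva_id:
        score += 2
    urgency = 0
    for use in rec.crypto_in_use:
        if use.algorithm in CRQC_VULNERABLE:
            strength = security_strength(use)
            urgency = max(urgency, 2 if (strength is None or strength <= 112) else 1)
    return score + urgency


def prioritize(records: List[InventoryRecord]) -> List[str]:
    """FISMA identifiers ordered from most to least urgent to migrate."""
    ranked = sorted(records, key=priority_score, reverse=True)
    return [r.fisma_system_id for r in ranked]


# Constructed sample inventory; none of these are real systems or vendors.
SAMPLE = [
    InventoryRecord("SYS-001", "High", "HVA-17",
                    [CryptoUse("RSA", "TLS key establishment", 2048),
                     CryptoUse("ECDSA", "TLS server authentication", 384)],
                    "web server (ExampleVendor)", "RHEL 9", "on-premises", "in service until 2032"),
    InventoryRecord("SYS-002", "Moderate", None,
                    [CryptoUse("ECDH", "VPN key agreement", 384)],
                    "VPN appliance (ExampleVendor)", "vendor OS", "on-premises", "refresh 2028"),
    InventoryRecord("SYS-003", "Low", None,
                    [CryptoUse("AES", "data-at-rest encryption", 256)],
                    "file share (ExampleVendor)", "Windows Server 2022", "cloud", "steady state",
                    notes="symmetric only; no PQC action needed"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        for use in rec.crypto_in_use:
            print(rec.fisma_system_id, use.algorithm, use.key_length, "->", ir8547_status(use, 2031))
    print("migration order:", prioritize(SAMPLE))
```

Run it and SYS-001 sorts first: it is High impact, an HVA, and its RSA-2048 key establishment is already "deprecated" when assessed against 2031, whereas the P-384 uses on SYS-002 stay "allowed (quantum-vulnerable)" until the 2035 cut-off. The point of the ranking is that the same inventory fields M-23-02 already requires are enough to drive prioritization without a second data-collection exercise.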
Several supporting publications round out the NIST guidance ecosystem. SP 800-227 (Recommendations for Key-Encapsulation Mechanisms) was finalized on September 18, 2025, providing operational guidance on using KEMs including hybrid deployments during transition. SP 1800-38 (Migration to Post-Quantum Cryptography) is an ongoing NCCoE practice guide in three preliminary draft volumes with 47+ industry collaborators including AWS, IBM, Microsoft, Cisco, JPMorgan Chase, and PQShield. Volume C of SP 1800-38 documents critical interoperability and performance findings: while raw ML-KEM implementations can match or outperform classical ECDH in handshake throughput, hybrid mode deployments — which run a classical and PQC algorithm simultaneously — roughly halved network throughput in NIST’s testing and significantly increased latency. CISOs must factor these performance impacts into capacity planning, particularly for latency-sensitive applications and legacy infrastructure with constrained processing power. CSWP 39 (Considerations for Achieving Cryptographic Agility) was finalized on December 19, 2025, defining crypto agility as essential capability and introducing a maturity model. CSWP 48 (Mappings of Migration to PQC Project Capabilities to Risk Framework Documents) was published as an initial public draft on September 18, 2025, mapping PQC capabilities to the NIST Cybersecurity Framework 2.0 and SP 800-53 Rev. 5 controls — giving governance teams a structured method for expressing PQC migration as auditable risk outcomes rather than an isolated engineering project.
A parallel compliance deadline that CISOs should track: on September 21, 2026, NIST’s Cryptographic Module Validation Program (CMVP) will move all remaining FIPS 140-2 validated certificates to the Historical list. After that date, only FIPS 140-3 validated modules may be used for new federal system procurement. This is directly relevant to PQC because quantum-resistant algorithm implementations must ultimately be validated under FIPS 140-3 to be acceptable for federal use. The current FIPS 140-3 validation process averages over 500 days — a 42% increase over the FIPS 140-2 process — meaning any vendor not already in the FIPS 140-3 pipeline faces a gap of at least 12–18 months before their PQC-capable modules can be federally validated. The practical implication: FIPS 140-3 validated PQC implementations will not be widely available before 2027 at the earliest, creating a transitional period where agencies must plan for PQC adoption while navigating a constrained vendor landscape.
NSA’s CNSA 2.0 imposes the most aggressive concrete deadlines
The Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), announced by NSA on September 7, 2022 and updated to version 2.1 in December 2024, establishes the most binding and specific PQC deadlines in the US regulatory landscape. It applies to all National Security Systems — classified and unclassified — operated by the Department of Defense, the Intelligence Community, and their vendor ecosystem.
The algorithm suite mandates four core algorithms for general use: AES-256 for symmetric encryption, ML-KEM-1024 (FIPS 203) for key establishment, ML-DSA-87 (FIPS 204) for digital signatures, and SHA-384 or SHA-512 for hashing. For software and firmware signing specifically, LMS and XMSS (per NIST SP 800-208) are also approved. Notably, SLH-DSA is not approved for NSS use, and NSA has stated it does not currently plan to add FN-DSA (FALCON) or HQC to the suite.
The timelines are structured in two phases — “prefer” dates (when CNSA 2.0 should be supported and preferred) and “exclusively use” dates (hard compliance deadlines):
| Use case | Prefer CNSA 2.0 by | Exclusively use CNSA 2.0 by |
|---|---|---|
| Software and firmware signing | 2025 | 2030 |
| Web browsers/servers and cloud services | 2025 | 2033 |
| Traditional networking equipment | 2026 | 2030 |
| Operating systems | 2027 | 2033 |
| Niche/constrained equipment | 2030 | 2033 |
| Custom/legacy equipment | — | 2033 (update or replace) |
Structural milestones from CNSSP 15 (updated 2024) include: no enforcement before December 31, 2025; all new acquisitions for NSS must be CNSA 2.0 compliant by January 1, 2027; equipment that cannot support CNSA 2.0 must be phased out by December 31, 2030; and CNSA 2.0 algorithms are mandated across NSS by December 31, 2031. Products require NIAP validation against protection profiles incorporating CNSA 2.0 — FIPS validation alone is insufficient.
CNSA 2.0 remains fully in effect and is unaffected by the Trump administration’s scaling back of civilian PQC mandates. As an NSA/CNSS-governed program operating under NSD-42, NSM-8, and NSM-10, it occupies a governance space independent of White House executive orders targeting civilian agencies. Defense contractors and vendors selling to NSS environments face de facto compliance requirements through procurement and NIAP validation channels.
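As an added example (not from the article or from NSA), here is a small Python checker that encodes the CNSA 2.0 algorithm set and the prefer/exclusively-use table above. Given a system's configured algorithm per role, its use case and an assessment year, it lists the roles that are not on CNSA 2.0 algorithms and says whether those gaps are blocking. Assumptions of mine: a "by YYYY" date is treated as in force from that year onward, LMS/XMSS are accepted only under the software/firmware signing use case, and the sample configurations are constructed.

```python
from typing import Dict, List

# CNSA 2.0 algorithms per role, as the article lists them.
CNSA2_APPROVED = {
    "symmetric": {"AES-256"},
    "key_establishment": {"ML-KEM-1024"},
    "signature": {"ML-DSA-87"},
    "hash": {"SHA-384", "SHA-512"},
}
# Approved only for software and firmware signing (NIST SP 800-208).
FIRMWARE_SIGNING_EXTRA = {"LMS", "XMSS"}

# (prefer-by year, exclusively-use-by year) from the CNSA 2.0 table;
# None means no "prefer" date is given for that use case.
TIMELINE = {
    "software_firmware_signing": (2025, 2030),
    "web_cloud": (2025, 2033),
    "networking": (2026, 2030),
    "operating_system": (2027, 2033),
    "niche_constrained": (2030, 2033),
    "custom_legacy": (None, 2033),
}


def phase(use_case: str, year: int) -> str:
    """Which CNSA 2.0 phase applies in `year`. Assumption: a "by YYYY"
    deadline is treated as in force from that year onward."""
    prefer_by, exclusive_by = TIMELINE[use_case]
    if year >= exclusive_by:
        return "exclusively use"
    if prefer_by is not None and year >= prefer_by:
        return "prefer"
    return "not yet required"


def assess(config: Dict[str, str], use_case: str, year: int,
           new_acquisition: bool = False) -> dict:
    """Check each configured algorithm against CNSA 2.0 for its role and
    decide whether any gap is blocking in the given year."""
    gaps: List[str] = []
    for role, algorithm in config.items():
        approved = set(CNSA2_APPROVED[role])
        if role == "signature" and use_case == "software_firmware_signing":
            approved |= FIRMWARE_SIGNING_EXTRA
        if algorithm not in approved:
            gaps.append(f"{role}: {algorithm} not CNSA 2.0 (approved: {sorted(approved)})")
    current = phase(use_case, year)
    # CNSSP 15 milestone as summarized in the article: new NSS acquisitions
    # must be CNSA 2.0 compliant from January 1, 2027.
    blocking = bool(gaps) and (current == "exclusively use"
                               or (new_acquisition and year >= 2027))
    return {"phase": current, "gaps": gaps, "compliant": not gaps, "blocking": blocking}


# Constructed sample configurations (not real systems).
WEB_SERVER = {"symmetric": "AES-256", "key_establishment": "ECDH-P384",
              "signature": "ECDSA-P384", "hash": "SHA-384"}
FIRMWARE_SIGNER = {"signature": "LMS", "hash": "SHA-384"}
OS_IMAGE = {"signature": "SLH-DSA-SHA2-256s", "hash": "SHA-512"}

if __name__ == "__main__":
    for name, cfg, use_case in [("web server", WEB_SERVER, "web_cloud"),
                                ("firmware signer", FIRMWARE_SIGNER, "software_firmware_signing"),
                                ("OS image", OS_IMAGE, "operating_system")]:
        print(name, assess(cfg, use_case, 2026))
```

Two behaviours are worth noticing. The firmware signer passes with LMS, but the same LMS configuration fails under the web/cloud use case, which is exactly the SP 800-208 carve-out the suite makes. And the OS image using SLH-DSA is reported as a gap even though SLH-DSA is a finalized FIPS standard, because CNSA 2.0 does not approve it for NSS; by 2033 that gap becomes blocking rather than merely "should prefer".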
CISA’s evolving role: from mandate enforcer to guidance provider
CISA’s PQC footprint has shifted measurably under the Trump administration, from a compliance-enforcement posture to an advisory one.
CISA established its Post-Quantum Cryptography Initiative on July 6, 2022, organizing work across four areas: risk assessment of 55 National Critical Functions (with RAND Corporation identifying four priority sectors), interagency engagement, tool development, and published guidance. CISA’s quantum landing page at cisa.gov/quantum remains active.
The CISA PQC Product Categories List was published on January 23, 2026 — slightly past the December 1, 2025 deadline set by EO 14306. It classifies product categories into two tiers: “Widely Available” (cloud services, web browsers, endpoint security products where PQC-capable products already exist commercially) and “Transitioning” (networking hardware/software, storage area networks, identity/access management, containers where capabilities are still maturing). Products must implement FIPS 203, 204, and/or 205. This list is advisory, not a procurement mandate. Under Biden’s original EO 14144, agencies would have been required to include PQC in solicitations within 90 days of listing; Trump’s EO 14306 removed that trigger. CISA official Gary Jones warned vendors that “if your product is not PQC-enabled, you probably won’t be able to do business with the government as we move forward.”
A critical operational nuance identified in the CISA guidance is what might be called the “Signature Gap.” The vast majority of products in the “Widely Available” category implement FIPS 203 (ML-KEM) for key establishment — effectively protecting data in transit from future harvest-now-decrypt-later attacks — but commercial support for FIPS 204 (ML-DSA) digital signatures lags significantly behind. This creates a dangerous half-migrated state: encrypted payloads may be quantum-resistant, but the authentication layer that verifies identities and ensures message integrity remains vulnerable to quantum-enabled forgery. CISOs evaluating vendor claims of being “quantum safe” should interrogate whether both key encapsulation and digital signatures have been upgraded — a system is not truly resilient until both functions are covered.
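To make the Signature Gap concrete, here is an added Python example (mine, not CISA's) that scans constructed TLS handshake records and classifies each connection by whether its key exchange and its certificate signature are post-quantum. The log format is assumed; the group and signature-scheme strings follow the naming used in the IETF drafts for ML-KEM and ML-DSA in TLS 1.3 (X25519MLKEM768 from draft-ietf-tls-ecdhe-mlkem, mldsa65 from draft-ietf-tls-mldsa) and should be checked against whatever your own stack logs; the detection rule, treating any group name containing "MLKEM" as carrying an ML-KEM share, is my simplification. It also records whether each connection used TLS 1.3, since that is the EO 14306 deadline item.

```python
import re
from collections import Counter
from typing import Dict

# Constructed handshake log lines in an assumed key=value format (not the
# output of any real product). Group and signature-scheme names follow the
# TLS 1.3 draft naming for ML-KEM hybrids and ML-DSA (assumption).
SAMPLE_LOG = """\
2026-02-10T12:00:01Z host=portal.example.gov tls=TLSv1.3 group=X25519MLKEM768 sigalg=ecdsa_secp256r1_sha256
2026-02-10T12:00:02Z host=api.example.gov tls=TLSv1.3 group=x25519 sigalg=rsa_pss_rsae_sha256
2026-02-10T12:00:03Z host=pilot.example.gov tls=TLSv1.3 group=X25519MLKEM768 sigalg=mldsa65
2026-02-10T12:00:04Z host=legacy.example.gov tls=TLSv1.2 group=secp256r1 sigalg=rsa_pkcs1_sha256
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("host", "tls", "group", "sigalg")


def parse_line(line: str) -> Dict[str, str]:
    return dict(KV.findall(line))


def key_exchange_class(group: str) -> str:
    """'pq' for a pure ML-KEM group, 'hybrid' for classical+ML-KEM, else 'classical'.
    Assumption: any group name containing MLKEM carries an ML-KEM share."""
    g = group.upper()
    if "MLKEM" in g:
        return "pq" if g.startswith("MLKEM") else "hybrid"
    return "classical"


def auth_class(sigalg: str) -> str:
    """'pq' when the certificate signature scheme is ML-DSA or SLH-DSA."""
    s = sigalg.lower()
    return "pq" if ("mldsa" in s or "slhdsa" in s) else "classical"


def assess_handshake(fields: Dict[str, str]) -> Dict[str, object]:
    kex = key_exchange_class(fields["group"])
    auth = auth_class(fields["sigalg"])
    if kex == "classical" and auth == "classical":
        status = "fully classical"
    elif auth == "classical":
        status = "signature gap"        # transit protected, identity still forgeable
    elif kex == "classical":
        status = "authentication only"  # unusual: PQ signature over classical key exchange
    else:
        status = "fully post-quantum"
    return {"key_exchange": kex, "authentication": auth, "status": status,
            "tls13": fields["tls"] == "TLSv1.3"}  # EO 14306 TLS 1.3 deadline: Jan 2, 2030


def assess_log(text: str) -> Dict[str, Dict[str, object]]:
    """Map each host to its assessment (the last handshake seen for a host wins)."""
    results = {}
    for line in text.splitlines():
        fields = parse_line(line)
        if all(k in fields for k in REQUIRED):
            results[fields["host"]] = assess_handshake(fields)
    return results


def summarize(text: str) -> Dict[str, int]:
    """Count of hosts per status, the number a CISO would put on a dashboard."""
    return dict(Counter(r["status"] for r in assess_log(text).values()))


if __name__ == "__main__":
    for host, r in assess_log(SAMPLE_LOG).items():
        print(f"{host:22} {r['status']:20} tls13={r['tls13']}")
    print(summarize(SAMPLE_LOG))
```

On the sample data, portal.example.gov is the case the paragraph warns about: it negotiates the hybrid X25519MLKEM768 group, so its session keys are protected against harvest-now-decrypt-later, but its certificate is still ECDSA P-256, so the connection lands in "signature gap" rather than "fully post-quantum". A vendor claim of "quantum safe" should be tested against both columns of this output, not just the key-exchange one.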
CISA’s Strategy for Automated Cryptographic Discovery and Inventory was published on September 26, 2024, fulfilling M-23-02’s requirement for an automated tooling strategy. It promotes Automated Cryptography Discovery and Inventory (ACDI) tools integrated with CISA’s Continuous Diagnostics and Mitigation (CDM) program. Currently, only 3 of the 9 data items required by M-23-02 can be collected by automated tools — the remainder require manual inventory. CISA planned to work with GSA to develop a list of PQC-enabled products with version numbers within 90 days.
Joint guidance publications include the CISA/NSA/NIST factsheet on quantum readiness (August 21, 2023), recommending organizations establish quantum-readiness roadmaps, create cryptographic inventories, and prioritize high-impact systems. CISA also published “Post-Quantum Considerations for Operational Technology” in late 2024, warning that OT systems face unique challenges due to legacy platforms, long lifecycles, and strict safety requirements, and may be “the last remaining platforms to achieve post-quantum cryptographic standards.” The GSA PQC Buyer’s Guide (2025) provides practical procurement guidance for agencies navigating the transition.
Sector-specific landscape: no private-sector mandates yet, but the walls are closing in
No US sector has a binding, mandatory PQC adoption requirement for private-sector entities as of February 2026. Federal agencies bear the direct compliance burden; the private sector faces indirect pressure through procurement requirements, supervisory expectations, and evolving standards of care.
In the financial sector, the OCC became the first banking regulator to address PQC in its Fall 2022 Semiannual Risk Perspective, calling on banks to monitor quantum risks. The Federal Reserve’s July 2025 Cybersecurity and Financial System Resilience Report identified quantum computing as a “significant emerging risk area.” The SEC’s cybersecurity disclosure rules (effective September 5, 2023) do not mention PQC specifically, but require public companies to disclose processes for assessing material cybersecurity risks — quantum threats could trigger disclosure obligations if deemed material to investors. Notably, the SEC has begun signaling PQC expectations in the digital assets space: proposed regulatory frameworks for digital asset custody reference NIST PQC algorithms (specifically naming CRYSTALS-Kyber) and CNSA 2.0 compatibility as security considerations. Several recent S-1 registration statements from companies pursuing IPOs now explicitly disclose their use of hybrid encryption schemes combining PQC algorithms with classical cryptography — a sign that quantum readiness is becoming a material disclosure issue for public companies. FINRA published a comprehensive report on quantum implications for the securities industry in October 2023, recommending cryptographic inventory and migration planning but emphasizing it “does not create new legal or regulatory requirements.” The G7 Cyber Expert Group released a financial sector PQC roadmap on January 13, 2026, co-chaired by the US Treasury and Bank of England, targeting critical systems for migration by 2030–2032 and full transition by 2035. The FS-ISAC has published multiple PQC guidance documents through 2024–2025.
Healthcare operates under HIPAA’s technology-neutral “reasonable safeguards” standard, which currently does not mandate PQC. Proposed 2025 HIPAA updates emphasize AES-256 and TLS 1.3 but do not require quantum-resistant algorithms. However, the “reasonable safeguard” standard evolves with technology — as PQC becomes baseline practice, failure to implement it could constitute a deficiency. The FDA’s 2023 premarket cybersecurity guidance for medical devices requires lifecycle security and will eventually flow PQC requirements through FIPS 140-3 validation and Cryptographic Bills of Materials. More broadly, CISA’s formal determination that PQC-capable products are “widely available” in specific categories is establishing a new benchmark for what courts and regulators may consider the reasonable standard of care. If a healthcare organization — or any enterprise handling long-lived sensitive data — suffers a breach involving data encrypted with deprecated algorithms in a product category CISA has declared PQC-capable, plaintiffs’ attorneys and regulators will have a powerful reference point for arguing the organization failed to meet the prevailing security standard.
The cyber insurance market is beginning to reflect this shift. Underwriters in 2026 are increasingly incorporating quantum readiness into their risk assessment questionnaires during policy renewals. Organizations unable to demonstrate a coherent PQC transition plan — beginning with a cryptographic inventory — may face higher premiums or explicit policy exclusions for quantum-related exposure. This creates a financial incentive that operates independently of any regulatory mandate.
For federal contractors, PQC is not yet a contractual requirement. CMMC (final program rule effective December 16, 2024; DFARS acquisition rule effective November 10, 2025) is based on NIST SP 800-171 Rev 2, which references classical cryptographic requirements. PQC requirements will flow to contractors when SP 800-171 is updated — no firm timeline exists. FedRAMP similarly awaits updates to NIST SP 800-53 and FIPS 140-3 validated PQC implementations, expected no earlier than 2027. Trump’s EO 14306 removed the mandatory procurement trigger, meaning agencies have discretion rather than obligation to require PQC in solicitations.
Critical infrastructure faces advisory but not mandatory PQC pressure. NERC’s January 2026 CIP Roadmap identifies quantum computing as an “Emerging Security Risk” but includes no specific CIP requirements. No PQC-specific regulations exist for telecommunications, transportation, or energy sectors. State-level PQC legislation is nonexistent — no US state has enacted quantum-specific cryptographic requirements.
Internationally, the EU published a coordinated PQC implementation roadmap on June 23, 2025, targeting critical infrastructure quantum-resistance by 2030 — more aggressive than US civilian timelines. The UK NCSC set a three-phase schedule: core migration plan by 2028, priority upgrades by 2031, complete migration by 2035. US CISOs with international operations should anticipate that EU timelines may create compliance obligations that precede domestic mandates.
Comprehensive chronological timeline of US PQC policy actions
| Date | Action |
|---|---|
| Dec 20, 2016 | NIST issues call for PQC algorithm proposals |
| Dec 21, 2018 | National Quantum Initiative Act signed (P.L. 115-368) |
| Jul 22, 2020 | NIST announces Round 3 — 7 finalists, 8 alternates |
| May 12, 2021 | EO 14028 on cybersecurity signed |
| Jan 26, 2022 | OMB M-22-09 on Zero Trust Architecture |
| May 4, 2022 | NSM-10 signed — 2035 PQC migration goal established |
| Jul 5, 2022 | NIST selects 4 algorithms for standardization; Round 4 begins |
| Jul 6, 2022 | CISA launches PQC Initiative |
| Aug 9, 2022 | CHIPS and Science Act signed |
| Sep 7, 2022 | NSA announces CNSA 2.0 |
| Nov 18, 2022 | OMB M-23-02 issued — federal inventory requirements |
| Dec 21, 2022 | Quantum Computing Cybersecurity Preparedness Act signed |
| May 4, 2023 | First agency cryptographic inventory submissions due |
| Aug 21, 2023 | CISA/NSA/NIST joint quantum readiness factsheet |
| Aug 24, 2023 | Draft FIPS 203, 204, 205 published for comment |
| Apr 2024 | 5th NIST PQC Standardization Conference |
| Jul 2024 | White House PQC Report: $7.1B migration cost estimate |
| Aug 13, 2024 | FIPS 203, 204, 205 finalized — compliance clock starts |
| Sep 26, 2024 | CISA automated cryptographic discovery strategy published |
| Oct 24, 2024 | 14 candidates advance to Round 2 of additional signature evaluation |
| Nov 12, 2024 | NIST IR 8547 draft: deprecate by 2030, disallow by 2035 |
| Dec 2024 | CNSA 2.0 FAQ updated to Ver 2.1 |
| Jan 16, 2025 | EO 14144 signed by Biden (4 days before leaving office) |
| Jan 20, 2025 | Trump inauguration; mass EO rescissions — PQC orders spared |
| Mar 11, 2025 | HQC selected as 5th PQC algorithm |
| Jun 6, 2025 | EO 14306 signed by Trump — amends EO 14144, removes procurement mandate |
| Jul 2025 | OMB drafts new PQC migration memo (not yet finalized) |
| Sep 18, 2025 | SP 800-227 finalized; CSWP 48 draft published |
| Nov 4, 2025 | DOE allocates $625M for quantum research centers |
| Nov 20, 2025 | DoD CIO memo — Pentagon-wide PQC inventory and migration leads |
| Nov 24, 2025 | Genesis Mission EO — AI-driven science initiative includes quantum as priority domain |
| Dec 19, 2025 | CSWP 39 (crypto agility) finalized |
| Jan 23, 2026 | CISA PQC product categories list published |
| Feb 3, 2026 | Draft quantum EO “Ushering In The Next Frontier” reported |
| Sep 21, 2026 | FIPS 140-2 certificates sunset — only FIPS 140-3 accepted for new procurement |
What is legally required right now, what is recommended, and what has been rescinded
Understanding the distinction between mandatory obligations, advisory guidance, and rescinded provisions is the single most important analytical exercise for any CISO assessing their organization’s PQC posture.
Mandatory for federal agencies (enforceable legal obligations):
- The Quantum Computing Cybersecurity Preparedness Act requires agencies to maintain cryptographic inventories, develop migration plans, and report annually to Congress. This is federal law — no executive order can override it. OMB migration guidance was due by approximately August 2025 under the Act’s one-year post-standards deadline.
- OMB M-23-02 requires annual cryptographic inventory submissions through 2035, designation of migration leads, and funding assessments. Not rescinded.
- NSM-10 requires FCEB agencies to submit annual inventories of quantum-vulnerable systems and develop transition plans. Not rescinded; explicitly referenced in Trump’s EO 14306.
- EO 14306 requires support for TLS 1.3 or successor by January 2, 2030 across all federal systems.
- CNSA 2.0 mandates PQC algorithm adoption for all National Security Systems on the aggressive timeline detailed above, with new acquisitions required to be CNSA 2.0 compliant by January 1, 2027.
- FIPS 140-2 sunset moves all remaining certificates to Historical status on September 21, 2026 — after that date, only FIPS 140-3 validated modules may be used for new procurement. While not PQC-specific, this deadline directly constrains the PQC migration timeline.
Recommended but not mandatory (guidance and advisory provisions):
- The CISA PQC product categories list identifies where PQC-capable products are available. CISA recommends agencies “should acquire only PQC-capable products” in listed categories, but no procurement mandate exists following Trump’s removal of the solicitation trigger. However, individual agencies may impose their own PQC procurement requirements through acquisition regulations — the USDA AGAR is the first confirmed example.
- NIST IR 8547’s deprecation timeline (2030) and disallowance date (2035) are in draft and not yet binding, though they signal NIST’s direction for mandatory federal standards.
- All sector-specific PQC guidance (OCC, Fed, SEC, FINRA, FFIEC, HIPAA) is advisory. No US private-sector PQC mandate exists.
- NIST SP 1800-38, CSWP 39, and SP 800-227 provide best-practice guidance for migration planning and implementation.
Removed or scaled back (previously proposed requirements that were eliminated):
- The mandatory procurement trigger — Biden’s requirement for agencies to include PQC in solicitations within 90 days of CISA listing — was removed by EO 14306.
- The “as soon as practicable” hybrid adoption mandate — directing agencies to implement PQC/hybrid key establishment immediately upon vendor support — was removed by EO 14306.
- International PQC promotion provisions — requiring State and Commerce to engage foreign governments on NIST algorithm adoption — were removed by EO 14306.
- No Biden-era PQC deadlines have been formally rescinded. The legal framework remains intact; what changed is the enforcement posture and prescriptive urgency.
Key uncertainties flagged during research:
Several important questions lack definitive public answers as of February 2026. Whether OMB issued the migration guidance required by the Quantum Computing Cybersecurity Preparedness Act by the August 2025 statutory deadline is unclear — no public record confirms it. Whether federal agencies are still submitting annual cryptographic inventories under M-23-02 is uncertain, though the DoD CIO’s November 2025 memo and vendor activity suggest at least partial compliance. The pending OMB draft memo and draft quantum executive order could significantly alter the landscape if finalized, potentially accelerating timelines or imposing new vendor requirements. The status of GAO’s January 2025 recommendation that the Office of the National Cyber Director lead PQC implementation remains unaddressed, particularly given ongoing vacancies in the National Cyber Director and CISA Director positions. And the extent to which CISA’s “widely available” product category determinations will function as a de facto legal standard of care in private-sector litigation and regulatory enforcement — particularly in sectors like healthcare and financial services — remains an open question with potentially significant liability implications.
Conclusion: the regulatory floor is firm, the enforcement ceiling is negotiable
The US PQC regulatory framework in early 2026 presents a paradox that CISOs must navigate carefully. The legal foundation is stronger than ever — enacted federal law, finalized NIST standards, and unrescinded presidential directives collectively mandate a 2035 migration target with near-term inventory and planning obligations. Yet the enforcement mechanism has been deliberately loosened, with the Trump administration removing prescriptive procurement mandates in favor of agency discretion and market-driven adoption.
For organizations selling to the federal government, CNSA 2.0’s January 2027 new-acquisition deadline for NSS is the most immediate hard deadline. For civilian-facing vendors, the absence of a procurement mandate creates a false sense of safety — CISA’s product categories list signals where the market is heading, and the pending OMB memo could reimpose vendor-facing requirements at any point. The DoD CIO’s November 2025 memo demonstrates that individual agencies can and will impose aggressive PQC timelines regardless of White House softening.
Three strategic realities should guide CISO decision-making. First, cryptographic inventory is non-negotiable — every major policy document, from M-23-02 to the Quantum Computing Cybersecurity Preparedness Act to the DoD CIO memo, begins with knowing what cryptography you have. Second, NIST IR 8547’s 2030 deprecation date, while still in draft, represents NIST’s considered technical judgment and will shape procurement, compliance, and audit expectations well before formal enforcement begins. Third, the harvest-now-decrypt-later threat does not wait for regulatory compliance deadlines — sensitive data encrypted with RSA or ECDH today is already at risk from adversaries with long-term strategic patience.
CISOs should also recognize that the removal of top-down procurement mandates has not eliminated procurement pressure — it has distributed it. The USDA’s AGAR clause demonstrates that individual agencies can and will impose PQC requirements through their own acquisition rules, creating an uneven but expanding compliance landscape. The September 21, 2026 FIPS 140-2 sunset adds another near-term pressure point: vendors without FIPS 140-3 validated modules will be locked out of federal procurement entirely, while FIPS 140-3 validated PQC implementations remain at least 12–18 months away for most vendors. And the emerging “Signature Gap” — where key encapsulation has outpaced digital signature adoption — means that even organizations that have begun PQC deployment may be operating in a dangerously half-migrated state.
The regulatory framework provides the floor; the threat landscape should set the ceiling.
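As an added illustration of the inventory-first and "Signature Gap" points above (example code, not the article's own): a small Python classifier over a constructed inventory that flags assets still on classical key establishment and assets that adopted ML-KEM but still sign with RSA or ECDSA. The row format, the algorithm labels and the asset names are assumptions made for the example.

```python
"""Classify a constructed cryptographic inventory for PQC migration status.
Assumed row format (not from the article): per asset, a key-establishment
label and a signature label; hybrids are written "classical+pqc"."""
from dataclasses import dataclass

PQC_KEM = {"ML-KEM"}              # FIPS 203
PQC_SIG = {"ML-DSA", "SLH-DSA"}   # FIPS 204, FIPS 205


@dataclass(frozen=True)
class Asset:
    name: str
    key_establishment: str
    signature: str


def _uses_pqc(label: str, pqc_algs: set[str]) -> bool:
    # True if any component of a (possibly hybrid) label is a PQC algorithm.
    return any(part.strip() in pqc_algs for part in label.split("+"))


def classify(asset: Asset) -> str:
    """Map one asset to a migration state.
    Anything not recognized as a FIPS 203 KEM is treated as quantum-vulnerable:
    a conservative default, since classical key establishment is exactly what
    harvest-now-decrypt-later collection targets."""
    kem_pqc = _uses_pqc(asset.key_establishment, PQC_KEM)
    sig_pqc = _uses_pqc(asset.signature, PQC_SIG)
    if kem_pqc and sig_pqc:
        return "pqc-complete"
    if kem_pqc:
        return "signature-gap"  # PQC key establishment, still classical signatures
    return "quantum-vulnerable"


def summarize(inventory: list[Asset]) -> dict[str, list[str]]:
    """Group asset names by migration state so the signature gap is visible."""
    groups: dict[str, list[str]] = {}
    for asset in inventory:
        groups.setdefault(classify(asset), []).append(asset.name)
    return groups


# Constructed sample inventory (illustrative names, not real systems).
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", "ECDH", "ECDSA"),
    Asset("public-api-tls", "X25519+ML-KEM", "ECDSA"),
    Asset("build-signing", "ML-KEM", "ML-DSA"),
    Asset("legacy-mail-relay", "RSA", "RSA"),
]
```

Run `summarize(SAMPLE_INVENTORY)` to see the half-migrated "signature-gap" bucket separated from fully classical assets; in a real inventory the labels would come from certificate and TLS configuration discovery rather than hand-entered rows.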
Quantum Upside & Quantum Risk - Handled
My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.