Quantum Unfiltered #11 — The 2035 PQC Migration Excuse Is Gone
If you were using the US government's 2035 timeline to defer your PQC migration, that excuse ended on June 22.
In this edition: President Trump signed Executive Order, setting the first enforceable federal completion deadlines for post-quantum migration: key establishment by December 2030, digital signatures by December 2031, with contractors pulled in through FAR amendments and a new cryptographic-bill-of-materials mandate. I predicted this almost exactly a month ago. I walk through what the order does, why the 2030 headline matters well beyond the agencies it legally binds, and where the open-source PQC Migration Framework already answers the questions it makes mandatory. France's ANSSI confirmed PQC certification requirements from 2027 days earlier. I also cover why implementation risk is now the binding constraint: Daniel Bernstein's ML-DSA key recovery in under a second, the open reproduction of Google's ECC circuits and where the qubit count floors out, and CNSA 2.0 in the new picture. The Flapdoodle: vendors selling "mathematically proven unbreakable" cryptography against the standard the EO just mandated, and fabricated quantum salary guides.
The EO That Moved the Date
If you have been using the US government’s 2035 timeline as a reason to put off your post-quantum migration, that excuse is gone. On June 22, President Trump signed Executive Order “Securing the Nation Against Advanced Cryptographic Attacks,” and the date that matters is now 2030. Every federal high-value asset and high-impact system must complete PQC migration for key establishment by 31 December 2030 and for digital signatures by 31 December 2031. Federal contractors face a 2030 compliance deadline through mandatory Federal Acquisition Regulation amendments.
This is not the first piece of US federal PQC policy. NSM-10 and OMB M-23-02 have required agencies to inventory their cryptography and plan their migrations since 2022, and National Security Systems have had hard dates under CNSA 2.0. I keep a running map of the whole US PQC regulatory framework. What EO changes is the nature of the obligation, not the scope. NSM-10 and M-23-02 already targeted high-value and high-impact systems, but their requirement was to inventory and plan, with 2035 as an aspiration to be met "as feasible." That is a planning mandate with a soft horizon: an agency could file annual inventories and call itself compliant without completing a single migration. The order replaces it with a completion mandate, hard 2030 and 2031 dates, named accountable officials, and FAR rules extending the same deadline to contractors. The scope barely moved. The enforceability did, and the finish line jumped five years closer.
Each agency must appoint a PQC migration lead within 30 days. OMB has 90 days to issue binding migration guidance. NIST must run a pilot migration on its own systems by end of 2027. The order names Harvest Now, Decrypt Later explicitly as a present-tense threat.
I Called This a Month Ago
On May 24, I published a piece arguing that PQC deadlines were about to compress and specifically flagged a draft US executive order pulling federal migration toward 2030. Four weeks later the order is signed, with the dates almost exactly where I expected. The deadlines have been moving in one direction for two years. The signals were public for anyone willing to read them instead of the reassuring headline number.
The Two Sharpest Edges
Two provisions deserve attention beyond the headline dates. The contractor mandate requires the FAR Council to publish a proposed rule compelling covered contractors to comply with NIST FIPS incorporating PQC by 31 December 2030. That reaches every company selling to the federal government, turning a federal completion deadline into a contractual obligation across the defense industrial base and the wider federal supply chain.
The cryptographic bill of materials (CBOM) mandate is the other. Within 270 days, CISA and NIST must define minimum CBOM elements for automated assessment of cryptographic assets in hardware and software. You cannot migrate what you cannot see, and discovery has been the part organizations consistently underestimate. A standardized CBOM is the most consequential part of the order, and the least discussed.
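The CBOM mandate and the two deadlines can be turned into a concrete triage step. The following Python script is an added example, not code from the newsletter, the PQC Migration Framework or any CISA/NIST CBOM specification: it takes a constructed inventory (the kind of records a discovery scan over configs, certificates and libraries would produce), classifies each asset as quantum-vulnerable, hybrid, pure PQC or symmetric, attaches the EO completion date by cryptographic function (key establishment 2030, signatures 2031), checks the asset against the CNSA 2.0 parameter sets named later in this edition, and emits a CBOM modelled on CycloneDX 1.6 cryptographic-asset components. The CycloneDX field and enum names are reproduced from memory of that spec and should be checked against it; the inventory values are illustrative.

```python
"""Cryptographic inventory -> CBOM and EO deadline triage (added example, not the newsletter's code)."""
import json
from datetime import date

# Constructed sample inventory; the values are illustrative, not real findings.
INVENTORY = [
    {"location": "edge/tls-listener", "algorithm": "X25519", "function": "key-establishment", "params": "X25519"},
    {"location": "edge/tls-listener", "algorithm": "X25519MLKEM768", "function": "key-establishment", "params": "X25519MLKEM768"},
    {"location": "pki/issuing-ca", "algorithm": "RSA", "function": "signature", "params": "RSA-3072"},
    {"location": "build/code-signing", "algorithm": "ML-DSA", "function": "signature", "params": "ML-DSA-65"},
    {"location": "vpn/ike", "algorithm": "ECDH", "function": "key-establishment", "params": "P-256"},
    {"location": "backup/at-rest", "algorithm": "AES", "function": "encryption", "params": "AES-256-GCM"},
    {"location": "nss/link-encryptor", "algorithm": "ML-KEM", "function": "key-establishment", "params": "ML-KEM-1024"},
]

# Public-key families broken by Shor's algorithm: these are the EO's migration targets.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
# FIPS 203/204/205 primitives, and TLS hybrid groups that carry one of them.
PQC_PURE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
PQC_HYBRID = {"X25519MLKEM768", "SecP256r1MLKEM768"}
# EO completion dates by cryptographic function.
EO_DEADLINE = {"key-establishment": date(2030, 12, 31), "signature": date(2031, 12, 31)}
# CNSA 2.0 asymmetric parameter sets as this edition describes them (ML-KEM-1024 and ML-DSA-87 only).
CNSA2_ASYMMETRIC = {"ML-KEM-1024", "ML-DSA-87"}

# CycloneDX-style primitive names and crypto functions (assumed from the 1.6 spec; verify before use).
CRYPTO_FUNCTIONS = {
    "kem": ["encapsulate", "decapsulate"],
    "key-agree": ["keygen", "keyderive"],
    "signature": ["sign", "verify"],
    "ae": ["encrypt", "decrypt"],
    "other": ["unknown"],
}


def primitive_for(asset):
    """Map an inventory record onto a CycloneDX-style primitive name."""
    if asset["function"] == "key-establishment":
        return "kem" if asset["algorithm"] in PQC_PURE | PQC_HYBRID else "key-agree"
    return {"signature": "signature", "encryption": "ae"}.get(asset["function"], "other")


def classify(asset):
    """Return triage status, EO deadline and CNSA 2.0 eligibility for one asset."""
    alg, fn = asset["algorithm"], asset["function"]
    deadline = EO_DEADLINE.get(fn)
    if alg in QUANTUM_VULNERABLE:
        status = "migrate"
    elif alg in PQC_HYBRID:
        status = "hybrid"  # PQC-protected now; the classical half can be dropped later if policy allows
    elif alg in PQC_PURE:
        status = "pqc"
    else:
        status = "symmetric-review"  # symmetric/hash: review key sizes, outside the EO's asymmetric scope
        deadline = None
    return {
        "status": status,
        "deadline": deadline.isoformat() if deadline else None,
        "cnsa2_ok": (asset["params"] in CNSA2_ASYMMETRIC) if fn in EO_DEADLINE else None,
    }


def build_cbom(inventory):
    """Emit a CBOM shaped like CycloneDX 1.6 cryptographic-asset components, with triage in properties."""
    components = []
    for asset in inventory:
        primitive = primitive_for(asset)
        components.append({
            "type": "cryptographic-asset",
            "name": asset["params"],
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": primitive,
                    "parameterSetIdentifier": asset["params"],
                    "cryptoFunctions": CRYPTO_FUNCTIONS[primitive],
                },
            },
            "evidence": {"occurrences": [{"location": asset["location"]}]},
            "properties": [{"name": f"pqc:{k}", "value": str(v)} for k, v in classify(asset).items()],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": components}


def migration_backlog(inventory):
    """Assets that must move, ordered by EO deadline: key establishment (HNDL exposure) before signatures."""
    todo = []
    for asset in inventory:
        triage = classify(asset)
        if triage["status"] == "migrate":
            todo.append((triage["deadline"], asset["location"], asset["params"]))
    return sorted(todo)


if __name__ == "__main__":
    print(json.dumps(build_cbom(INVENTORY), indent=2))
    for deadline, location, params in migration_backlog(INVENTORY):
        print(f"{deadline}  {location:<22} {params}")
```

The backlog ordering is the point: key-establishment assets carry the earlier date and the harvest-now-decrypt-later exposure, so they sort first regardless of where they sit in the inventory, while the properties block keeps the CNSA 2.0 check visible for any asset that will end up on a National Security System.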
A companion order, EO, was signed the same day to fund a science-grade quantum computer and refresh the national strategy. The same administration is pushing to build the machine and to defend against it.
The 2030 Headline Travels Further Than the Order
The legal force of EO is narrow: it binds federal agencies and, through the FAR, their contractors. It has no hold on a German manufacturer, a Brazilian bank, or a private US company outside the federal supply chain. What it changes is the pressure environment around all of them. For three years, the most common reason I heard for deferring a migration was some version of “the US government says 2035.” That number was NSM-10's "as feasible" aspiration, a planning horizon rather than a completion deadline, but boards reached for it because it was convenient. The executive order deleted five years from that excuse.
Auditors, insurers, and clients who were also anchored to 2035 are recalibrating to the same 2030 headline, and the procurement reach into the contractor base means the deadline propagates through supply chains well past the agencies it formally binds. Your board will see “2030 deadline,” and the question that follows, “are we exposed to this?”, lands on whoever owns security. The legal obligation extends only to federal agencies and their contractors, but the gravitational pull reaches well past them.
If You Don’t Know Where to Start
So the question has landed on your desk. The order specifies what to achieve and by when; it does not tell anyone how. That gap is what I built the open-source PQC Migration Framework to fill: how to run cryptographic discovery and produce a CBOM, how to sequence key-establishment and signature migration against 2030 and 2031, how to handle the hybrid decision, and how to stand up the governance. It is free under CC BY 4.0, with extensions for government, defense, critical infrastructure, financial services, telecommunications, and payments. If you are staring at a compressed deadline and an empty plan, start there.
If you need more than a framework, that is what my company, Applied Quantum, does: cryptographic discovery, CBOM architecture, migration planning, vendor due diligence, and board briefings. The deadline is fixed, the work is large, and the organizations that start while it is a program will not be doing it as a crisis in 2029.
France Confirms: PQC Certification From 2027
Days before the executive order, France’s ANSSI confirmed PQC requirements for product security certification from 2027, with all enterprise purchases expected to be quantum-safe by 2030. France had been signaling this since late last year; the news is the public, dated confirmation, and the convergence it creates. The US sets 2030 for federal key establishment, France sets 2030 for enterprise procurement, the EU’s roadmap targets 2030 for critical infrastructure, and Australia wants classical asymmetric cryptography gone by end of 2030. Four jurisdictions, arriving independently at the same year.
The Deadline Map, Redrawn
I maintain a Global PQC Deadlines Deep Dive mapping 60+ milestones across 15+ jurisdictions, and I am updating it now to reflect the executive order. The compression: September 2026, FIPS 140-2 sunset. November 2026, CMMC Level 2 enforcement. January 2027, CNSA 2.0 procurement gate and ANSSI certification. 2030, the convergence year. 2031, US federal digital signatures.
On hybrid, the jurisdictions still split: BSI and ANSSI mandate it, NCSC and CNSA 2.0 push pure PQC, Australia discourages it. No single global configuration satisfies all of them, which is why crypto-agility has moved from best practice to operational necessity. For the full mapping and the interactive Global PQC Migration Timeline, see the Deep Dive.
Why Implementation Is Now the Binding Constraint
The executive order mandates migration to NIST-standardized algorithms on a hard timeline. The algorithms are well-tested. The implementations are brand new, and that is where the near-term danger lives.
Daniel J. Bernstein published working attack code against two classes of ML-DSA (FIPS 204) software vulnerabilities, recovering the secret key in under one second on a laptop. His probability estimate: 25% of ML-DSA libraries will ship with severe vulnerabilities at initial release, and solo ML-DSA would produce an order of magnitude more breakable keys than hybrid Ed25519+ML-DSA over the next five years. In his framing, the near-term risk from our own implementation code exceeds the near-term risk from quantum computers by three orders of magnitude. I wrote my own analysis of why this settles the hybrid question for now: hybrid carries real cost (double the maintenance, new SOC monitoring for downgrade attacks), but Bernstein’s evidence is why we pay it through the code-maturation period. The EO’s CBOM and vulnerability-disclosure provisions point in the same direction: they treat implementation flaws as the live threat, alongside algorithm choice rather than as an afterthought.
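The "new SOC monitoring for downgrade attacks" cost of hybrid is easy to underestimate until you write the rule. The Python below is an added example, not code from the newsletter or from any vendor: it runs detection logic over constructed TLS handshake log lines (JSON records with the client's offered supported_groups and the server's selected group, a format assumed for the example), classifies each session as hybrid, classical-only client, downgrade, unsupported hybrid, or incomplete, and raises an alert only when a client offered a hybrid group the server is configured for and still ended up on a classical group. The group names X25519MLKEM768, SecP256r1MLKEM768 and X25519Kyber768Draft00 are real TLS codepoint names; the server policy set and the log records are constructed.

```python
"""Hybrid key-exchange fallback detection over TLS handshake logs (added example, not the newsletter's code)."""
import json
from collections import Counter

# TLS 1.3 hybrid key-exchange group names as registered/deployed; draft Kyber name kept for older clients.
HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "X25519Kyber768Draft00"}
# Hybrid groups this (hypothetical) server is configured to negotiate.
SERVER_HYBRID_GROUPS = {"X25519MLKEM768"}

# Constructed log lines: one handshake per line, emitted by a hypothetical TLS terminator.
LOG_LINES = [
    '{"ts":"2026-06-23T10:00:01Z","src":"10.0.1.5","sni":"api.example.internal",'
    '"client_groups":["X25519MLKEM768","X25519","secp256r1"],"selected_group":"X25519MLKEM768"}',
    '{"ts":"2026-06-23T10:00:02Z","src":"10.0.1.6","sni":"api.example.internal",'
    '"client_groups":["X25519MLKEM768","X25519"],"selected_group":"X25519"}',
    '{"ts":"2026-06-23T10:00:03Z","src":"10.0.2.9","sni":"api.example.internal",'
    '"client_groups":["X25519","secp256r1"],"selected_group":"X25519"}',
    '{"ts":"2026-06-23T10:00:04Z","src":"10.0.3.1","sni":"api.example.internal",'
    '"client_groups":["X25519Kyber768Draft00","X25519"],"selected_group":"X25519"}',
    '{"ts":"2026-06-23T10:00:05Z","src":"10.0.4.2","sni":"api.example.internal",'
    '"client_groups":["X25519MLKEM768","X25519"]}',
    'not a json record at all',
]


def classify_session(rec, server_hybrid=SERVER_HYBRID_GROUPS):
    """Classify one handshake record by what was offered versus what was negotiated."""
    offered = set(rec.get("client_groups", []))
    selected = rec.get("selected_group")
    if selected is None:
        return "incomplete"          # aborted handshake or missing field: cannot judge
    if selected in HYBRID_GROUPS:
        return "hybrid"              # PQC key establishment in place
    offered_hybrid = offered & HYBRID_GROUPS
    if not offered_hybrid:
        return "classical-client"    # client never offered hybrid: inventory item, not an alert
    if offered_hybrid & server_hybrid:
        return "downgrade"           # both sides support a hybrid group, yet classical was chosen
    return "unsupported-hybrid"      # client offered a hybrid the server is not configured for


def analyze(lines, server_hybrid=SERVER_HYBRID_GROUPS):
    """Run the classifier over log lines; return per-verdict counts and the downgrade alerts."""
    counts = Counter()
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            counts["unparseable"] += 1
            continue
        verdict = classify_session(rec, server_hybrid)
        counts[verdict] += 1
        if verdict == "downgrade":
            alerts.append({
                "ts": rec.get("ts"),
                "src": rec.get("src"),
                "sni": rec.get("sni"),
                "selected": rec["selected_group"],
                "offered_hybrid": sorted(set(rec["client_groups"]) & HYBRID_GROUPS),
            })
    return {"counts": dict(counts), "alerts": alerts}


if __name__ == "__main__":
    result = analyze(LOG_LINES)
    print(json.dumps(result, indent=2))
```

Two design notes. In TLS 1.3 the negotiated group is covered by the signed transcript and the Finished MAC, so a classical fallback between two hybrid-capable endpoints is far more likely a configuration change, a HelloRetryRequest path, or a middlebox than an active attacker; treat the alert as a triage signal for the hybrid rollout rather than proof of compromise. The "unsupported-hybrid" bucket is worth tracking separately, because it shows clients that are ahead of the server's configuration and tells you which group to enable next.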
Google’s Secret ECC Circuits: Open, Reproduced, and Approaching a Floor
In March, Google Quantum AI showed that Shor’s algorithm could break 256-bit elliptic curve cryptography with roughly 1,175 logical qubits and about 2.6 million Toffoli gates, but hid the designs behind zero-knowledge proofs. Two months later, the secret was out. André Schrottenloher at Inria independently built circuits matching Google’s qubit counts and beating them on gates: 1,462 logical qubits and roughly 1.9 million Toffoli gates per point addition for secp256k1. Craig Gidney confirmed the match and conceded the ZKP approach had failed. Trail of Bits had already found bugs in the ZKP prover that allowed forging a proof claiming zero Toffoli gates.
The circuits for breaking ECC-256 are now fully open. The resource-estimate trajectory, from 20 million physical qubits in 2019 to under 500,000 physical qubits today, keeps compressing, and harvest-now-decrypt-later is already happening, which is precisely why the executive order names it as a present threat.
How far does this fall? A public scoreboard at ecdsa.fail tracks the logical-qubit cost as researchers shave it down, and I worked through where the floor sits. The logical-qubit count is approaching an arithmetic floor near 500, set by the irreducible width of the modular arithmetic. But a leaner logical circuit often raises the bar to building the machine, because squeezing the qubit count demands higher gate fidelity and deeper circuits, pushing physical-qubit and error-correction requirements up. The logical number shrinking toward 500 and the physical machine remaining enormously hard are both true at once. You don’t need a Q-Day prediction to justify acting. The threat is concrete, the circuits are open, and the deadline is set.
CNSA 2.0 in the New Picture
The executive order clarifies: National Security Systems stay under CNSA 2.0, not the new 2030/2031 schedule. CNSA 2.0 remains the most operationally specific mandate anywhere: ML-KEM-1024 and ML-DSA-87 only, SLH-DSA excluded, January 2027 procurement gate, hard deadlines running 2030 through 2035.
Bernstein’s findings create a direct tension here. CNSA 2.0 pushes pure ML-DSA into environments where the code has had the least time to mature and a key recovery does the most damage. The validation gap bites too: no FIPS 140-3 module with PQC support is validated yet, earliest realistic validation mid-2027, after the procurement gate. The order directs NIST to revise the CMVP within 180 days to accelerate validations. Whether that closes the gap in time is the open question.
Coming Soon: Quantum Ready
My book Quantum Ready ships in the next few weeks. It covers the full path from board mandate through discovery, hybrid deployment, vendor governance, and building crypto-agility as a permanent capability. The executive order just turned “we should plan for this” into a dated federal mandate, and the book is the structured way from one to the other. Sign up at quantumready.com to be notified at launch.
Quantum Flapdoodle: “Mathematically Proven Unbreakable,” and Other Fictions
The executive order mandates migration to NIST-standardized algorithms. Right on cue, four companies pitched me partnership deals for proprietary post-quantum cryptography in a single morning, most promising “mathematically proven unbreakable” encryption. No such thing exists. Every one was a proprietary algorithm with no NIST standardization and no national-agency review, and the history of proprietary cryptography is a graveyard of schemes their vendors swore were unbreakable until someone competent looked.
What the NIST process bought was years of public cryptanalysis, the only thing that earns confidence in a primitive, and the EO just made those algorithms a federal requirement. The one-afternoon test: is the algorithm NIST-standardized or nationally approved? Is the specification public? Has it survived independent peer review? Three no’s and you are looking at the same con every broken proprietary cipher started as.
While we’re auditing confident claims: I reverse-engineered five quantum salary guides from recruitment agencies, and none are based on actual salary data. The numbers follow a formula: general software benchmark plus a 15 to 30% “quantum premium,” rounded to the nearest $5,000. When I asked for datasets, none could produce them. Fabricated benchmarks set unrealistic expectations and reinforce the perception of quantum as a gold-rush field, a fitting close for an edition about the distance between a confident claim and an evidenced one.
If you found this edition useful, forward it to a colleague whose PQC program is still planning to 2035. They need to see the new dates. If I got something wrong, hit reply. I read everything and correct publicly. The full PostQuantum.com resource library is at postquantum.com, and the open-source migration framework is at pqcframework.com.
— Marin