Executive Order 14409
By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered:
Section 1. Background and Policy. The advent of large-scale quantum computers, particularly in the hands of adversaries, will pose a significant threat to widely used cryptographic security systems. Ongoing cyber activity against our Nation also presents the risk of adversaries collecting United States information now, and decrypting it later once large-scale quantum computers are operational. In light of these threats, the United States must take steps to strengthen cryptographic protections for the Nation's sensitive data, critical infrastructure, and digital economy.
It is the policy of the United States to safeguard national security and maintain technological leadership by responsibly and effectively executing the transition of Federal information systems to National Institute of Standards and Technology (NIST)-approved Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography (PQC), and to assist critical infrastructure owners and operators with their transitions.
Sec. 2. Definitions. For purposes of this order:
(a) the term "agency" has the same meaning as it has in 44 U.S.C. 3502(1);
(b) the term "critical infrastructure" has the same meaning as it has in section 1016(e) of the USA Patriot Act of 2001 (42 U.S.C. 5195c(e));
(c) the term "high impact system" means an information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of "high";
(d) the term "high value asset" or "HVA" means Federal information or a Federal information system designated as a high value asset under Office of Management and Budget (OMB) Memorandum M-19-03, "Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program," or any successor document;
(e) the term "information systems" has the same meaning as it has in 6 U.S.C. 650(14);
(f) the term "National Security Systems" has the same meaning as it has in 44 U.S.C. 3552(b)(6);
(g) the term "post-quantum cryptography" or "PQC" means those cryptographic algorithms or methods that are designed to be resistant to attack by both a quantum computer and a classical computer;
(h) the term "PQC migration lead" means the agency employee or detailee who reports to the agency's chief information officer and is responsible for overseeing agency-wide cryptographic inventory management, developing a prioritized PQC migration plan, and coordinating cross-agency efforts in PQC;
(i) the term "Cryptographic Module Validation Program" has the same meaning as it has in FIPS 140-3, "Security Requirements for Cryptographic Modules," or any successor policy;
(j) the term "digital signature" has the same meaning as it has in FIPS 186-5, "Digital Signature Standard (DSS)," or any successor policy; and
(k) the term "key establishment" has the same meaning as it has in FIPS 203, "Module-Lattice-Based Key-Encapsulation Mechanism Standard," or any successor policy.
Sec. 3. Coordinating the PQC Transition. (a) The Director of OMB and the National Cyber Director, in consultation with the Assistant to the President for National Security Affairs and the Administrator of the Office of Electronic Government, OMB, shall lead the strategic coordination and oversight of the national PQC migration policy and strategy set forth in this order, ensuring its alignment with broader cybersecurity goals.
(b) The Secretary of Commerce, through the Director of NIST, and in consultation with the Director of the National Security Agency (NSA) and the Secretary of Homeland Security, through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), shall provide agencies on an ongoing basis with comprehensive technical guidance on PQC implementation, including best practices in implementation and risk management strategies.
