What Does the Trump Revision to Biden’s Cybersecurity Executive Order Mean for PQC?

June 20, 2025 Evgeny Gervis

EO 14144 Revision and PQC

Earlier this month, the Trump administration issued an eagerly awaited update to Executive Order 14144, "Strengthening and Protecting Innovation in the Nation’s Cybersecurity." Given that the order was published four days before the end of Biden’s term, everyone was expecting either revisions or a cancellation. With the Trump administration’s focus on increased security, revision was probably the smart bet. That is what has now happened. 

One of the most comprehensive pieces I have found on this revision is Emil Sayegh's Forbes article “Trump Drops A Cybersecurity Bombshell With Biden-Era Policy Reversal.” Sayegh writes:

President Trump issued a new cybersecurity executive order on June 6, introducing major revisions to the Biden administration’s final cybersecurity directives. The order not only modifies key elements of Biden’s January 2025 framework but also signals a broader realignment of federal cybersecurity priorities. It shifts focus away from federal digital identity initiatives and revises compliance-heavy software security mandates. Officially titled “Sustaining Select Efforts To Strengthen The Nation’s Cybersecurity And Amending Executive Order 13694 And Executive Order 14144,” the order represents a strategic departure from prior approaches, emphasizing operational pragmatism over regulatory expansion.

Among other cyber threats, the original EO covered the risks posed by cryptanalytically relevant quantum computers (CRQCs) and the need for post-quantum cryptography (PQC) migration in civilian agencies and national security systems. What does this revision mean for PQC?

Specifically regarding post-quantum cryptography, Sayegh writes:

5. Post-Quantum Cryptography: A Deadline Remains But The Path Is Streamlined

While both administrations agree on the risk posed by quantum computing, Trump’s order simplifies the roadmap. By December 2025, CISA and NSA must publish a list of product categories ready for quantum-safe encryption. TLS 1.3 or its successor must be adopted by 2030. Oversight is split between NSA for national security systems and OMB for civilian agencies.

While it removed a reference to the previous administration, the Trump revision describes the extent and urgency of the CRQC threat in Section 4(f) in the same words as the Biden original. Earlier, in Section 1, the revision explicitly names China as the most active and persistent foreign nation-state cyber threat to the United States Government, the private sector, and critical infrastructure networks, alongside Russia, Iran, and North Korea. Some analysts have pointed out that it is highly unusual for a government document to name countries this explicitly. Since no one expects a hostile state actor to publicly announce that it has achieved Q-Day, calling these countries out by name can be read as significant for PQC as well.

Section 4(f)(i) originally required CISA to publish, within 180 days of the Executive Order, a list of product categories in which products supporting PQC are widely available. The revision requires the same list by December 1, 2025. Since most expected this revision, there is no practical difference between 180 days from June 6, 2025, and December 1, 2025. The revision also adds a requirement that CISA produce the list together with the NSA.

Section 4(f)(ii) is probably the most significant PQC change. As originally worded, “Within 90 days of a product category being placed on the list described in subsection (f)(i) of this section, agencies shall take steps to include in any solicitations for products in that category a requirement that products support PQC”. The revision completely removed this section. I do not believe that this change reflects the Trump administration’s lack of focus on PQC migration, but rather the desire to provide agencies with more autonomy to make decisions at a local level in alignment with the high-level objectives laid out by the administration.

Agencies are required to acquire only products that use FIPS 140-validated cryptographic modules to protect government data in transit and at rest. NIST published the first three PQC standards (FIPS 203, 204, and 205) in August 2024, and FIPS 140-3 validation currently takes two to three years, so FIPS 140-3 validated modules that include PQC algorithms may not be available until 2027 at the earliest. Even with this change to the EO, other PQC mandates, including NSM-10 and the Quantum Computing Cybersecurity Preparedness Act, remain in effect. When FIPS 140-validated modules with PQC algorithms become available in the products agencies need, agencies will buy them.

Section 4(f)(iii) is also worth noting. It originally said, “Agencies shall implement PQC key establishment or hybrid key establishment including a PQC algorithm as soon as practicable upon support being provided by network security products and services already deployed in their network architectures.” It too was removed and not replaced. Here too, I feel the goal was to allow agencies to make lower-level implementation decisions on their own, rather than micromanaging.

There are pros and cons to hybrid mode, which combines classical and quantum-resistant cryptography in a single key establishment. It provides defense in depth, since an attacker must break both algorithms to recover the session key, but it also adds complexity. As things stand today, hybrid mode is also the only way to deploy PQC key establishment (for example, to blunt harvest-now-decrypt-later attacks) while remaining FIPS 140 compliant, because the FIPS 140-validated portion of the exchange is still the classical algorithm.

At SafeLogic, we enable the optional use of hybrid PQC mode in both CryptoComply PQ TLS and CryptoComply v3.5.  We believe that hybrid mode use can play a role in the transition to PQC by enabling both defense-in-depth and FIPS 140-3 compliance through the combined use of PQC with FIPS 140-3 validated classical cryptography. We leave the decision of whether to use hybrid mode to our customers.
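To make the hybrid key establishment discussed above concrete, here is an added example in Go (not SafeLogic's CryptoComply code, and not from the original post). It uses Go 1.24's standard-library crypto/ecdh and crypto/mlkem for X25519 and ML-KEM-768, and combines the two shared secrets the way NIST SP 800-56C Rev. 2 allows for hybrid schemes: concatenate Z' = Z_ecdh || T_kem and run the result through one KDF (HKDF-SHA256 here), the same idea behind the hybrid groups in TLS 1.3. The ClientHello/ServerHello structs, the function names and the transcript string are assumptions for illustration; in a FIPS 140 deployment the X25519 half would come from the validated module.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// ClientHello carries the initiator's ephemeral X25519 public key and ML-KEM-768
// encapsulation key; ServerHello carries the responder's X25519 public key and the
// ML-KEM-768 ciphertext. HybridClient holds the initiator's private material meanwhile.
type ClientHello struct{ X25519Pub, MLKEMPub []byte }
type ServerHello struct{ X25519Pub, MLKEMCiphertext []byte }
type HybridClient struct {
	x25519Priv *ecdh.PrivateKey
	mlkemPriv  *mlkem.DecapsulationKey768
}

// NewHybridClient generates both ephemeral key pairs and builds the ClientHello.
func NewHybridClient() (*HybridClient, ClientHello, error) {
	xPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, ClientHello{}, err
	}
	kPriv, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, ClientHello{}, err
	}
	hello := ClientHello{X25519Pub: xPriv.PublicKey().Bytes(), MLKEMPub: kPriv.EncapsulationKey().Bytes()}
	return &HybridClient{x25519Priv: xPriv, mlkemPriv: kPriv}, hello, nil
}

// Respond is the responder: X25519 against the client's point, a fresh ML-KEM
// encapsulation to the client's key, and one session key derived from both secrets.
func Respond(hello ClientHello, transcript []byte) (ServerHello, []byte, error) {
	xPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return ServerHello{}, nil, err
	}
	clientPub, err := ecdh.X25519().NewPublicKey(hello.X25519Pub)
	if err != nil {
		return ServerHello{}, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(hello.MLKEMPub)
	if err != nil {
		return ServerHello{}, nil, err
	}
	zECDH, err := xPriv.ECDH(clientPub)
	if err != nil {
		return ServerHello{}, nil, err
	}
	tKEM, ct := ek.Encapsulate()
	reply := ServerHello{X25519Pub: xPriv.PublicKey().Bytes(), MLKEMCiphertext: ct}
	return reply, CombineSecrets(zECDH, tKEM, transcript), nil
}

// Finish is the initiator: X25519 with the server's point, ML-KEM decapsulation
// of the ciphertext, then the same combiner the server used.
func (c *HybridClient) Finish(reply ServerHello, transcript []byte) ([]byte, error) {
	serverPub, err := ecdh.X25519().NewPublicKey(reply.X25519Pub)
	if err != nil {
		return nil, err
	}
	zECDH, err := c.x25519Priv.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	tKEM, err := c.mlkemPriv.Decapsulate(reply.MLKEMCiphertext)
	if err != nil {
		return nil, err
	}
	return CombineSecrets(zECDH, tKEM, transcript), nil
}

// CombineSecrets follows the SP 800-56C Rev. 2 hybrid pattern: the concatenated
// secret Z' = Z_ecdh || T_kem goes through a single KDF with the handshake
// transcript bound in as context. Neither component alone determines the key.
func CombineSecrets(zECDH, tKEM, transcript []byte) []byte {
	ikm := append(append([]byte{}, zECDH...), tKEM...)
	return hkdfSHA256(ikm, transcript, 32)
}

// hkdfSHA256 is RFC 5869 HKDF-Extract (zero salt) followed by HKDF-Expand.
func hkdfSHA256(ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}
```

Wire it as NewHybridClient, then Respond on the server with the ClientHello, then Finish on the client with the ServerHello; both sides end with the same 32-byte key. Two properties are worth checking in practice: the transcript is bound into the derivation, so a different transcript yields a different key, and a tampered ML-KEM ciphertext never yields the server's key (ML-KEM's implicit rejection returns a pseudorandom shared key rather than failing loudly, so the mismatch surfaces only when the key is used).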

The last significant deletion is Section 4(f)(iv), which required the promotion of NIST PQC standards to foreign governments and industry groups in key countries. NIST has already been working with these organizations. For example, a major change in FIPS 140-3 was alignment with the ISO/IEC 19790:2012 and ISO/IEC 24759:2017 international standards. These international standards were originally based on NIST’s FIPS 140-2.

Other sections of the EO related to PQC remain unchanged. The revision still calls for:

  • Adoption of TLS 1.3 or a successor version by January 2, 2030 (now numbered Section 4(f)(ii) in the revised order)
  • The Federal Government taking advantage of commercial security technologies (Section 4(g))
  • The development of guidelines for secure management of cryptographic keys used by cloud service providers (Section 4(g)(i))
  • Incorporation of those guidelines into FedRAMP (Section 4(g)(ii))
  • Requiring agencies to follow cryptography best practices when using cloud services (Section 4(g)(iii))

In his conclusion, Sayegh says:

Trump’s June 2025 cybersecurity order is more than a policy shift; it is a recalibration of federal cyber strategy that prioritizes execution over oversight, industry collaboration over mandates and sovereignty over standardization. For industry leaders, innovators and government stakeholders alike, the takeaway is clear: cybersecurity is no longer just about compliance. It is about preparedness, adaptability and national competitiveness in an AI-driven world.

That’s a good way to think about PQC and cryptography in general, as well. As a key security control that is foundational to enabling privacy and trust in the digital world, cryptography has never been just about compliance.

Evgeny Gervis

Evgeny is the CEO of SafeLogic.
