Two-thirds of browser traffic to Cloudflare's network already uses post-quantum encryption, yet the US government is only now setting a 2030 deadline for federal agencies to catch up. President Trump signed Executive Order 14409 on June 22, 2026, requiring all High Value Assets and high impact federal systems to transition to post-quantum key establishment by December 31, 2030, and post-quantum digital signatures by December 31, 2031. The order also directs federal contractors to comply with post-quantum FIPS by the end of 2030.
The Real Gap: Encryption vs. Authentication, and What "Transition" Means
The EO splits the migration into two phases, which accurately reflects the state of deployment today. Post-quantum encryption is widely available - Cloudflare ships it by default on most products. Authentication is the harder problem. Post-quantum ML-DSA signatures are larger than classical ones, and the ecosystem dependency chain is longer: clients, servers, certificate authorities, CT logs, root stores, and browsers all need coordinated upgrades. The one-year gap between the 2030 and 2031 deadlines is tight. Both migrations must run concurrently, not sequentially.
But the EO never defines what "transition" means. Does a system that supports ML-KEM but still allows a classical-only TLS handshake count as transitioned? That's a downgrade attack waiting to happen. Cloudflare points to the SSLv3 POODLE debacle: servers kept SSLv3 enabled for years after deprecation, allowing forced downgrades. Without a clear definition that includes disabling quantum-vulnerable cryptography, the order risks creating a paper-trail compliance exercise instead of actual security.
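The difference between supporting ML-KEM and requiring it can be checked per endpoint. The following is an added example, not code from Cloudflare's post or the EO: a simplified model of server-preference key-exchange group selection that labels each host by what a classical-only client would negotiate. The host names, the inventory and the function names are constructed for illustration.

```python
# Added example: audit TLS key-exchange group policy for classical fallback.
# Host names and group lists below are constructed sample data.

PQ_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}


def negotiate(server_groups, client_groups):
    """Pick the first server-preferred group the client also offers.

    Simplified model of TLS 1.3 group selection with server preference;
    returns None when there is no overlap (the handshake is refused).
    """
    offered = set(client_groups)
    for group in server_groups:
        if group in offered:
            return group
    return None


def classify(server_groups):
    """Label a server policy by whether classical-only key exchange is allowed."""
    has_pq = any(g in PQ_GROUPS for g in server_groups)
    has_classical = any(g not in PQ_GROUPS for g in server_groups)
    if has_pq and not has_classical:
        return "pq-required"
    if has_pq:
        return "pq-supported-fallback-allowed"
    return "classical-only"


def audit(inventory, legacy_client=("X25519", "secp256r1")):
    """Return {host: (label, group negotiated with a classical-only client)}."""
    return {
        host: (classify(groups), negotiate(groups, legacy_client))
        for host, groups in inventory.items()
    }


# Constructed inventory: host -> configured groups, in preference order.
SAMPLE_INVENTORY = {
    "portal.example": ["X25519MLKEM768", "X25519", "secp256r1"],
    "hva.example": ["X25519MLKEM768"],
    "legacy.example": ["X25519", "secp256r1"],
}

if __name__ == "__main__":
    for host, (label, group) in audit(SAMPLE_INVENTORY).items():
        outcome = group or "handshake refused"
        print(f"{host:16} {label:32} classical-only client -> {outcome}")
```

Only the `pq-required` host refuses the classical-only client; the host that merely lists ML-KEM first still completes a quantum-vulnerable key exchange when the client offers nothing else.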
Supply Chain Pressure Will Drive PQC to Everyone
The most impactful part of the EO may be its contractor requirements. The FAR Council must publish rules requiring covered contractors to comply with NIST PQC FIPS by December 31, 2030 - one year before agencies' own authentication deadline. CISA's product categorization already labels cloud platforms, web browsers, and endpoint security as "widely available" PQC categories; agencies should procure only PQC-capable products in those areas. Products built for federal requirements will trickle down to hospitals, banks, and small businesses.
Cloudflare also flags a critical omission: crypto agility. The EO mandates specific NIST algorithms but says nothing about building systems capable of swapping algorithms later. Locking into fixed standards without upgrade paths repeats the mistakes of the past. OMB's 90-day implementation guidance should mandate crypto agility, not just algorithm compliance.
Don't Wait for an Exhaustive Cryptographic Inventory
Cloudflare cautions against treating a Cryptographic Bill of Materials (CBOM) as a prerequisite for action. A detailed CBOM of every library in every product takes too long and goes stale. Instead, they recommend a quantum impact inventory: identify the systems where compromise would cause the most harm, then prioritize mitigations - whether drop-in replacements, software updates, or tunneling traffic through bulk post-quantum infrastructure.
For organizations starting now: protect public Internet traffic first. If you're on Cloudflare, most of that is already post-quantum encrypted. Update procurement to require post-quantum encryption by default at no extra cost. Plan for authentication now - identify long-lived keys, root certificates, and code-signing infrastructure. The 2031 deadline will come faster than anyone expects.
International Alignment Matters More Than Ever
The State Department is directed to engage foreign governments to encourage adoption of NIST-standardized PQC algorithms. Cloudflare warns against fragmentation: if different jurisdictions mandate different algorithms, the result is cipher bloat, increased attack surface, and slower deployment. The TLS community converged on a single hybrid key agreement (X25519MLKEM768), and deployment followed quickly. The Internet is one network; its cryptography should be one standard.
Free TLS helped encrypt the web. Free post-quantum cryptography, delivered by vendors like Cloudflare who treat it as a universal baseline rather than a paid upgrade, will secure it for what comes next.
Source: The post-quantum EO is an important milestone. Now it's time to get to work
Domain: blog.cloudflare.com