On June 22, 2026, the President signed Executive Order 14412, "Securing the Nation Against Advanced Cryptographic Attacks," which directs the FAR Council to publish a proposed rule requiring covered contractors to comply, by December 31, 2030, with NIST's Federal Information Processing Standards (FIPS) — including all applicable FIPS incorporating post-quantum cryptography (PQC) algorithms. The order's stated concern is straightforward: adversaries can collect encrypted U.S. data now and decrypt it later, once large-scale quantum computers exist. The government's answer is to move federal systems — and the contractors that support them — off today's public-key cryptography.
What the Order Actually Requires of Contractors
Read Section 6. Two procurement directives, both aimed at the FAR Council, are what will eventually appear in your contracts:
- A FIPS/PQC compliance rule (Sec. 6(c)). Within 180 days of the order — roughly December 19, 2026 — the FAR Council, consulting CISA and NIST, must publish a proposed rule amending the FAR to require covered contractors to comply by December 31, 2030 with NIST's FIPS, including all applicable FIPS incorporating PQC-compliant algorithms.
- A vulnerability-disclosure rule (Sec. 6(d)). Within 270 days — roughly March 19, 2027 — the FAR Council must publish a proposed rule amending FAR requirements and contract clauses for contractor vulnerability disclosure programs (VDPs), to ensure covered contractors maintain VDPs consistent with NIST guidelines and that those VDPs take in reports of cryptographic vulnerabilities — expressly including testing for the lack of encryption and the use of non-FIPS-approved algorithms.
Note the second one carefully. It is not only about quantum. A VDP that must accept reports about missing encryption and non-approved algorithms is a rule about your everyday cryptographic hygiene, and it creates a documented channel through which those weaknesses get reported to you — and, therefore, become things you knew about.
The Rest of the Order Is Your Early-Warning System
The agency-facing sections tell you what is coming and roughly when. Within 30 days, each agency had to name a PQC migration lead. Within 90 days, OMB must issue guidance directing agencies to inventory their high-value assets and high-impact systems and transition them to PQC for key establishment by December 31, 2030 and for digital signatures by December 31, 2031. Within 270 days, CISA and NIST must publish public guidance on the minimum elements of a cryptographic bill of materials (CBOM) — a machine-readable inventory of the cryptography inside a hardware or software component.
Agencies with a 2030 deadline for their own systems will not wait for a final FAR clause to start pushing the requirement into solicitations, statements of work, and SBOM/CBOM deliverables. And NIST has been directed (Sec. 6(b)) to accelerate validations under the Cryptographic Module Validation Program — an acknowledgment that the validation queue is a bottleneck for exactly the products you will need to buy.
What This Changes Today — and What It Doesn't
Nothing in EO 14412 is a contract requirement yet. An executive order directs the executive branch; it does not amend the FAR. There is no clause to comply with, no representation to make, and no basis for a false-certification theory. The proposed rules are not even published.
What has changed is the runway. Two proposed rules with a fixed 2030 end-state are now scheduled, and a four-year cryptographic migration is not something a contractor completes in the comment period. The contractors who struggle in 2030 will be the ones who, in 2030, still cannot answer a simple question: where is cryptography used in our environment, and what algorithms are we using?
Three Practical Steps
1. Start a cryptographic inventory. Where do you use TLS, VPNs, code signing, document signing, hardware security modules, and embedded certificates? Which products, which versions, which algorithms and key lengths? This is the CBOM in embryo, and it is the prerequisite for everything else. If you already maintain a system security plan for NIST SP 800-171, you have a starting asset list. 2. Ask your vendors the question now. For every product in the path of federal data, ask the vendor for its PQC roadmap and its FIPS 140-3 validation status. Their answer is your timeline. Put it in writing and keep it — under a flowdown regime, their delay becomes your delay. 3. Look at your VDP. If you do not have a vulnerability disclosure policy, the Section 6(d) rule is your notice that you will need one. If you have one, confirm it can actually receive and triage a report that says "this endpoint uses a non-approved algorithm."
Read the order for what it is: not a new obligation, but a published schedule. Contractors who treat 2030 as far away will meet a proposed rule in December with no inventory, no vendor answers, and no plan. Use the comment periods — the FIPS/PQC rule will be the moment to tell the FAR Council what "covered contractor" and "applicable FIPS" should mean in practice, before those terms are fixed.
Key Takeaways
- EO 14412 (June 22, 2026) sets a December 31, 2030 FIPS/PQC compliance date for covered contractors — to be implemented through a FAR proposed rule the FAR Council must publish within 180 days (about December 19, 2026).
- A second proposed rule, due within 270 days (about March 19, 2027), would require contractor vulnerability disclosure programs to accept cryptographic-vulnerability reports, including missing encryption and non-FIPS-approved algorithms.
- Nothing is a contract requirement yet — but the migration is longer than the rulemaking. Begin a cryptographic inventory and press vendors on FIPS 140-3 validation and PQC roadmaps now; use the compliance tools you already have rather than waiting for a clause.
This article is educational information about federal procurement and cybersecurity requirements. It is not legal advice, and it does not create an attorney-client relationship.
Primary source: Executive Order 14412, "Securing the Nation Against Advanced Cryptographic Attacks" (June 22, 2026), whitehouse.gov.