Engineering · Post 3 · Regulatory

What EO 14412 Actually Requires of Your Crypto Stack

The June 22 executive order starts four clocks and points a proposed FAR rule at every covered federal contractor. Here is what it requires, who it touches, and what to do in the next 90 days. A practitioner’s read, not a law firm’s.

~7 minute readBoubacar Barry, Founder

On June 22, 2026, the White House signed Executive Order 14412, “Securing the Nation Against Advanced Cryptographic Attacks” (Federal Register, June 25, 2026). You may have seen it cited as “EO 14409” in vendor blogs. The official number in the Federal Register is 14412. If a vendor cannot get the number right, be careful with their reading of the deadlines.

We terminate hybrid X25519 + ML-KEM-768 TLS in production and export CycloneDX CBOMs as a product feature, so this post is the operational read: the clocks the order starts, the context most coverage misses, and the artifact every obligation starts from.

The clocks EO 14412 starts

Source: Federal Register doc 2026-12909, June 25, 2026

Read the order →
DeadlineRequirement
~Jul 22, 2026Every federal agency names a PQC migration lead. From now on there is a person in every agency whose job includes asking vendors about post-quantum readiness.
~Sep 20, 2026OMB issues government-wide migration guidance. The document that translates the order into procurement language. When it lands, expect questionnaires.
~Mar 2027CISA and NIST publish minimum elements for a cryptographic bill of materials (CBOM). The industry gets a standard answer to “prove what cryptography you use.”
Dec 31, 2030PQC key establishment required on high-value and high-impact federal systems. Digital signatures follow by December 31, 2031.

1. If you sell to the government, 2030 is your deadline too

The order directs a proposed FAR rule, expected around December 2026, that would require covered federal contractors to comply with NIST FIPS, including the post-quantum standards, by December 31, 2030.

If you sell to the government, the 2030 deadline is not the agency’s problem. It is yours. And the practical enforcement arrives earlier than 2030: agency PQC leads exist within 30 days, OMB guidance within 90, and both flow into the security questionnaires you answer to keep your contracts.

2. The context most coverage misses

The order did not appear in a vacuum. Three other clocks were already running.

First, PCI DSS 4.0 requirement 12.3.3 has required a documented, annually reviewed inventory of all cryptographic cipher suites and protocols since March 31, 2025. If you touch cardholder data, you already owe your assessor a crypto inventory every year.

Second, FIPS 140-2 certificates move to NIST’s Historical List on September 21, 2026. Agencies should not include them in new procurements after that date. If your product’s crypto module validation is 140-2, your federal buyers are already asking questions.

Third, NIST’s draft transition guidance (IR 8547, still a draft as of this writing) sets the direction everyone is planning against: quantum-vulnerable algorithms like RSA and ECDSA deprecated after 2030 and disallowed after 2035. The EU’s coordinated roadmap points the same way, with member states expected to have national transition plans by the end of 2026. One order, three reinforcing clocks. The common denominator is that all of them begin with the same artifact.

You cannot migrate cryptography you have not found.

3. Everything starts with the inventory

A real inventory covers every TLS endpoint you expose, every cipher suite and protocol version you accept, every certificate and its key type, every place a vendor terminates crypto on your behalf, and every embedded library doing signing or key exchange in your own code.

Most organizations that attempt this by hand produce a spreadsheet that is stale before it is reviewed. The format that survives contact with auditors, and with the coming CISA/NIST minimum elements, is a machine-readable CBOM. CycloneDX 1.6 already supports this today; we know because we export it from our own gateway as a product feature.

A word of honesty about what an inventory will show you: most estates are further behind than they think, and some of the remediation is not in your hands. Hybrid post-quantum key exchange is deployable at your network perimeter today (browsers have negotiated X25519MLKEM768 by default since Chrome 131). But the hop from your edge to an upstream SaaS or model provider is only as modern as that provider’s stack. Anyone who tells you they can make your estate “quantum-proof” end to end this year is selling something that does not exist. What you can do this year is measure precisely, fix the perimeter, and put dated commitments against every dependency you cannot fix yourself.

4. Why this matters even though Q-day is not tomorrow

Nobody credible claims a cryptanalytically relevant quantum computer exists today. The order is built on two quieter arguments.

Harvest now, decrypt later: traffic recorded today can be decrypted whenever the capability arrives. If you hold data whose confidentiality must survive 10 to 20 years (health records, financial identity, defense engineering data), the exposure window already includes you.

Migration takes longer than certainty: the last broad crypto migrations (SHA-1, TLS 1.0/1.1) took large organizations five to ten years. Starting when the threat is proven means finishing late by definition. That is the entire logic of the 2030 and 2031 dates.

5. What to do in the next 90 days

If you are a federal contractor or you sell into regulated industries, the practical sequence is short.

01

Name an owner

Even if it is a fraction of one engineer. The agencies were given 30 days to do this; give yourself the same.

02

Build the inventory

Automated discovery across your external estate first, because that is what buyers and attackers see, then internal. Export it as a CBOM so you never have to build it twice.

03

Map it against your clocks

The FAR rule if you sell federal, PCI 12.3.3 if you touch cards, IR 8547 and the EU roadmap for everything else.

04

Put dated asks to your vendors

Your migration ends where their roadmaps end, so get those roadmaps in writing.

05

Fix the perimeter now

Hybrid key exchange at the edge is a solved problem in 2026, and it takes the most exposed hop off the table while the rest of the plan runs.

Where we fit, stated plainly

Scrutari builds a Rust gateway that terminates hybrid X25519 + ML-KEM-768 TLS at the edge today and exports a CycloneDX CBOM of the crypto in its data path. We also run a fixed-fee, two-week Quantum-Readiness Assessment: full cryptographic inventory, EO 14412 and PCI 12.3.3 gap analysis, and a prioritized migration roadmap, delivered by the people who ship these primitives in production.

Want to see where you stand?

Our automated CBOM scan of your external estate is free, and the summary lands in your planning deck, not ours.