President Trump’s Cybersecurity Executive Order Brings Quantum Change

Well, it certainly isn’t an entertaining read. President Trump’s latest cybersecurity executive order amends President Biden’s Executive Order 14144 rather than repealing it with a series of line-by-line amendments making for a bit of a scavenger hunt when reading it. The best approach is to open both executive orders side by side (hopefully you have a dual monitor set up) and go through them one step at a time. Even doing so, the order is difficult to follow as the reader works through what has been stricken, amended, replaced, and kept intact. For those in the quantum community, attention should be paid to the amendments in Section 4(f), fully replaced by the new Trump Administration Order. The new language introduces a requirement for federal agencies to transition to Transport Layer Security (TLS) 1.3 “to prepare for transition to PQC.” This development is significant for the cybersecurity community concerned with quantum cryptography (which should be the WHOLE community), but it also introduces the potential for misunderstanding and distraction. So, whether you have a dual screen or not, let’s walk through the order and talk about what this update to the federal government’s preparations for post-quantum cryptography mean for our security. Frontier Foundry has covered the quantum cryptography topic extensively. If you need a refresher, check out our pieces below: The Next Q Clearance Quantum Encryption in the Grocery Store Day Zero Quantum Computing Dilemma Changes The first major change signals the Trump Administration’s view of quantum computing as risk-first and risk-centric. The new EO removes the following sentence from the original: “Alongside their benefits, quantum computers pose significant risk to the national security, including the economic security, of the United States.” Phrases like this are intentionally added to federal government policies to signal both the opportunities and risks of technologies. Mature quantum computing does in fact offer benefits to industry that should not be ignored. The markets do not view quantum computing as risk-first as demonstrated by market movements after a select quantum companies announced advancements against the error correction problem in late 2024 and early 2025. The federal government took care to ensure the benefits of quantum computing were stated clearly when it released National Security Memorandum-10 , a document cited in the very paragraph in question in the new EO. This might seem like a small change, but there is a risk here. If industry and the cybersecurity community are getting mixed messaging about the opportunities versus risks of quantum computing, preparation and innovation may suffer. Consistency in technology policy matters. Prior to this change, the federal government acknowledged the opportunities and promoted US leadership in quantum computing research. The new executive order reads like quantum computing is all risk, which requires different approaches from industry, policy makers, and cybersecurity officials. It also begs the question of whether this is opening the door to further policy action that is risk-based. The order goes on to strike 5 sub-paragraphs under Section 4(f) and replace them with two. First, what was removed: (ii) Within 90 days of a product category being placed on the list described in subsection (f)(i) of this section, agencies shall take steps to include in any solicitations for products in that category a requirement that products support PQC. (iii) Agencies shall implement PQC key establishment or hybrid key establishment including a PQC algorithm as soon as practicable upon support being provided by network security products and services already deployed in their network architectures. (iv) Within 90 days of the date of this order, the Secretary of State and the Secretary of Commerce, acting through the Director of NIST and the Under Secretary for International Trade, shall identify and engage foreign governments and industry groups in key countries to encourage their transition to PQC algorithms standardized by NIST. (v) Within 180 days of the date of this order, to prepare for transition to PQC, the Secretary of Defense with respect to National Security Systems (NSS), and the Director of OMB with respect to non-NSS, shall each issue requirements for agencies to support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version. Paragraph (ii) was replaced by paragraph (v), but paragraphs (iii) – (iv) were completely stripped out. Reading the above, it is clear that the Trump EO removes the directives for agencies to take specific actions within a specific timeline. Paragraph (iv) was intended to have the National Institute for Standards and Technology (NIST) drive an effort to engage foreign governments and industry groups to encourage the transition to NIST’s newly standardized PQC algorithms. The removal of this paragraph is significant. As reported in May 2025, NIST has lost several key personnel in its Computer Security Division (CSD) due to broad federal government layoffs. These are the very people that ran the process to standardize the PQC algorithms. They are also the people that would have run the process called for in paragraph (iv). Leaving staffing aside for a moment, an internet-wide encryption transition is a team sport. Creating a quantum resistant internet that we can trust with our data cannot be achieved by a US effort alone. International partnerships are essential to the process and to our security. It is the WORLD WIDE web, after all. The second significant removal is the requirement for agencies to produce procurement requirements for products that support PQC. This was an important addition because the federal government’s purchasing power is large and far reaching enough to create a market demand on its own. If companies are not able to sell to the federal government unless they support PQC, a lot of products will suddenly support PQC. That action will ripple out into the rest of the market and help spur change without heavy handed regulation. Stripping the requirement for agencies to purchase products that support PQC removes another action that the US had at its disposal to move the needle on PQC transition. Without international partnerships and without the ability to use federal purchasing power, PQC transition will almost certainly slow. Finally, what stayed the same. Paragraph (i) was changed only to add the Director of the National Security Agency as a required consultation for DHS and CISA to produce a list of products that support PQC. In the previous order, that list was what was to be used to create procurement requirements, but that piece is removed so what happens to this list now is unclear. The former paragraph (v) becomes paragraph (ii) and the section on quantum ends. Before closing the door here, let’s talk about the new paragraph (ii). It directs agencies to transition to TLS 1.3 before January 2030 to prepare for the PQC transition. While this requirement was in the Biden version, this is significant and warrants a closer look. Share TLS 1.3 According to Cloudflare , TLS is “a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet.” We use TLS now, but it is TLS 1.2. TLS 1.3 is a 2018 upgrade to the security protocol that removes many outdated and insecure features of TLS 1.2. To be clear, TLS 1.3 is a very good security upgrade because it eliminates entire classes of attack by removing weak cryptographic algorithms like RC4, SHA-1, DSS, and AES-CBC with MAC-then-Encrypt. TLS 1.3 only allows cipher suites that offer strong security and are based on Authenticated Encryption with Associated Data (AEAD) modes. TLS 1.3 offers a great upgrade to TLS 1.2…but it is not quantum resistant. TLS 1.3 requires Perfect Forward Secrecy (PFS) exclusively using ephemeral Diffie-Hellman or Elliptic Curve Diffie-Hellman Ephemeral for key exchange. Diffie-Hellman and Elliptic Curve are both vulnerable to quantum attacks using Shor’s Algorithm . No quantum computer is currently capable of this, but they will be. And the entire point of the PQC transition is to prevent these attacks before the hardware catches up. TLS 1.3 is a noble pursuit, but it risks some confusion over what is needed to transition to PQC. The EO promotes a “hybrid approach” to PQC transition, which is aimed at mitigating potential problems with performance given the longer key lengths of the NIST PQC algorithms. Research is ongoing on how to mitigate this problem, and the hybrid approach could be part of the answer. However, the bottom line is that TLS 1.3 still depends on vulnerable cryptography. The messaging around this requirement should be clear that the transition to TLS 1.3 by 2030 alone does not solve the PQC challenge. It is a part of a hybrid strategy that just got more difficult to fully understand with the removal of other sections of the cybersecurity EO. Leave a comment What it Means Looking at the new quantum language in the EO, a few points are clear: The federal government is looking at quantum computing through a risk-first lens. Procurement requirements for products that support PQC are not likely in this administration. International and industry partnerships around PQC are being deprioritized. The major actionable requirements have been reduced to TLS 1.3 transition in the next 5 years. Taken together, the combined additions and subtractions of this section of the cybersecurity EO alone create a potentially confusing and disabling effect on PQC transition efforts. The removal of specific tools like federal procurement requirements, industry partnerships, and international partnerships is severely limiting. And while the effort to move to TLS 1.3 is a net security benefit, it risks some important decision makers and cybersecurity professionals thinking incorrectly that the job is done once this implementation is complete. Here’s how we need to interpret what’s going on: First, we need to be clear that TLS 1.3 is not quantum resistant and that while it is more secure than TLS 1.2, it still relies on vulnerable algorithms. TLS 1.3 is a good platform on which to build the hybrid approach to PQC, but it must be paired with specific steps to integrate and implement the NIST PQC algorithms. While it is fair to note there may be some slowing of performance due to the increased key lengths, that research is ongoing and the story is not written. We should not jump to conclusions about the final outcome of this implementation before it is complete. More importantly, we should prioritize security because quantum computing is coming and 2030 may be too late. Second, the US cannot go it alone on PQC transition. Industry partnerships are always important to inform good policy, but the PQC transition requires a critical mass of partners to engage in quantum transition activities. NIST has been developing the PQC algorithms since 2015 and spent millions of dollars on the process. The prioritization of these algorithms should get AT LEAST equal billing with the TLS 1.3 transition for a true hybrid approach. As it stands now, DHS, CISA, and NSA are required to create a list of product categories that support PQC…and theeeeennnn…? Well, nothing. By the language of the order, that list won’t be used for anything. We will have it, but it won’t inform procurement, international engagements, nor industry partnerships. So, really, the only real action here is the TLS 1.3 transition by 2030. A large-scale transition to TLS 1.3 could reach anywhere from hundreds of thousands to tens of millions of dollars for large organizations with a global presence. That’s a big investment in a definitively not quantum safe technology and a lot of eggs in one basket that has holes in it we know about. Quantum computing is a difficult concept and there’s no definite timeline. This makes transition planning inherently difficult because it always feels like it can wait. Things like TLS 1.3 suddenly feel more urgent because they can be seen as part of a hybrid approach. No matter how long we kick the can, we cannot escape the requirement to do two difficult things: Transition to the NIST PQC algorithms Prioritize cryptographic agility Those two actions are harder to implement than they are to type, but they are important. The worst outcome from the EO is that these are seen as not necessary or not a “now problem.” They are now problems. The longer we wait, the more we will have to rush as the years tick by. Quantum computing is not ready to break encryption today, but it is coming, and the innovators are not taking a tactical pause. Some will read the EO and think that TLS 1.3 will save them. Some will read this post and think it is alarmist. Are you willing to bet your security and either of those assumptions? Connect with us: Substack , LinkedIn , Bluesky , X , Website To learn more about the AI products we offer, please visit our product page. Nick Reese is the cofounder and COO of Frontier Foundry and an adjunct professor of emerging technology at NYU. He is a veteran and a former US government policymaker on cyber and technology issues. Visit his LinkedIn here .