
US orders quantum-safe encryption by 2030, lining up with the ASD's deadline for Australia

A new US executive order pushes federal agencies onto post-quantum cryptography by 2030–2031. For Australian organisations, it lands on top of an ASD deadline that already targets the end of 2030.

Homer

Managing Partner

US President Donald Trump signed an executive order on 22 June 2026 setting firm deadlines for federal agencies to move their most sensitive systems to post-quantum cryptography (PQC), encryption designed to withstand a future quantum computer. Key establishment must shift by 31 December 2030, and digital signatures by 31 December 2031. National security systems stay on a separate track.

The order pulls the US government's timeline forward by four to five years. The previous government-wide target, set by a 2022 national security memorandum, ran to 2035.

For Australian readers, the date is the part worth noting: it converges on a deadline the ASD has already set for organisations here.

A threat that does not need a quantum computer yet

The deadlines respond to a risk that exists today. An adversary can copy encrypted data now and store it until a large-scale quantum machine, known as a cryptographically relevant quantum computer (CRQC), can break it. Security agencies call this "harvest now, decrypt later".

Data with a long confidentiality shelf life, such as health records, financial data, intellectual property and government holdings, is exposed the moment it crosses the wire, regardless of where the eventual quantum machine is built.

What the US order requires

The near-term clock is short. Within 30 days, each agency must name a PQC migration lead who owns its cryptographic inventory and plan. Within 90 days, the Office of Management and Budget issues guidance requiring agencies to review their high-value assets and high-impact systems and submit a migration plan. NIST will run a pilot migration across some of its own systems by the end of 2027.

The order also reaches contractors. The Federal Acquisition Regulatory Council has 180 days to propose a rule giving "covered contractors" until 31 December 2030 to meet NIST's standards, including the PQC algorithms. A second proposed rule would fold cryptographic weaknesses, such as missing encryption or non-approved algorithms, into contractor vulnerability disclosure. Within 270 days, CISA and NIST are to publish the minimum elements of a cryptographic bill of materials (CBOM): a machine-readable inventory of the cryptography inside a piece of hardware or software.

The standards themselves are not new. NIST finalised its first PQC standards in August 2024: FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber) for key establishment, and FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for digital signatures. The order turns ready standards into a schedule with consequences.

The Australian angle

Australia is not waiting on Washington. The ASD, through the Australian Cyber Security Centre (ACSC), updated its Planning for Post-Quantum Cryptography guidance in 2025 and recommends organisations stop using traditional asymmetric cryptography (RSA, Diffie-Hellman, ECDH and ECDSA) by the end of 2030. Its high-level milestones are a refined transition plan by the end of 2026, transition under way on critical systems by the end of 2028, and a completed migration by the end of 2030.

For Commonwealth entities, this is more than advice. The Information Security Manual (ISM) already requires new cryptographic equipment and software to support ASD-approved post-quantum algorithms, including ML-KEM-1024 and ML-DSA-87, by 2030, and flags the traditional algorithms that will not be approved beyond that date.

Two groups should pay particular attention. Australian vendors that sell to US federal agencies will inherit the new acquisition clause and its 2030 compliance line once the rule lands. And any organisation holding personal information has a separate reason to act: strong encryption forms part of the "reasonable steps" expected under the Privacy Act and feeds directly into how a breach is assessed under the OAIC's Notifiable Data Breaches scheme. APRA-regulated entities carry operational-risk obligations under CPS 230 that point the same way.

What to do now

The gating task is the same on both sides of the Pacific: know what cryptography you run, and where. You cannot replace weak algorithms against a deadline if you cannot find them.

Practical steps, drawing on the ASD's guidance:

  • Inventory first. Build a cryptographic bill of materials covering every place key exchange and digital signatures happen, including TLS, VPNs, PKI, code signing, and long-lived backups and archives.
  • Sequence by risk. The ASD's LATICE approach (locate, assess, triage, implement, communicate) puts critical systems and long-lived sensitive data at the front of the queue.
  • Design for crypto-agility so algorithms can be swapped again as standards evolve.
  • Use verified implementations. Adopt standardised, reputable libraries and follow vendor guidance rather than rushing ahead of tested code. The ASD does not recommend post-quantum/traditional hybrid schemes or quantum key distribution.
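
The inventory and triage steps above, sketched as an added example that is not from the ASD guidance or the original article: it classifies each inventory record against the algorithm families the article names, then orders the migration queue with critical systems and long-lived data first. The record fields, system names and name-matching patterns are assumptions, and the inventory is constructed sample data.

```python
import re

# Families the article names; the name patterns are assumptions for this example.
TRADITIONAL = {  # ASD: stop using by the end of 2030
    "RSA": r"rsa", "ECDSA": r"ecdsa",
    "ECDH": r"ecdh",  # also covers ECDHE
    "DH": r"(?<![a-z])(dhe?|diffie[-_ ]?hellman)(?![a-z])",
}
POST_QUANTUM = {"ML-KEM": r"ml[-_]?kem", "ML-DSA": r"ml[-_]?dsa", "SLH-DSA": r"slh[-_]?dsa"}
US_DEADLINE = {"key-establishment": 2030, "signature": 2031}  # US order, by use

def classify(algorithm):
    """Return (status, families) for one algorithm or cipher-suite string."""
    s = algorithm.lower()
    trad = sorted(f for f, p in TRADITIONAL.items() if re.search(p, s))
    pq = sorted(f for f, p in POST_QUANTUM.items() if re.search(p, s))
    if trad and pq:
        return "hybrid", trad + pq  # stays in the queue: ASD does not recommend hybrids
    if trad:
        return "traditional", trad
    if pq:
        return "post-quantum", pq
    return "unrecognised", []  # needs manual review, never assumed safe

def triage(inventory):
    """Migration queue: critical systems first, then longest-lived data."""
    queue = []
    for e in inventory:
        status, fams = classify(e["algorithm"])
        if status != "post-quantum":
            queue.append({**e, "status": status, "families": fams,
                          "us_deadline": US_DEADLINE[e["use"]]})
    queue.sort(key=lambda e: (not e["critical"], -e["retention_years"], e["us_deadline"]))
    return queue

# Constructed sample inventory; systems and field names are hypothetical.
FIELDS = ("system", "use", "critical", "retention_years", "algorithm")
INVENTORY = [dict(zip(FIELDS, row)) for row in [
    ("public-web-tls", "key-establishment", False, 1, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("patient-records-vpn", "key-establishment", True, 25, "DH group 14"),
    ("code-signing", "signature", True, 5, "sha256WithRSAEncryption"),
    ("archive-backup", "key-establishment", True, 30, "ML-KEM-1024"),
    ("partner-gateway", "key-establishment", False, 10, "ECDH-P256 + ML-KEM-768"),
    ("legacy-hsm", "signature", False, 3, "vendor-proprietary"),
]]

if __name__ == "__main__":
    for e in triage(INVENTORY):
        print(e["system"], e["status"], e["families"], e["us_deadline"])
```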

A companion order signed the same day, "Ushering in the Next Frontier of Quantum Innovation", backs the machines that make the migration urgent in the first place. The standards exist. The deadlines now exist in Washington and Canberra alike. What is left is the slow work of finding the cryptography already running in your environment, and that part starts now.
