Breaking · Regulatory
Trump Just Signed a PQC Executive Order. Here's What Every Bank CISO Needs to Do This Week.
June 23, 2026 · PQCClear Editorial · 7 minute read
On June 22, 2026, President Trump signed an executive order titled Securing the Nation Against Advanced Cryptographic Attacks. It is the most consequential cybersecurity mandate for financial institutions since DORA — and most bank security teams haven't read it yet. This post breaks down exactly what the order says, what it means for mid-size banks and payment processors, and the three things every CISO should do before Friday.
What the Order Actually Says
The executive order does four things that matter to your institution.
01It sets hard federal deadlines for PQC migration
All federal high value assets must migrate to PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. These deadlines apply directly to federal agencies — but they cascade to every bank, payment processor, and fintech that touches federal systems or holds federal contracts.
02It mandates a Cryptographic Bill of Materials by name
Within 270 days, CISA must publish guidance on the minimum elements for a cryptographic bill of materials, specifically to “enable the automated assessment of cryptographic assets utilized by a hardware or software element.” The White House just told the entire industry: you need to know every cryptographic asset you own. Automated discovery is no longer optional.
03It extends compliance requirements to federal contractors via the FAR
Within 180 days, the Federal Acquisition Regulatory Council must publish a proposed rule requiring covered contractors to comply with NIST’s PQC FIPS standards by December 31, 2030. If your bank provides services to federal agencies, processes federal payments, or holds any federal contract — this rule applies to you. Your procurement and legal teams need to know this week.
04It names harvest-now-decrypt-later as an explicit national security threat
The order states directly that adversaries are “collecting United States information now, and decrypting it later once large-scale quantum computers are operational.” This is no longer theoretical language in an academic paper. It is the stated position of the United States government. If your board asks why PQC migration is urgent, hand them this document.
What This Means For Mid-Size Banks and Payment Processors
The order focuses on federal agencies — but its implications for financial services are immediate and significant.
If you are a federal contractor or process federal payments: The FAR rule coming within 180 days will create a direct contractual obligation to comply with NIST PQC standards by 2030. Your legal and procurement teams should flag this now and begin reviewing vendor contracts for cryptographic requirements.
If you are a regulated financial institution: The FFIEC, OCC, Fed, and FDIC watch White House cybersecurity orders closely. Examination guidance that references PQC migration planning is coming — likely within 12–18 months of this order. Examiners who ask about your PQC migration plan in 2027 will expect you to have one. The time to build it is now, not when the examination letter arrives.
If you store sensitive customer data long-term: Harvest-now-decrypt-later is not a future problem. Adversaries are recording your encrypted data today. Any customer record, transaction history, or financial data that needs to remain confidential for more than five years is already at risk.
The CBOM Mandate Changes Everything
The most overlooked provision in the order is Section 5(d): the requirement for CISA to define minimum elements for a Cryptographic Bill of Materials within 270 days.
This is significant for three reasons. First, it creates a federal standard for what a CBOM must contain. Once CISA publishes that guidance, it becomes the benchmark against which regulators, auditors, and examiners will measure your institution’s cryptographic inventory practices.
Second, it explicitly requires automated assessment capability. Manual spreadsheet-based cryptographic inventories will not meet the standard the White House is establishing.
Third, 270 days from June 22, 2026 is March 19, 2027. Less than nine months away. Financial institutions that want to align with federal guidance need to begin building their CBOM now.
Key Deadlines Every Bank Should Track
| Deadline | What happens | Your action |
|---|---|---|
| Jul 22, 2026 | Federal agencies name PQC migration lead | Designate your internal PQC lead now |
| Sep 20, 2026 | OMB issues agency migration guidance | Review for private sector implications |
| Dec 19, 2026 | FAR Council publishes contractor PQC rule | Legal review of all federal contracts |
| Mar 19, 2027 | CISA publishes CBOM minimum elements | Begin cryptographic inventory now |
| Dec 31, 2030 | PQC key establishment deadline | Full migration plan funded and running |
| Dec 31, 2031 | PQC digital signature deadline | All signing systems migrated |
Three Things Every Bank CISO Should Do This Week
- 01
Brief your board on Monday. Print the executive order. Add a one-page summary of what it means for your institution. Your board needs to know that PQC migration has moved from “emerging risk” to “presidential mandate.” This changes how you request budget.
- 02
Find out if you are a federal contractor. Many financial institutions don't have immediate visibility into every federal contract in their portfolio. Your legal and procurement teams need to audit this now.
- 03
Start your cryptographic inventory — even if imperfectly. The CBOM mandate is coming. The examination questions are coming. The institution that begins this week is nine months ahead of the institution that waits for CISA to publish guidance in March.
Get a CBOM and Quantum Readiness Score for every vendor
PQCClear helps mid-size banks assess the quantum readiness of every fintech vendor in their portfolio — generating a CBOM and Quantum Readiness Score for each one, mapped to DORA, FFIEC, and the new executive order requirements.
Request bank accessThe executive order referenced in this post is publicly available at whitehouse.gov. This analysis represents the editorial view of PQCClear and should not be construed as legal advice. Financial institutions should consult legal counsel regarding their specific compliance obligations.