All posts

Breaking · Regulatory

Trump Just Signed a PQC Executive Order. Here's What Every Bank CISO Needs to Do This Week.

June 23, 2026  ·  PQCClear Editorial  ·  7 minute read

On June 22, 2026, President Trump signed an executive order titled Securing the Nation Against Advanced Cryptographic Attacks. It is the most consequential cybersecurity mandate for financial institutions since DORA — and most bank security teams haven't read it yet. This post breaks down exactly what the order says, what it means for mid-size banks and payment processors, and the three things every CISO should do before Friday.

What the Order Actually Says

The executive order does four things that matter to your institution.

01It sets hard federal deadlines for PQC migration

All federal high value assets must migrate to PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. These deadlines apply directly to federal agencies — but they cascade to every bank, payment processor, and fintech that touches federal systems or holds federal contracts.

02It mandates a Cryptographic Bill of Materials by name

Within 270 days, CISA must publish guidance on the minimum elements for a cryptographic bill of materials, specifically to “enable the automated assessment of cryptographic assets utilized by a hardware or software element.” The White House just told the entire industry: you need to know every cryptographic asset you own. Automated discovery is no longer optional.

03It extends compliance requirements to federal contractors via the FAR

Within 180 days, the Federal Acquisition Regulatory Council must publish a proposed rule requiring covered contractors to comply with NIST’s PQC FIPS standards by December 31, 2030. If your bank provides services to federal agencies, processes federal payments, or holds any federal contract — this rule applies to you. Your procurement and legal teams need to know this week.

04It names harvest-now-decrypt-later as an explicit national security threat

The order states directly that adversaries are “collecting United States information now, and decrypting it later once large-scale quantum computers are operational.” This is no longer theoretical language in an academic paper. It is the stated position of the United States government. If your board asks why PQC migration is urgent, hand them this document.

What This Means For Mid-Size Banks and Payment Processors

The order focuses on federal agencies — but its implications for financial services are immediate and significant.

If you are a federal contractor or process federal payments: The FAR rule coming within 180 days will create a direct contractual obligation to comply with NIST PQC standards by 2030. Your legal and procurement teams should flag this now and begin reviewing vendor contracts for cryptographic requirements.

If you are a regulated financial institution: The FFIEC, OCC, Fed, and FDIC watch White House cybersecurity orders closely. Examination guidance that references PQC migration planning is coming — likely within 12–18 months of this order. Examiners who ask about your PQC migration plan in 2027 will expect you to have one. The time to build it is now, not when the examination letter arrives.

If you store sensitive customer data long-term: Harvest-now-decrypt-later is not a future problem. Adversaries are recording your encrypted data today. Any customer record, transaction history, or financial data that needs to remain confidential for more than five years is already at risk.

The CBOM Mandate Changes Everything

The most overlooked provision in the order is Section 5(d): the requirement for CISA to define minimum elements for a Cryptographic Bill of Materials within 270 days.

This is significant for three reasons. First, it creates a federal standard for what a CBOM must contain. Once CISA publishes that guidance, it becomes the benchmark against which regulators, auditors, and examiners will measure your institution’s cryptographic inventory practices.

Second, it explicitly requires automated assessment capability. Manual spreadsheet-based cryptographic inventories will not meet the standard the White House is establishing.

Third, 270 days from June 22, 2026 is March 19, 2027. Less than nine months away. Financial institutions that want to align with federal guidance need to begin building their CBOM now.

Key Deadlines Every Bank Should Track

DeadlineWhat happensYour action
Jul 22, 2026Federal agencies name PQC migration leadDesignate your internal PQC lead now
Sep 20, 2026OMB issues agency migration guidanceReview for private sector implications
Dec 19, 2026FAR Council publishes contractor PQC ruleLegal review of all federal contracts
Mar 19, 2027CISA publishes CBOM minimum elementsBegin cryptographic inventory now
Dec 31, 2030PQC key establishment deadlineFull migration plan funded and running
Dec 31, 2031PQC digital signature deadlineAll signing systems migrated

Three Things Every Bank CISO Should Do This Week

  1. 01

    Brief your board on Monday. Print the executive order. Add a one-page summary of what it means for your institution. Your board needs to know that PQC migration has moved from “emerging risk” to “presidential mandate.” This changes how you request budget.

  2. 02

    Find out if you are a federal contractor. Many financial institutions don't have immediate visibility into every federal contract in their portfolio. Your legal and procurement teams need to audit this now.

  3. 03

    Start your cryptographic inventory — even if imperfectly. The CBOM mandate is coming. The examination questions are coming. The institution that begins this week is nine months ahead of the institution that waits for CISA to publish guidance in March.

Get a CBOM and Quantum Readiness Score for every vendor

PQCClear helps mid-size banks assess the quantum readiness of every fintech vendor in their portfolio — generating a CBOM and Quantum Readiness Score for each one, mapped to DORA, FFIEC, and the new executive order requirements.

Request bank access

The executive order referenced in this post is publicly available at whitehouse.gov. This analysis represents the editorial view of PQCClear and should not be construed as legal advice. Financial institutions should consult legal counsel regarding their specific compliance obligations.