The Clock is Ticking: High-Value Assets (HVA) Must Migrate to PQC

Vikram Chandrasekaran
Vikram Chandrasekaran
Jun 25, 2026
5mins
Share this post:
hva-must-migrate-to-pqc

On June 22, 2026, President Trump signed Executive Order 14409 — Securing the Nation Against Advanced Cryptographic Attacks. If you are part of Data security or in charge for PQC, it is no more going to be a project which is run on silo with less intent rather It is a firm directive with hard deadlines with the entire window much shorter than expected.

The order is bringing more clarity that the world of quantum computers is here with Harvest Now decrypt later with the timeline for decryption coming soon with innovation in quantum computers. EO 14409 calls this out explicitly — and it puts agencies on notice that the time to act is not when quantum computing matures. The time to act is now.

At Fortanix, we anticipated the shift to post-quantum cryptography early and have continuously evolved our platform accordingly. Our solutions now support the full range of NIST-approved post-quantum algorithms, enabling agencies to discover, assess, and remediate cryptographic risk through a structured, phased migration. Let us walk through what the EO requires, and where Fortanix maps directly to those requirements.

What the Executive Order Requires

The order lays out a clear timeline for federal agencies and, through procurement rules, their contractors:

  • Within 30 days: Agencies must name a PQC Migration Lead
  • Within 90 days: OMB issues guidance requiring agencies to inventory all High Value Assets (HVAs) and High Impact Systems.
  • By December 31, 2030: All HVAs and high impact systems must use PQC for key establishment.
  • By December 31, 2031: All HVAs and high impact systems must use PQC for digital signatures.
  • Within 180 days: FAR amendments will require covered contractors to comply with NIST FIPS PQC standards by the same 2030 deadline.
  • Within 270 days: CISA releases the minimum elements for a CRYPTOGRAPHIC BILL OF MATERIALS (CBOM), enabling automated assessment of cryptographic assets in hardware and software.

A Cryptographic discovery leading to a CRYPTOGRAPHIC BILL OF MATERIALS (CBOM) is no longer optional — it is the foundation of an effective migration. No enterprise can migrate without first understanding its cryptographic delta, and if that delta is incomplete, every subsequent step in the migration loses its effectiveness.

The Real Challenge: Most Organizations Do Not Know Their Cryptographic Estate

Here is where things get honest. Most enterprises, including federal agencies, do not have end to end picture of all their cryptographic estate. Let's also accept that it's difficult for enterprises to arrive at the delta because the Crypto assets are spread in various technology stacks such as HSMs, Network layer, Databases, Cloud, File Systems, Code Repositories, 3rd party Apps, Main Frames and many more.

As cryptography was adopted, every application had different means with some doing using native encryption or leveraging software based crypto stores.

That is not a failure of intent. It is a function of scale. EO 14409 does not give you credit for good intentions. It sets deadlines. This is exactly the problem that Fortanix’s solutions were designed to solve: to provide enterprise with a tool to do cryptographic lifecycle governance & Management.

Fortanix Key Insight: Cryptographic Discovery and PQC Readiness

Key Insight gives security teams the ability to discover, classify, and assess cryptographic assets across the entire enterprise cloud, on-premises, and hybrid.

Key Insight helps Organizations:

  • Discovers cryptographic assets across multi-cloud (AWS, Azure, GCP, OCI), HSMs, databases, file systems, code repositories, PKI infrastructure, network level, and application code.
  • Detects violation types that directly map to EO risk categories: PQC_VULNERABLE, WEAK_KEY_SIZE, EXPIRED_KEYS, EXPIRED_CERTIFICATE, STATIC_IV, HARDCODED_KEY, SHARED_KEYS and more.
  • Classifies assets by PQC ready vs not ready, exactly the kind of tiering the EO demands for HVAs versus standard systems.
  • Assists in generating a comprehensive CRYPTOGRAPHIC BILL OF MATERIALS (CBOM). When CISA releases its CRYPTOGRAPHIC BILL OF MATERIALS (CBOM) guidance within 270 days, organizations with Key Insight deployed will have a head start that others cannot replicate overnight.
  • Key Insight will allow you to bring the import CRYPTOGRAPHIC BILL OF MATERIALS (CBOM) from other sources into Key Insight to make it your single source of truth across the organization.
  • Using rich analytics and integrations (like CMDB and DSPM tools), Key Insight helps prioritize PQC migration so that high value assets are migrated first with others following.
  • Key Insight further helps integrate into existing ticketing and CMDB systems to assist in filing, tracking and in the actual migration to a PQC ready state
  • With rich integrations to various tech stacks, it can help to drastically reduce manual overhead. ITSM integration, for example, automatically routes violations into ticketing queues, so remediation is not a manual process waiting for someone to check and monitor a dashboard.

The EO 14409 requires agencies to review their HVA inventory and develop a prioritized PQC migration plan within 90 days of OMB guidance. Discovery is continuous, not a one-time snapshot. Discovery/Re-Discovery, Assessment/Re-assessment, Tracking and migration is a multi-year journey towards a PQC ready state.

Fortanix Data Security Manager: Crypto Agility for PQC Transition:

Discovering your cryptographic landscape is step one. Step two is migrating using Fortanix Data Security Manager which supports all more than 200+ integrations & all approved PQC Algorithms.

DSM is a next-gen Hardware Security Module with built-in Key Management. It is FIPS 140-2 Level 3 validated (with FIPS 140-3 in progress), which matters significantly in the context of this EO 14409.

The order specifically references the Cryptographic Module Validation Program under FIPS 140-3 as the standard for compliant modules, and Section 6 directs NIST to accelerate those validations.

For PQC migration, DSM helps in several different ways:

  • PQC Algorithm Support: DSM supports NIST-standardized PQC algorithms for various use cases such as key encapsulation and digital signatures as referenced in the EO's definitions.
  • Crypto-Agility by Design: The EO 14409 migration timeline spans multiple years, and hybrid environments, where classical and PQC algorithms coexist, will be the reality for most of that period. DSM is built for crypto-agility, allowing teams to manage legacy and PQC keys within a single platform rather than building parallel infrastructure.
  • Policy Enforcement: DSM enforces key usage policies, expiration schedules, and algorithm restrictions at the platform level. With multiple logical segregation capability, it makes it easy to create multiple policy to segregate platform and track the migration in phases.
  • Multi-Cloud Key Management: The order acknowledges that cloud-based technologies represent a major cost-saving migration opportunity. While it highlights this, Data Sovereignty has become the most importance as well. DSM provides the ability to do BYOK/HYOK across all major vendors which allows organizations to secure their Cryptographic Key material that is used in Cloud Environment.
  • Confidential Computing Integration: For highly sensitive workloads, DSM can be used with confidential computing environments to help protect data and cryptographic operations in use, including AI workloads, model protection, and sensitive inference pipelines.
  • Further, Fortanix’s Key Insight and DSM products integrate to help organizations maintain a consistent policy that they comply with and assist in easy click migrations.

The CRYPTOGRAPHIC BILL OF MATERIALS (CBOM) Requirement: Getting Ahead of It

One provision in the EO deserves particular attention: Section 5(d) requires CISA and NIST to release minimum elements for a Cryptographic Bill of Materials within 270 days. A CRYPTOGRAPHIC BILL OF MATERIALS (CBOM) is similar to a Software Bill of Materials, it comprises all the cryptographic components in a system, enabling enterprises for risk assessment.

This is not a simple checkbox but is the heart of where you want to be at the end of your PQC migration. A CRYPTOGRAPHIC BILL OF MATERIALS (CBOM) is what turns post-quantum migration from a vague organizational aspiration into an executable project. Without it, you are guessing at scope.

With it, you know exactly which systems rely on RSA-2048 for key establishment, which certificates are within 90 days of expiration, and which applications are embedding cryptographic keys in source code and many more critical interconnects.

Fortanix Key Insight discovers and generates the data that feeds a CRYPTOGRAPHIC BILL OF MATERIALS (CBOM). The violation detection engine does not just flag problems, it catalogs cryptographic assets with enough metadata to build and maintain a living inventory.

Organizations that deploy Key Insight now will be positioned to produce a CRYPTOGRAPHIC BILL OF MATERIALS (CBOM) the day CISA's guidance drops, rather than starting from zero.

What does this mean for Federal Contractors?

The order is not only a federal agency issue. It also creates meaningful implications for contractors.

The order directs the FAR Council to publish a proposed rule requiring covered contractors to comply with NIST FIPS standards, including applicable PQC standards, by December 31, 2030.

This means contractors supporting federal environments should begin preparing now, especially if they provide software, infrastructure, cloud services, security products, cryptographic services, AI systems, or systems that store or process sensitive government data.

For contractors, the starting point is the same: know where cryptography exists, understand which assets are quantum-vulnerable, prioritize high-value systems, and create a migration roadmap.

Practical Starting Point

Organizations that meet the 2030 and 2031 deadlines comfortably will not be the ones that begin in 2029. They will be the ones that start discovery, inventory, and planning now.

A practical starting sequence:

  • Deploy Key Insight to start your cryptographic discovery across your environment and assess the estate.
  • Establish the CRYPTOGRAPHIC BILL OF MATERIALS (CBOM) data foundation now, ahead of CISA's formal guidance.
  • Integrate remediation workflows with ServiceNow or your existing ITSM platform to operationalize ongoing compliance.
  • Begin migrating key management infrastructure to DSM, enabling PQC algorithm support alongside existing classical algorithms.
Short Recap

The new PQC order is the clearest signal that the U.S. government views post-quantum cryptographic readiness as a national security risk. The deadlines are real and shorter than what Enterprises would have expected.

The cryptographic inventory problem that sits as the center of all this problem is real.

Fortanix built Key Insight and Data Security Manager to solve this class of problem. Discovery, assessment, remediation, and enforcement, across the full cryptographic lifecycle, across every environment where your data lives.

We will give you the tools to enable you to have a head start in this long complex migration.

Post Quantum Redines
Share this post:

Platform

Fortanix Platform

Confidential AI

Data Security Manager

Confidential Computing Manager

Armet AI

Key Insight

Open Source Platform

Enclave Development Platform®

Solutions

Use Cases

Legacy to Cloud Infrastructure Migration

Regulatory Compliance

Post-Quantum Readiness

Secure, Data-Driven Innovation

Company

About Us

Partners

Careers

Confidential Computing

University

Blog

FAQ

Contact Us

Awards

Events

Webinars

Press

News

Services

Media Kit

Newsletters

Customers

Resources

Support

Fortanix-logo

4.6

star-ratingsgartner-logo

As of January 2026

SOCISOPCI DSS CompliantFIPSGartner Logo

US

Europe

India

Singapore

4500 Great America Parkway, Ste. 270
Santa Clara, CA 95054

+1 408-214 - 4760|info@fortanix.com

High Tech Campus 5,
5656 AE Eindhoven, The Netherlands

+31850608282

UrbanVault 460,First Floor,C S TOWERS,17th Cross Rd, 4th Sector,HSR Layout, Bengaluru,Karnataka 560102

+91 080-41749241

T30 Cecil St. #19-08 Prudential Tower,Singapore 049712