Executive Order 14409 sets a 2030 deadline for federal agencies to migrate to post-quantum encryption. Most organizations don't yet know what they're migrating from.
The government told federal agencies: by 2030, switch your most sensitive systems to encryption that quantum computers can't break. The problem is the order never says what "switched" means.
Imagine a bank that adds a new high-security vault but keeps the old combination lock on the front door. Technically it has "added" better security. But an attacker who knows the old combination still gets in. The bank hasn't actually upgraded anything that matters.
That's the risk security researchers are flagging. A government system could add quantum-resistant encryption while still accepting the old kind as a fallback. Any attacker who intercepts the connection can force it to use the old, breakable encryption. The system looks compliant. It isn't secure.
The Office of Management and Budget has 90 days to issue guidance that closes that gap, ideally by requiring agencies to turn off the old encryption entirely, not just add the new kind alongside it. Whether that requirement makes it into the guidance determines whether this executive order produces real security or just paperwork that says the right words.
Cloudflare, which has been deploying post-quantum encryption since 2019, moved its own internal deadline for full readiness to 2029, a year ahead of the federal mandate. The company cited recent research breakthroughs that accelerated timelines for when a quantum computer powerful enough to break current encryption could realistically exist.
A server that can fall back is still vulnerable
Cloudflare points to a specific vulnerability the order's language does not address: the downgrade attack. If a server supports post-quantum encryption but can still revert to the older kind, an attacker who intercepts the connection can force that reversion. The connection goes through. The data is protected only by the encryption that quantum computers are expected to break.
It has happened before. When an older web security protocol called SSLv3 was officially retired in 2014, many servers kept it running in the background for compatibility reasons. Attackers exploited that gap for years. Cloudflare argues the same pattern will repeat unless OMB guidance explicitly requires turning off older encryption, not just adding newer options.
A vendor who added post-quantum support without a committed date for removing classical cryptography has given you a checkbox, and left the exposure in place.
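The fallback condition described above can be checked mechanically once you know which key-exchange groups each endpoint is willing to negotiate. The following audit script is an added example, not Cloudflare's tooling or anything from the order; it assumes an inventory in the shape shown (endpoint name to list of enabled TLS 1.3 group names, the kind of data a configuration export or scanner would give you) and the hybrid group names registered by the IETF's ML-KEM TLS draft. The inventory values are constructed. Endpoints that advertise a hybrid group but still accept a classical-only group are flagged as "classical-fallback", the checkbox case the text warns about.

```python
"""Audit TLS key-exchange configuration for classical fallback.

Added example. SAMPLE_INVENTORY is constructed to resemble what a
configuration export or scan tool might report per endpoint; it is
not output from any real tool.
"""
from dataclasses import dataclass

# Hybrid groups from the IETF draft-ietf-tls-ecdhe-mlkem work. Kept as a policy
# input (not hard-coded logic) so the accepted set can change without code edits.
PQ_GROUPS = frozenset({"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"})
# Classical-only groups: acceptable only if no fallback is permitted by policy.
CLASSICAL_GROUPS = frozenset(
    {"X25519", "secp256r1", "secp384r1", "secp521r1", "ffdhe2048", "ffdhe3072"}
)


@dataclass(frozen=True)
class Finding:
    endpoint: str
    status: str   # pq-only | classical-fallback | classical-only | unknown-groups
    detail: str


def classify_groups(groups):
    """Classify one endpoint from the key-exchange groups it will negotiate."""
    enabled = set(groups)
    unknown = enabled - PQ_GROUPS - CLASSICAL_GROUPS
    if unknown:
        # Unrecognised names are a finding, not a pass: the policy lists are
        # incomplete or the export is mislabelled, and either needs a human.
        return "unknown-groups", "unrecognised group(s): " + ", ".join(sorted(unknown))
    pq = enabled & PQ_GROUPS
    classical = enabled & CLASSICAL_GROUPS
    if pq and not classical:
        return "pq-only", "hybrid groups only: " + ", ".join(sorted(pq))
    if pq and classical:
        return ("classical-fallback",
                "hybrid advertised but classical still negotiable: "
                + ", ".join(sorted(classical)))
    if classical:
        return "classical-only", "no post-quantum key exchange configured"
    return "unknown-groups", "no key-exchange groups reported"


def audit(inventory):
    """Run the classification over an {endpoint: [group, ...]} inventory."""
    return [Finding(name, *classify_groups(groups))
            for name, groups in sorted(inventory.items())]


def noncompliant(findings):
    """Everything that is not pq-only still leaves classical exposure in place."""
    return [f for f in findings if f.status != "pq-only"]


# Constructed sample inventory (hypothetical hostnames).
SAMPLE_INVENTORY = {
    "api.example.internal": ["X25519MLKEM768", "X25519", "secp256r1"],
    "vpn.example.internal": ["secp256r1", "ffdhe2048"],
    "www.example.internal": ["X25519MLKEM768"],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.endpoint:28} {f.status:20} {f.detail}")
```

The status names double as a vendor-conversation checklist: "classical-fallback" is exactly the state a roadmap that promises "support for both" leaves you in, and the audit only reports "pq-only" once the classical groups are actually removed from the configuration.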
Encryption and authentication are two separate problems
The order splits the migration into two phases: encryption by 2030, digital signatures and authentication by 2031. According to Cloudflare's data, more than two-thirds of browser traffic to its network already uses post-quantum key exchange. That part of the problem, at least for major platforms, is largely in hand.
Authentication is further behind. Verifying identity in a post-quantum world requires changes across multiple systems at once — the organizations that issue digital certificates, the browsers that accept them, and the servers that rely on them. Cloudflare is working with Google Chrome on a technical approach to speed that up for web traffic, but most of the industry hasn't started. The company says both tracks need to run at the same time or the 2031 authentication deadline will slip.
The contractor clause moves the private sector
The contractor clause may be the most consequential part of the order. Federal agencies have a mandate. Federal contractors now have a deadline: comply with post-quantum standards by 2030 or lose eligibility for government work.
The practical effect extends well beyond Washington. Products that technology vendors build to meet federal requirements tend to end up deployed in hospitals, banks, universities, and mid-market companies that face no direct mandate of their own. The Cybersecurity and Infrastructure Security Agency has already published a list separating technology categories where post-quantum encryption is considered ready to use from those still catching up. Cloud platforms and web servers are in the ready column. Networking hardware and email infrastructure are still catching up.
For any organization reviewing vendor contracts, that list is a starting point. If a vendor's product is in the ready category and post-quantum encryption still isn't available, there's a question worth asking.
Where to start before OMB issues guidance
Most organizations don't know exactly what encryption they're running or where. Cloudflare recommends starting with a targeted assessment that asks, for each system, what happens if it is compromised, how exposed it is, and whether a post-quantum alternative is available now. QSE Group offers a similar service through its Quantum Preparedness Assessment, which scores an organization's cryptographic exposure and produces a prioritized list of what to address first.
The more immediate concern, both companies argue, is data that's already in transit. An adversary can collect encrypted data today, store it, and decrypt it later once the right quantum hardware exists. For organizations handling sensitive information with a long shelf life, that's a risk that doesn't wait for 2030.
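The three assessment questions above and the harvest-now-decrypt-later risk combine naturally into a triage rule. The script below is an added example, not QSE Group's or Cloudflare's assessment method; it applies Mosca's inequality (data protected today is already at risk when its confidentiality shelf life X plus the migration time Y exceeds the years Z until a cryptographically relevant quantum computer) to a constructed system inventory. The hostnames, year figures and the Z horizon are all assumptions, and the recommendation strings are hypothetical labels for illustration.

```python
"""Harvest-now-decrypt-later triage with Mosca's inequality.

Added example. Mosca's rule: if X (years the data must stay confidential)
+ Y (years needed to migrate the system) > Z (years until a capable quantum
computer exists), then data recorded today is already at risk. SAMPLE_SYSTEMS
and Z_YEARS are constructed values, not real measurements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    shelf_life_years: float   # X: how long captured data stays sensitive
    migration_years: float    # Y: estimated time to deploy PQ key exchange here
    exposed: bool             # traffic crosses networks an adversary could record
    pq_available: bool        # the product offers a PQ option today


def margin(system, z_years):
    """How far past the inequality the system is (positive = already at risk)."""
    return system.shelf_life_years + system.migration_years - z_years


def at_risk(system, z_years):
    """Only recordable traffic can be harvested; unexposed systems never trip it."""
    return system.exposed and margin(system, z_years) > 0


def recommend(system, z_years):
    """Hypothetical action labels tied to the 'is there a PQ alternative' question."""
    if not at_risk(system, z_years):
        return "schedule"
    if system.pq_available:
        return "migrate-now"
    return "isolate-or-replace"   # no PQ option yet: cut exposure or change vendor


def triage(systems, z_years):
    """Return (name, at_risk, margin, action) rows, worst exposure first."""
    rows = [(s.name, at_risk(s, z_years), margin(s, z_years), recommend(s, z_years))
            for s in systems]
    # at-risk systems first, then by how far each one overshoots the horizon
    rows.sort(key=lambda r: (-int(r[1]), -r[2]))
    return rows


# Constructed inventory and horizon (assumptions, not forecasts).
Z_YEARS = 7
SAMPLE_SYSTEMS = [
    System("patient-records-api", 25, 2, True, True),
    System("public-website", 0.5, 1, True, True),
    System("legacy-mail-gateway", 10, 3, True, False),
    System("air-gapped-hsm-backup", 30, 5, False, True),
]

if __name__ == "__main__":
    for name, risk, m, action in triage(SAMPLE_SYSTEMS, Z_YEARS):
        print(f"{name:24} at_risk={risk!s:5} margin={m:+6.1f}y  {action}")
```

The ordering is the point: a public website with short-lived data ranks below an unexposed backup even though the backup holds long-lived data, while a mail gateway with no post-quantum option lands near the top because shelf life, not vendor readiness, decides whether recorded traffic matters.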
The standards will keep moving
The order points agencies to specific post-quantum algorithms approved by the National Institute of Standards and Technology. It says nothing about what happens when those standards get updated, which they will. Security experts recommend building systems that can swap out cryptographic algorithms without a full rebuild, so that future updates are a software change rather than a construction project. The order doesn't require it. Cloudflare argues it should.
The Internet Engineering Task Force is working on the underlying technical standards that make all of this possible across the internet. OMB has until mid-September to translate the executive order into concrete requirements. What those requirements actually say will determine how much of the order's intent survives contact with implementation.
When your current security vendors added post-quantum support to their roadmaps, did they commit to a date for disabling classical cryptography, or only to supporting both? A vendor with no plan to remove legacy algorithms is selling compliance optics, not security. The 2030 deadline is the floor. The question is whether your vendor has told you what they intend to do above it.
