TL;DR: The Executive Order on securing the nation against advanced cryptographic attacks pushes organisations to turn post-quantum cryptography strategy into execution, with milestones aimed at 2030 for key exchange and 2031 for digital signatures, according to Keyfactor. The real issue is crypto-agility, because inventory, ownership, and reporting now determine whether migration can happen fast enough.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams prepare for post-quantum cryptography migration?
A: Start with a complete cryptographic inventory, then rank dependencies by business criticality and replacement complexity.
Q: Why does crypto-agility matter for identity and access programmes?
A: Crypto-agility matters because identity systems depend on certificates, signatures, and trust chains that must be replaced without service disruption.
Practitioner guidance
- Inventory cryptographic dependencies across the estate Map certificates, keys, signatures, and trust relationships across workloads, applications, devices, and identity systems.
- Prioritise the highest-friction trust paths first Focus early on code signing, device authentication, service-to-service identity, and customer-facing TLS paths because these dependencies are hardest to replace under live traffic.
- Establish cryptographic ownership and reporting Assign a business owner and a technical owner for each cryptographic domain, then create reporting that shows which systems rely on long-lived algorithms, embedded keys, or manually managed certificates.
What to expect at the briefing
Keyfactor's full webinar covers the operational detail this post intentionally leaves for the source:
- Milestone guidance for moving from PQC strategy to execution across security and infrastructure teams
- Practical steps for inventorying cryptographic assets before migration planning begins
- Discussion of ownership and reporting requirements introduced by the Executive Order
- Implementation considerations for large-scale cryptographic migration and crypto-agility
👉 Register for Keyfactor's webinar on the Executive Order and advanced cryptographic threats →
Pqc readiness and crypto-agility under the new EO?
Explore further
Crypto-agility has become an identity governance problem, not just a cryptography problem. The EO is pushing organisations to discover where trust depends on keys, certificates, and signatures before those dependencies become migration blockers. That means the governance unit of work is the cryptographic asset, its owner, and its lifecycle, not the algorithm in isolation. The implication is that IAM and machine identity teams now share accountability for cryptographic readiness.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly weak identity governance compounds across environments.
A question worth separating out:
Q: Who should own PQC readiness in an enterprise?
A: PQC readiness should be jointly owned by security architecture, identity teams, and the business services that rely on cryptography. The technical team can map dependencies, but the business owner must define criticality and acceptable migration timing. Shared ownership is essential because the risk spans identity, application trust, and service continuity.
👉 Read our full editorial: Advanced cryptographic threats raise the bar for PQC readiness