Blog Zscaler

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

Products & Solutions

Accelerating Post-Quantum Readiness Timelines: A New Executive Order on Securing Against Advanced Cryptographic Attacks

JOSE PADIN, YAROSLAV ROSOMAKHO, SATISH MADIRAJU
juillet 13, 2026 - 8 Min de lecture

The Quantum Threat Is No Longer Hypothetical

On June 22, 2026, the President signed two Executive Orders signaling that the quantum era is rapidly approaching and demands action. The first, “Securing the Nation Against Advanced Cryptographic Attacks” (EO 14412), accelerates the federal government’s migration to post-quantum cryptography. The second, “Ushering in the Next Frontier of Quantum Innovation” (EO 14413), establishes a whole-of-government quantum strategy covering research, commercialization, supply chain resilience, and workforce development.

EO 14412 sets a clear deadline: federal agencies must migrate their most sensitive systems to post-quantum cryptography (PQC) for key establishment by December 31, 2030, and to PQC for digital signatures by December 31, 2031. The EO also directs the Federal Acquisition Regulatory (FAR) Council to propose a rule requiring covered federal contractors to comply with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS), including PQC algorithms, by December 31, 2030. Every agency must designate a PQC Migration Lead within 30 days of the signing.

Underlying these EOs is a well-documented threat called "Harvest Now, Decrypt Later" (HNDL): Nation-state actors are actively exfiltrating and storing encrypted government and enterprise data today, with the intent to decrypt it once sufficiently powerful quantum computers become available. The data being harvested—from credentials, intellectual property, to national security information—can have a shelf-life of decades.

The question for every government agency and enterprise security team is no longer whether to migrate; it is how and how fast.

The Legislative and Standards Framework

The Cybersecurity EO (14412) sits within a broader legislative and technical framework that organizations must navigate:

The Quantum Computing Cybersecurity Preparedness Act (P.L. 117–260)

This law, enacted in December 2022, requires federal agencies to inventory their cryptographic assets to know what encryption is in use, where it lives, and which systems are most at risk from a quantum attack. You cannot migrate what you cannot see.

OMB M–26–15: Execution of the Migration to Post-Quantum Cryptography

Two days after EO 14412 was signed, OMB issued Memorandum M-26-15, translating the EO’s deadlines into a five-phase migration framework. Agencies must submit PQC Migration Plans to OMB within 120 days. The memo calls for automated cryptographic inventory and discovery tools, integration of PQC into Zero Trust architectures, and coordination with FedRAMP-authorized cloud service providers on shared PQC migration responsibilities. M-26-15 treats PQC as a foundational dependency for a durable Zero Trust architecture, reinforcing that organizations cannot achieve a mature zero-trust posture without quantum-resistant cryptography.

NIST PQC Standards

NIST has finalized FIPS 203, which standardizes ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism), a quantum-resistant algorithm for key establishment. This is the standard that addresses the EO's nearer-term 2030 deadline and is the foundation for Zscaler's current PQC capabilities. NIST has also finalized standards for post-quantum digital signatures, which address the EO's 2031 deadline.

Taken together, these requirements create a clear operational mandate. The next question is which security architectures can deliver PQC capabilities at the scale and speed these timelines demand. 

Where Zscaler Stands: A Purpose-Built Response

Long before the EO was signed, Zscaler invested in building post-quantum cryptography capabilities that address key establishment requirements at the center of the EO’s nearer-term 2030 deadline and the operational realities that agencies and enterprises face. Here is how Zscaler's platform responds to the key establishment requirements that take effect first.

PQC Visibility - Know Your Cryptographic Posture

Addresses: Quantum Computing Cybersecurity Preparedness Act | EO Requirement: Cryptographic inventory & risk assessment

The first step to PQC compliance is understanding your current cryptographic footprint, identifying every system, application, and connection that relies on classical key establishment and digital signatures that will eventually be vulnerable to quantum attacks.

OMB M-26-15 acknowledges that manual inventory processes are insufficient at federal scale. Zscaler's inline architecture addresses this directly: it provides automated, continuous cryptographic discovery based on actual traffic, giving organizations ground-truth visibility into cryptographic capabilities across users, devices, and specific transactions. 

Zscaler launched its PQC Visibility Report, a dedicated dashboard within the Zscaler Zero Trust Exchange that gives security teams a real-time view of:

  • Which users and devices are initiating TLS connections with PQC key establishment
  • Use of legacy TLS protocol versions that cannot adopt PQC
  • Where classical key establishment remains in use and is most exposed
  • Traffic breakdowns across the enterprise to help prioritize migration efforts

All the relevant information is readily available in the detailed transaction logs and can be streamed through Zscaler's Nanolog service at any scale. This enables organizations to build a Cryptographic Bill of Materials (CryptoBOM), a structured inventory of all encryption dependencies across the enterprise. In partnership with HCLTech, Zscaler now offers service-led crypto-discovery engagements to help enterprises create and operationalize their CryptoBOM as the foundation for a full PQC migration roadmap.

Zscaler's PQC Visibility Report gives organizations the ground-truth inventory that both the Preparedness Act and M-26-15 require as the foundation for migration. 

PQC Visibility Reporting

Inline PQC Inspection - Protect Traffic in Motion

Addresses: EO Requirement: Transition of high-value assets and high-impact systems to PQC for key establishment | Standard: NIST FIPS 203 (ML-KEM)

In February 2026, Zscaler became the first Security Service Edge (SSE) provider to launch full inline PQC traffic inspection, a breakthrough that redefines what enterprise and government security infrastructure can do.

How It Works

The Zscaler Zero Trust Exchange sits inline between users and the internet, acting as a "quantum-safe intermediary" or Crypto-Translator:

  1. Decrypt: Zscaler intercepts and decrypts inbound TLS traffic, including traffic protected by quantum-safe key establishment (ML-KEM / FIPS 203 hybrid with ECDHE)
  2. Inspect: Full deep content inspection is applied: threat detection, data loss prevention, URL filtering, and policy enforcement
  3. Re-encrypt: Traffic is re-encrypted using the appropriate algorithm before being forwarded to its destination. Zscaler uses quantum-safe key establishment with the servers that support such capability.
Quantum-Ready Inspection with Zscaler

This architecture solves one of the thorniest challenges in enterprise PQC migration: legacy server compatibility. Many backend servers and SaaS applications have not yet adopted PQC key establishment. Zscaler's Zero Trust Exchange bridges this gap, establishing a PQC-secured connection with the modern client while maintaining a compatible classical TLS connection with the legacy server. This means organizations can begin protecting their users from HNDL attacks today, without waiting for every server and application in their ecosystem to be upgraded.

TLS 1.3 and Hybrid Key Exchange

Zscaler's inline inspection engine supports hybrid PQC key establishment, combining classical Elliptic-Curve Diffie-Hellman with Ephemeral Keys (ECDHE) with ML-KEM (FIPS 203). The hybrid approach is widely recognized as more safe and prudent compared to direct migration to pure PQC, since it offers defense-in-depth: compromising a properly implemented hybrid scheme requires an attacker to break both the classical and PQC algorithms. It provides full compatibility with modern web browsers (Chrome, Edge, Firefox, Safari) and follows the current recommendations of the Internet Engineering Task Force (IETF).

OMB M-26-15 recognizes hybrid architecture as a valid transitional model and specifies TLS 1.3 as the foundation for deploying PQC at the network level, with a January 2, 2030 adoption deadline for all agencies.

Upcoming: Crypto Policy Profiles

Not all PQC requirements are the same. IETF recommends hybrid key exchange, which pairs ML-KEM with classical ECDHE for broad compatibility across the public internet. NIST's CNSA 2.0 suite, on the other hand, calls for pure ML-KEM in national security systems, removing the classical component entirely.

Zscaler is developing Crypto Policy Profiles that will give security teams granular control over which cryptographic standard is enforced, and where. Administrators will be able to define policies that require hybrid key exchange for general enterprise traffic while mandating pure ML-KEM for connections that fall under CNSA 2.0 requirements. Policies can be scoped by user group, application, data classification, or compliance regime.

For federal customers operating under both the EO's 2030 deadline and CNSA 2.0 guidance, this flexibility is essential. It allows a single platform to satisfy divergent cryptographic mandates without forcing a one-size-fits-all approach across the organization.

Why the Zero Trust Architecture Is the Right Foundation

Zscaler's PQC capabilities are natively embedded in the Zscaler Zero Trust Exchange, the world's largest security cloud. This architectural advantage matters for PQC migration:

  • Inline by design: Every user connection passes through Zscaler, meaning PQC inspection is applied universally without endpoint agents or network re-architecture.
  • Scalable at cloud speed: The Zero Trust Exchange processes hundreds of billions of transactions per day, providing the throughput required to handle the computational overhead of PQC algorithms without degrading user experience.
  • Policy-driven: Security teams can enforce quantum-safe TLS requirements selectively, scoping by user, group, application, or data classification to enable a phased and controlled migration.
  • Unified visibility: A single pane of glass for both classical and quantum-safe traffic means no blind spots during the transition period.
  • Cryptographic agility: PQC research remains an active topic and NIST is working on standardizing additional algorithms. Zscaler cloud always adopts the latest security guidelines to ensure that customers do not need to worry about unexpected disruptions if the recommended approach to PQC changes.

The Bottom Line: Act Now, Don't Wait for 2030

The 2030 deadline may feel distant, but the HNDL threat is happening right now. Data being transmitted over channels established with classical key exchange today is being harvested by adversaries who are betting that quantum computers will be ready before organizations are. Every day of delay puts additional data at risk.

Zscaler's message to government agencies and enterprises is straightforward: you don't have to wait to get protected. The tools to see your cryptographic exposure, inspect quantum-safe traffic inline, and secure your network fabric are available today. The path to PQC compliance runs through Zero Trust, and Zscaler is ready to walk that path with you.

To learn more about Zscaler's Post-Quantum Cryptography solutions, request a PQC Readiness Assessment, or explore the PQC Visibility Report in your Zscaler tenant. A future blog entry will cover PQC migration recommendations specific to FedRAMP and Department of War organizations.

form submtited
Merci d'avoir lu l'article

Cet article a-t-il été utile ?

Clause de non-responsabilité : Cet article de blog a été créé par Zscaler à des fins d’information uniquement et est fourni « en l’état » sans aucune garantie d’exactitude, d’exhaustivité ou de fiabilité. Zscaler n’assume aucune responsabilité pour toute erreur ou omission ou pour toute action prise sur la base des informations fournies. Tous les sites Web ou ressources de tiers liés à cet article de blog sont fournis pour des raisons de commodité uniquement, et Zscaler n’est pas responsable de leur contenu ni de leurs pratiques. Tout le contenu peut être modifié sans préavis. En accédant à ce blog, vous acceptez ces conditions et reconnaissez qu’il est de votre responsabilité de vérifier et d’utiliser les informations en fonction de vos besoins.

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

En envoyant le formulaire, vous acceptez notre politique de confidentialité.