Zscaler Blog

Accelerating Post-Quantum Readiness Timelines: A New White House Executive Order on Securing Against Advanced Cryptographic Attacks

ISMEET SINGH
June 26, 2026 - 7 min read

The Quantum Threat Is No Longer Hypothetical

On June 22, 2026, the White House signed an Executive Order titled "Securing the Nation Against Advanced Cryptographic Attacks" — a landmark directive that signals the U.S. government's recognition that the quantum era is not a distant future threat, but a present-day risk that demands immediate action.

At the heart of this concern is a well-documented adversarial strategy known as "Harvest Now, Decrypt Later" (HNDL). Nation-state actors are actively exfiltrating and storing encrypted government and enterprise data today, with the intent to decrypt it once sufficiently powerful quantum computers become available. The data being harvested — communications, credentials, intellectual property, national security information — may remain sensitive for decades.

The Executive Order sets a clear deadline: federal agencies must migrate their most sensitive systems to post-quantum encryption by December 31, 2030, and to post-quantum authentication by December 31, 2031. Federal contractors are bound by the same timeline. Every agency must designate a PQC Migration Lead within 30 days of the signing.

The question for every government agency and enterprise security team is no longer whether to migrate — it is how, and how fast.

The Legislative and Standards Framework

The EO sits within a broader legislative and technical framework that organizations must navigate:

The Quantum Computing Cybersecurity Readiness Act

This Act requires federal agencies and contractors to inventory their cryptographic assets — to know what encryption is in use, where it lives, and which systems are most at risk from a quantum attack. You cannot migrate what you cannot see.

The Quantum Encryption Readiness and Resilience Act

This Act focuses on operational resilience — ensuring that once an inventory is established, agencies can actively transition to quantum-resistant algorithms and verify that their network communications are being protected by those standards in practice.

NIST FIPS 203 — The New Standard

The National Institute of Standards and Technology (NIST) has finalized FIPS 203, which standardizes ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) — a quantum-resistant algorithm for key exchange. This is the technical cornerstone of post-quantum cryptography compliance. Any solution claiming PQC compliance must support and enforce FIPS 203.

Where Zscaler Stands: A Purpose-Built Response

Zscaler has been anticipating this moment. Long before the EO was signed, Zscaler invested in building a post-quantum cryptography strategy that maps directly to both the legislative requirements and the operational realities that agencies and enterprises face. Here is how Zscaler's platform responds at every layer of the mandate.

PQC Visibility — Know Your Cryptographic Posture

Addresses: Quantum Computing Cybersecurity Readiness Act | EO Requirement: Cryptographic inventory & risk assessment

You cannot protect what you cannot see. The first step to PQC compliance is understanding your current cryptographic footprint — identifying every system, application, and connection that relies on classical encryption that will eventually be vulnerable to quantum attacks.

Zscaler launched its PQC Visibility Report — a dedicated dashboard within the Zscaler Zero Trust Exchange that gives security teams a real-time view of:

  • Which users and devices are initiating quantum-safe (PQC-enabled) TLS connections
  • Which applications and destinations are already quantum-ready
  • Where classical cryptography (RSA, ECC) remains in use and is most exposed
  • Traffic breakdowns across the enterprise to help prioritize migration efforts

This capability enables organizations to build a Cryptographic Bill of Materials (CryptoBOM) — a structured inventory of all encryption dependencies across the enterprise. In partnership with HCLTech, Zscaler now offers service-led crypto-discovery engagements to help enterprises create and operationalize their CryptoBOM as the foundation for a full PQC migration roadmap.

"The mandate is clear: before you can migrate, you must inventory. Zscaler's PQC Visibility gives organizations the starting point the law requires."

Inline PQC Inspection — Protect Traffic in Motion

Addresses: Quantum Encryption Readiness and Resilience Act | EO Requirement: Encryption of sensitive systems using quantum-resistant algorithms | Standard: NIST FIPS 203 (ML-KEM)

In February 2026, Zscaler became the first Security Service Edge (SSE) provider to launch full inline PQC traffic inspection — a breakthrough that redefines what enterprise and government security infrastructure can do.

How It Works

The Zscaler Zero Trust Exchange sits inline between users and the internet, acting as a "quantum-safe intermediary" or Crypto-Translator:

  1. Decrypt — Zscaler intercepts and decrypts inbound TLS traffic, including traffic protected by quantum-safe algorithms (ML-KEM / FIPS 203)
  2. Inspect — Full deep content inspection is applied: threat detection, data loss prevention, URL filtering, and policy enforcement
  3. Re-encrypt — Traffic is re-encrypted using the appropriate algorithm before being forwarded to its destination

This architecture solves one of the thorniest challenges in enterprise PQC migration: legacy server compatibility. Many backend servers and SaaS applications are still in the process of becoming quantum-ready. Zscaler's Zero Trust Exchange bridges this gap by establishing a PQC-secured connection with the modern client while maintaining a compatible classical TLS connection with the legacy server. This means organizations can begin protecting their users from HNDL attacks today, without waiting for every server and application in their ecosystem to be upgraded.

TLS 1.3 and Hybrid Key Exchange

Zscaler's inline inspection engine supports hybrid PQC key exchange — combining classical elliptic-curve cryptography (ECC) with ML-KEM (FIPS 203). This hybrid approach ensures:

  • Full compatibility with major browsers (Chrome, Firefox, Safari)
  • Quantum-safe protection for users who support it
  • Graceful fallback for environments still in transition

Quantum-Safe Traffic Forwarding — Securing Site-to-Site Connectivity

Addresses: EO requirement to protect sensitive government network infrastructure

Beyond user-to-app traffic, organizations must also protect network-to-network communications. Zscaler's implementation of Post-Quantum Pre-shared Keys (PPK) as defined in RFC 8784 secures IPsec tunnels against future quantum attacks on IKEv2 key exchanges.
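The RFC 8784 mechanism mentioned above can be shown in a few lines. This is an added example, not Zscaler's implementation: after the normal IKEv2 key derivation, the three keys SK_d', SK_pi' and SK_pr' are each run through prf+ again with the pre-shared PPK as the key. HMAC-SHA-256 as the negotiated PRF, the 32-byte PPK floor and all sample values are assumptions of this sketch.

```python
import hashlib
import hmac

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2 prf+ (RFC 7296, section 2.13) with HMAC-SHA-256 as the PRF."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ output limit exceeded")
        block = hmac.new(key, block + seed + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def mix_ppk(ppk: bytes, primes: dict) -> dict:
    """RFC 8784, section 3: SK_d, SK_pi and SK_pr are the classically derived
    SK_d', SK_pi', SK_pr' run through prf+ again, keyed by the PPK."""
    if len(ppk) < 32:
        # Example policy (an assumption of this sketch): require 32 bytes so a
        # random PPK can carry 256 bits of entropy.
        raise ValueError("PPK shorter than 256 bits")
    return {name: prf_plus(ppk, primes[name], len(primes[name]))
            for name in ("SK_d", "SK_pi", "SK_pr")}

# Constructed sample values standing in for the output of the normal IKEv2
# derivation, i.e. what breaking the (EC)DH exchange alone would reveal.
PRIMES = {n: hashlib.sha256(b"constructed " + n.encode()).digest()
          for n in ("SK_d", "SK_pi", "SK_pr")}
PPK_A = hashlib.sha256(b"constructed PPK, site A").digest()
PPK_B = hashlib.sha256(b"constructed PPK, site B").digest()

if __name__ == "__main__":
    for name, key in mix_ppk(PPK_A, PRIMES).items():
        print(name, key.hex())
```

Only SK_d, SK_pi and SK_pr are mixed with the PPK. The encryption and integrity keys of the initial IKE SA come from the classical derivation unchanged, so the protection applies to the Child SA keys derived from SK_d.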

 

Strengthening Zscaler's Federal Impact

Ensuring a quantum-resistant network fabric is essential for federal agencies and organizations with decentralized operations, including branch offices, data centers, and hybrid cloud environments. By focusing on the network itself rather than just the endpoints, Zscaler provides comprehensive protection across the entire infrastructure.

Building on its established federal presence, Zscaler is dedicated to bringing its full suite of PQC capabilities to the public sector. We are working to ensure these solutions meet rigorous FedRAMP authorization standards, making them accessible to defense, civilian, and intelligence agencies well in advance of the 2030 deadline. This commitment provides federal PQC migration leads with a reliable, authorized, and future-proof roadmap to compliance.

The Zero Trust Advantage for Quantum Security

Zscaler's PQC functionalities are natively integrated into the Zero Trust Exchange—the world's largest security cloud—rather than existing as bolt-on features. This deep architectural integration offers a distinct advantage for organizations managing the complex transition to post-quantum cryptography.

This is particularly critical for federal agencies and enterprises with distributed branch offices, data centers, and hybrid cloud environments — ensuring that the network fabric itself is quantum-resistant, not just the endpoints.

Zscaler has a strong federal presence and is committed to ensuring that its comprehensive PQC capabilities meet FedRAMP authorization requirements and are available to civilian, defense, and intelligence community customers well ahead of the 2030 mandate. This commitment ensures that federal agencies designating their PQC migration leads today will have a credible, authorized path to compliance through the Zscaler platform.

Zscaler's PQC features are built directly into the Zscaler Zero Trust Exchange—the globe's most expansive security cloud—rather than being secondary add-ons. This native integration provides a significant architectural edge for organizations navigating the transition to post-quantum cryptography.

Why the Zero Trust Architecture Is the Right Foundation

Zscaler's PQC capabilities are not bolt-on additions — they are natively embedded in the Zscaler Zero Trust Exchange, the world's largest security cloud. This architectural advantage matters enormously for PQC migration:

  • Inline by design: Every user connection passes through Zscaler, meaning PQC inspection is applied universally without endpoint agents or network re-architecture.
  • Scalable at cloud speed: The Zero Trust Exchange processes hundreds of billions of transactions per day, providing the throughput required to handle the computational overhead of PQC algorithms without degrading user experience.
  • Policy-driven: Security teams can enforce quantum-safe TLS requirements selectively — by user, group, application, or data classification — enabling a phased and controlled migration.
  • Unified visibility: A single pane of glass for both classical and quantum-safe traffic means no blind spots during the transition period.

The Bottom Line: Act Now, Don't Wait for 2030

The 2030 deadline may feel distant, but the HNDL threat is happening right now. Data being transmitted over classical encryption today is being harvested by adversaries who are betting that quantum computers will be ready before organizations are. Every day of delay is data at risk.

Zscaler's message to government agencies and enterprises is straightforward: you don't have to wait to get protected. The tools to see your cryptographic exposure, inspect quantum-safe traffic inline, and secure your network fabric are available today. The path to EO compliance runs through Zero Trust — and Zscaler is ready to walk that path with you.

To learn more about Zscaler's Post-Quantum Cryptography solutions, request a PQC Readiness Assessment, or explore the PQC Visibility Report in your Zscaler tenant, visit www.zscaler.com

 
