President Trump signed two executive orders on quantum technology in June 2026. One sets a target to build a research-grade quantum computer by 2028. The other moves the federal government onto post-quantum cryptography (PQC), with key establishment due by the end of 2030 and digital signatures by the end of 2031. The capability timeline keeps moving, and most organizations still can't say what cryptography they run or where it lives. Mapping your public key infrastructure (PKI) estate is the work that has to start now.
Key takeaways
- The 2028 order is about building a quantum computer for research. The 2030 and 2031 deadlines are about migrating federal systems off the cryptography a quantum computer could break.
- Google has set its own 2029 deadline to finish migrating, a year ahead of the federal key-establishment date. That is a strong signal for any organization holding data that has to stay private for years.
- You can't migrate cryptography you can't see. A live inventory of certificates, keys, and dependencies comes before any algorithm swap.
Two orders, two very different deadlines
On June 22, 2026, the White House signed two executive orders on quantum technology, and the two deadlines inside them are easy to confuse.
The first order sets a target to build a quantum computer powerful enough for scientific research by 2028. The second, Executive Order 14409, moves the federal government onto post-quantum cryptography. Federal high-value and high-impact systems must use PQC for key establishment by the end of 2030 and for digital signatures by the end of 2031.
The acceleration in quantum policy should be welcomed. Government, industry, and academia have done important work, but the pace hasn't always matched the scale of the risk. The only certainty for quantum is that the timeline will keep moving, and recent developments show the window for action is narrowing, not widening.
Ambition has to be matched by execution and funding
The new focus on post-quantum readiness matters, but ambition has to be matched by execution and funding. Governments need to stay properly resourced to set policy, coordinate critical infrastructure, and help the wider economy move securely. The private sector will keep investing, but this transition can't be left to market momentum alone.
That point carries weight right now, because the agency tasked with coordinating much of this critical infrastructure work, CISA, is being asked to do more with a smaller budget and a smaller team. Direction without resourcing slows everyone down.
The 2031 marker is not a comfortable deadline
The 2031 federal target is an important marker, but it shouldn't be read as a comfortable deadline. Google has already set a 2029 timeline for its own post-quantum migration, which raises a fair question: why would any organization with long-life sensitive data wait?
For organizations, the message is simple. This is not a problem for the next decade. Anyone holding data that needs to stay private for years should be planning against a 2029 to 2031 window now.
You can't migrate what you can't see
The challenge is that post-quantum migration is not just about buying new algorithms. Cryptography is buried across certificates, keys, applications, APIs, cloud services, suppliers, devices, and third-party systems. In many organizations, that estate has never been fully mapped. You cannot migrate what you cannot see.
The work that matters now is visibility. That means a live inventory of cryptographic assets, PKI, certificates, keys, owners, dependencies, and renewal paths. It's like securing a building before a new class of lock-picking tool becomes available. Most organizations can't yet tell you how many doors they have, where they are, or who holds the keys.
Start with discovery, not algorithms
The algorithm swap is the visible part of post-quantum migration, but it's the last part. The work that decides whether you hit a 2029 to 2031 window is the discovery that comes first.
Red Sift Certificates brings public and private cryptographic assets into one continuous inventory, with dedicated views for PQC readiness and certificate lifecycle compliance, so you can see your estate before you start moving it. For the full picture on the threat model, the NIST algorithms, and how to build cryptographic agility, read our post-quantum cryptography guide.
Billy is a solutions engineering leader, technologist, cybersecurity advocate, and researcher. As VP of Customer Engineering at Red Sift, he leads a global team helping security professionals create a safer internet.




