The Two Orders That Were Signed Together

On June 22, 2026, the United States issued two Executive Orders on the same day. The first is Ushering in the Next Frontier of Quantum Innovation, Executive Order 14411. Eleven sections, twenty-plus named agencies, dozens of milestones running from 60 days to September 30, 2028. Post-quantum cryptography appears in that order once, inside Section 7, as an item the Director of National Intelligence is to identify the national security implications of. Identification, not migration.

The second is Securing the Nation Against Advanced Cryptographic Attacks, Executive Order 14409. Seven sections, OMB and the National Cyber Director coordinating, the Federal Acquisition Regulatory Council writing the procurement clause, NIST writing the technical guidance, NSA reporting annually on National Security Systems. High Value Assets and high impact systems on PQC key establishment by December 31, 2030. The same systems on PQC digital signatures by December 31, 2031. A FAR rule binding covered contractors to NIST FIPS with PQC algorithms by December 31, 2030.

Six days earlier, ANSSI's chief of staff made the 2027 French certification cutoff public. Hybrid composition mandatory. Signatures as well as key establishment.

Three instruments. Three timelines. They do not align.

What the cryptographic order actually binds

EO 14409 is the procurement instrument. It names FIPS 140-3, FIPS 186-5, FIPS 199, FIPS 203, the Cryptographic Module Validation Program, the Federal Acquisition Regulation. It uses statutory cybersecurity authorities under 6 U.S.C. 1526(c) for OMB guidance and OMB Memorandum M-19-03 as the HVA definitional anchor.

Within 30 days each agency head must identify a PQC migration lead who reports to the agency chief information officer. Within 90 days OMB issues guidance directing each agency to inventory HVAs and high impact systems and submit a migration plan. Within 180 days NIST starts a PQC migration pilot on its own systems, finishing no later than December 31, 2027. Within 180 days the FAR Council publishes a proposed rule requiring covered contractors to comply by December 31, 2030, with NIST FIPS incorporating PQC algorithms. Within 270 days the FAR Council publishes a second proposed rule binding contractor vulnerability disclosure programs to incorporate cryptographic vulnerability reporting, including testing for lack of encryption and use of non-FIPS algorithms.

Within 270 days CISA, in coordination with NIST, releases public guidance describing the minimum elements for a cryptographic bill of materials. Automated assessment of the cryptographic assets utilized by a hardware or software element. The architectural primitive a sovereign procurement floor would need.

The order does not name NSM-10. It does not name CNSA 2.0. It does not name FIPS 204 or FIPS 205. It does not use the term hybrid composition. It does not name NIST PIV. The instrument is anchored on FIPS 203 for key establishment and FIPS 186-5 for digital signatures, with NIST guidance to populate the rest.

What the quantum innovation order does

EO 14411 is the capability instrument. It builds a national center at Energy to assess the performance of quantum computing systems within 180 days. It directs the Secretary of War to identify at least three next-generation quantum sensor projects to be fielded by September 30, 2028. It initiates a network of National QIST Workforce Development Institutes through the National Science Foundation. It reconstitutes the National Quantum Initiative Advisory Committee with a revised membership list within 210 days. It directs the Secretary of State to deliver 120-day alignment recommendations for a new international instrument called Pax Silica.

Inside Section 7 of EO 14411, the Director of National Intelligence, in coordination with the ESIX Subcommittee and consultation with State, Commerce, and Energy, is directed to identify the national security implications of the increasing scale and performance of commercial quantum computers, including the implications for the migration to post-quantum cryptography. Identification, not migration. No date.

The two instruments separate cleanly. One builds capability. The other binds the federal cryptographic posture. The cryptographic posture clause was not absent on June 22. It was placed in a parallel instrument signed the same day.

Where the timelines do not align

ANSSI's certification cutoff is 2027. The NIST PQC migration pilot finishes no later than December 31, 2027. The FAR Council proposed rule binds covered contractors to comply by December 31, 2030. HVA key establishment transitions by December 31, 2030. HVA digital signatures transition by December 31, 2031.

Three structural mismatches sit inside that arithmetic.

The French certifier moves first. A US contractor selling a security product into the French market in 2027 must clear an ANSSI process that already requires hybrid composition. A US contractor selling the same product to a US federal HVA in 2027 has no procurement clause binding cryptographic posture until the FAR Council rule lands and takes effect, with the contractor compliance date set at December 31, 2030. The 2027 to 2030 gap is the operative window. During that window, the same product line, the same vendor, the same cryptographic stack, will be evaluated against two different procurement floors. The French one is anchored on a certifier. The US one is anchored on a future contracting clause.

The order ties contractor compliance to NIST FIPS incorporating PQC algorithms, but the FIPS surface as of June 22 is FIPS 203 for module-lattice key establishment and FIPS 186-5 for the digital signature standard. The ML-KEM and ML-DSA primitives sit inside that surface. SLH-DSA and stateful-hash signatures live in adjacent standards the order does not call out by number. The architectural question of whether a covered contractor must offer signatures with multiple algorithm families, or whether a single FIPS-incorporated algorithm clears the FAR floor, is left to the proposed rule.

The cryptographic bill of materials is the architectural primitive that would reconcile all three timelines. Automated assessment of the cryptographic assets utilized by a hardware or software element makes the certifier's question and the procurement officer's question the same question. Without it, a vendor at the FAR floor can claim FIPS-incorporated compliance against a system the procurement officer cannot independently inspect. With it, the procurement floor and the certifier's floor share a common artifact. The order names a 270-day deadline for CISA to publish the minimum elements. Whether those minimum elements support automated reconciliation with ANSSI's hybrid-composition requirement, or stop at a vendor declaration, is the architectural decision the next nine months will produce.

What composes with the two-order architecture

ANSSI's June 16 announcement moves the certifier upstream of the artifact. The NCSC UK blog of June 17 moves the defender's frame to the substrate around the model. The AISI Engineering Playbook release of June 18 treats the evaluation substrate itself as a separate governance object. EO 14409 places the architectural primitive of a cryptographic bill of materials inside a federal procurement instrument with a 270-day clock. EO 14411 places a national quantum performance assessment center inside a capability instrument with a 180-day clock.

The pattern across four jurisdictions and seven instruments is the same. The artifact is no longer the unit of governance. The substrate around the artifact is. The certifier writes against the substrate. The procurement officer writes against the substrate. The defender designs against the substrate. The evaluator publishes against the substrate.

The procurement floor for the US cryptographic posture is now drafted, but not yet binding. The procurement floor for the French certified posture is now public, with hybrid composition mandatory, anchored on 2027. The gap between drafted and binding is where the next nine months of contracting happens.

What remains on the table

• When the FAR Council publishes the proposed rule within 180 days, will the rule index covered contractor compliance on a static FIPS list, or on the architectural primitive of an automated cryptographic bill of materials reconcilable with foreign certifier processes?
• When CISA releases the cryptographic bill of materials minimum elements within 270 days, will those elements describe an artifact a procurement officer can independently inspect, or a vendor declaration the procurement officer accepts on faith?
• Does Pax Silica become the international surface where the ANSSI 2027 cutoff and the US 2030 to 2031 procurement floor are reconciled into a common architectural standard, or does it stop at capability alignment and route around the procurement-floor question?
• When NIST finishes its PQC migration pilot no later than December 31, 2027, will the pilot output bind the FAR rule in a measurable way, or will the FAR rule remain anchored on FIPS-incorporated algorithms without reference to migration-pilot outcomes?
• Why did the same administration sign two orders on the same day separating capability from procurement, and what does that separation imply about the speed at which the architectural primitive can be assembled?

The policy instruments and the deployment tempo are not aligned.