Are You a Covered Contractor? Post-Quantum Compliance for the Federal Supply Chain

If your company sells anything to the US federal government (software, hardware, or a service), a new clause is heading for your contracts, and most vendors are not ready for it. On June 22, 2026, Executive Order 14412 started a 180-day clock for a Federal Acquisition Regulation rule that will require covered contractors to meet NIST post-quantum FIPS standards by December 31, 2030. A second rule will require them to accept and report cryptographic weaknesses, including the use of non-FIPS-approved algorithms.

So the question every supplier to the government should be asking now is short and uncomfortable: are we a covered contractor, and if the rule lands the way the order describes, can we meet it on time?

What Is a Covered Contractor?

A “covered contractor” under Executive Order 14412 is a federal contractor that the forthcoming Federal Acquisition Regulation (FAR) rule will require to meet NIST post-quantum FIPS standards by a set deadline. In plain language, it is a company the rule will hold to the post-quantum FIPS deadline because of what it sells to the federal government.

The order directs the FAR Council to publish, within 180 days, a proposed rule requiring covered contractors to comply with NIST FIPS, including the post-quantum algorithms, by December 31, 2030. The precise boundary (which contract types, dollar thresholds, and product categories are in and which are out) will be defined by the rulemaking itself, and that is the part to watch.

Two things are worth saying clearly. First, the clock is real: the FAR Council has 180 days from June 22, 2026 to publish the proposed rule. Second, the rule is proposed, not final, so anyone telling you they know the exact scope today is guessing. The honest posture is to assume you may be in scope if you sell to the government directly or indirectly, and to prepare on that basis rather than wait for the final text. The FAR governs contracts with US federal agencies regardless of the vendor's nationality, so non-US contractors selling into US procurement should assume they may be in scope too.

If you sell to the federal government, post-quantum readiness is about to become a condition of the contract, not a nice-to-have.

Key Takeaways

  • The FAR Council has 180 days from June 22, 2026 to propose the contractor PQC rule.
  • The proposed contractor deadline is to comply with NIST post-quantum FIPS by December 31, 2030.
  • A second proposed rule, due within 270 days, adds vulnerability disclosure requirements covering cryptographic flaws and the use of non-FIPS-approved algorithms.
  • Scope likely reaches non-US contractors that sell into US public procurement.
  • Post-quantum capability becomes a condition of federal market access, which pulls the requirement down the supply chain.

The Two Proposed FAR Rules

The order points at two separate rules, and they do different jobs. One sets the cryptographic standard you have to meet. The other makes sure weaknesses get reported. They also run on separate clocks.

Proposed rule | What it would require | Timing
Rule 1: PQC FIPS compliance | Covered contractors comply with NIST FIPS, including the post-quantum standards FIPS 203, 204, and 205, by December 31, 2030. | Proposed rule due within 180 days of June 22, 2026
Rule 2: Vulnerability disclosure | Contractor vulnerability disclosure policies, aligned to NIST guidance, must accept reports of cryptographic weaknesses, including missing encryption and the use of non-FIPS-approved algorithms. | Proposed rule due within 270 days of June 22, 2026

Read together, the two rules do more than set a deadline. The first says your products and systems must use approved post-quantum cryptography. The second says you have to be able to surface where they do not, including places that still run non-FIPS-approved algorithms or no encryption at all. You cannot satisfy either one without first knowing, in detail, what cryptography your products actually contain.

Why This Reaches Beyond Direct Contractors

It is tempting to read this as a problem only for the primes, the companies that hold the contract directly. It is not, for two reasons.

The first is the market forcing function. To keep selling to the government, vendors have to ship products that use post-quantum cryptography, and once a product is built that way, it tends to become the default for commercial buyers too. The federal deadline quietly sets the bar for everyone.

The second is the mechanics of federal contracting. FAR requirements typically flow down through subcontracts, so suppliers and subcontractors inherit obligations from the prime above them. A small vendor with no direct federal contract can still find the requirement written into a purchase order from a customer who does.

The rule names direct contractors. Flow-down clauses, and the market, name almost everyone behind them.

How To Prepare Before the Rule Is Final

You do not need the final text to start the work that matters, because the first steps are the same under any reasonable version of the rule.

  • Confirm your exposure: Establish whether you sell, directly or indirectly, into federal contracts, and where flow-down clauses might already reach you.
  • Inventory your cryptography: Build a cryptographic bill of materials (CBOM): an inventory of the algorithms, key lengths, protocols, certificates, and the libraries that implement them across your products and systems. You cannot certify what you have not cataloged.
  • Flag the gaps: Identify quantum-vulnerable public-key algorithms (RSA, ECDSA, ECDH, and finite-field Diffie-Hellman, all broken by Shor's algorithm) and non-FIPS-approved algorithms, since those are exactly what the two proposed rules target.
  • Plan the migration: Map a path to the NIST post-quantum standards, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), prioritizing the products closest to federal use.
  • Stand up a disclosure policy: Put a vulnerability disclosure policy in place, aligned to NIST guidance, that can receive and act on reports of cryptographic weaknesses.

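The inventory and gap-flagging steps above are the ones you can automate first. The following is an added example, not code from the original article or from Encryption Consulting: it takes the cipher-suite records that Python's standard-library `ssl.SSLContext.get_ciphers()` returns for the local OpenSSL build, classifies each one as Shor-breakable (key exchange or authentication based on RSA, DH, or elliptic curves) and as FIPS-approved or not, and wraps the result in a document modelled on CycloneDX 1.6 "cryptographic-asset" components. The CycloneDX layout is simplified and the `pqc:` property names are this example's own convention; the non-FIPS symmetric-cipher and digest lists are illustrative and should be checked against the current CMVP approved-algorithm annexes before being used for a compliance claim. The sample records are constructed in the shape `get_ciphers()` produces.

```python
"""Added example: build a minimal CBOM from TLS cipher-suite records and
flag quantum-vulnerable and non-FIPS-approved components. Stdlib only.
The CBOM layout is modelled on CycloneDX 1.6 but simplified (assumption)."""
import json
import ssl
from typing import Dict, List

# Public-key primitives Shor's algorithm breaks, spelled the way
# ssl.SSLContext.get_ciphers() reports the "kea" and "auth" fields.
SHOR_BREAKABLE_KEX = {"kx-rsa", "kx-dhe", "kx-ecdhe", "kx-dh", "kx-ecdh"}
SHOR_BREAKABLE_AUTH = {"auth-rsa", "auth-ecdsa", "auth-dss"}
# Symmetric ciphers / digests with no NIST approval. Assumption: illustrative
# list; verify against the current CMVP annexes before relying on it.
NON_FIPS_SYMMETRIC = ("chacha20", "camellia", "aria", "seed", "rc4", "idea")
NON_FIPS_DIGESTS = {"md5"}


def assess(cipher: Dict) -> Dict:
    """Classify one cipher-suite record (shape of get_ciphers() output)."""
    kea = cipher.get("kea") or ""
    auth = cipher.get("auth") or ""
    sym = (cipher.get("symmetric") or "").lower()
    digest = (cipher.get("digest") or "").lower()
    findings: List[str] = []
    quantum_vulnerable = False
    non_fips = False

    if kea in SHOR_BREAKABLE_KEX:
        quantum_vulnerable = True
        findings.append(f"key exchange {kea} is Shor-breakable: migrate to ML-KEM (FIPS 203)")
    elif kea == "kx-any":  # TLS 1.3: the group, not the suite, decides the key exchange
        findings.append("TLS 1.3: key exchange set by negotiated group; "
                        "check that ML-KEM or hybrid groups are enabled")
    if auth in SHOR_BREAKABLE_AUTH:
        quantum_vulnerable = True
        findings.append(f"authentication {auth} is Shor-breakable: migrate to "
                        "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)")
    elif auth == "auth-any":  # TLS 1.3: signature algorithm comes from the certificate
        findings.append("TLS 1.3: signature algorithm comes from the certificate; "
                        "inventory the certificate separately")
    if sym.startswith(NON_FIPS_SYMMETRIC):
        non_fips = True
        findings.append(f"symmetric cipher {sym} is not FIPS-approved")
    if digest in NON_FIPS_DIGESTS:
        non_fips = True
        findings.append(f"digest {digest} is not FIPS-approved")

    return {"name": cipher.get("name"), "protocol": cipher.get("protocol"),
            "quantum_vulnerable": quantum_vulnerable, "non_fips": non_fips,
            "findings": findings}


def build_cbom(ciphers: List[Dict], source: str) -> Dict:
    """Wrap the assessments in a CycloneDX-1.6-style document (simplified)."""
    components = []
    for c in ciphers:
        a = assess(c)
        components.append({
            "type": "cryptographic-asset",
            "name": a["name"],
            "cryptoProperties": {"assetType": "protocol",
                                 "protocolProperties": {"type": "tls", "version": a["protocol"]}},
            # "pqc:" property names are this example's own convention (assumption).
            "properties": [
                {"name": "pqc:quantum-vulnerable", "value": str(a["quantum_vulnerable"]).lower()},
                {"name": "pqc:non-fips", "value": str(a["non_fips"]).lower()},
                *[{"name": "pqc:finding", "value": f} for f in a["findings"]],
            ],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "metadata": {"component": {"type": "device", "name": source}},
            "components": components}


def summarize(cbom: Dict) -> Dict[str, int]:
    """Counts the two proposed rules care about: total, Shor-breakable, non-FIPS."""
    comps = cbom["components"]

    def flagged(comp: Dict, key: str) -> bool:
        return any(p["name"] == key and p["value"] == "true" for p in comp["properties"])

    return {"components": len(comps),
            "quantum_vulnerable": sum(flagged(c, "pqc:quantum-vulnerable") for c in comps),
            "non_fips": sum(flagged(c, "pqc:non-fips") for c in comps)}


def inventory_local_openssl() -> Dict:
    """Real input: the suites the local OpenSSL build enables by default."""
    return build_cbom(ssl.create_default_context().get_ciphers(), "local-openssl-default-context")


# Constructed sample records in the shape get_ciphers() returns (fields trimmed).
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any",
     "auth": "auth-any", "symmetric": "aes-256-gcm", "digest": None},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-ecdhe",
     "auth": "auth-rsa", "symmetric": "aes-256-gcm", "digest": None},
    {"name": "ECDHE-ECDSA-CHACHA20-POLY1305", "protocol": "TLSv1.2", "kea": "kx-ecdhe",
     "auth": "auth-ecdsa", "symmetric": "chacha20-poly1305", "digest": None},
    {"name": "AES128-SHA", "protocol": "SSLv3", "kea": "kx-rsa",
     "auth": "auth-rsa", "symmetric": "aes-128-cbc", "digest": "sha1"},
    {"name": "CAMELLIA256-SHA", "protocol": "SSLv3", "kea": "kx-rsa",
     "auth": "auth-rsa", "symmetric": "camellia-256-cbc", "digest": "sha1"},
]

if __name__ == "__main__":
    print(json.dumps(build_cbom(SAMPLE_CIPHERS, "constructed-sample"), indent=2))
    print(summarize(inventory_local_openssl()))
```

On the constructed sample, four of the five suites are Shor-breakable and two use a non-FIPS cipher, which is the kind of count both proposed rules will ask you to defend. Note what the TLS 1.3 entry does not tell you: the suite name carries no key-exchange or signature algorithm, so a real CBOM also has to record the enabled groups and the certificate chain, which is where ML-KEM hybrids and ML-DSA certificates will actually show up.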
None of this is wasted effort if the scope narrows. A current inventory, a migration plan, and a disclosure policy are what every version of this rule will expect, and they are useful for the EU and commercial requirements arriving on the same timeline.

How Encryption Consulting Helps

Becoming a defensible covered contractor is a program, and Encryption Consulting runs it end to end. Compliance Advisory maps your federal obligations and gets you ready for the FAR and FIPS requirements, so you know what the rule will expect and where you stand against it. CBOM Secure inventories the cryptography inside your products and systems and flags the non-FIPS and quantum-vulnerable algorithms the rules target. PQC Advisory plans and sequences the migration to FIPS 203, 204, and 205, and our code signing and FIPS-validated HSM services back the parts of your stack that need validated cryptography.

The first step is the same one the rules will demand: know exactly what cryptography your products contain, then close the gaps on a schedule you control rather than one set by a deadline.