Producing verifiable evidence of cryptographic posture before the standard that will grade it exists.
A practical framework for federal contractors, security teams, and compliance leaders. 13 pages. Every regulatory claim cited to the Federal Register.
Most published summaries of EO 14412 get the near-term deadlines wrong. These are drawn from the text as published at 91 FR 38483.
§4(a). This is a naming requirement — no inventory is due at 30 days, whatever a vendor selling inventory tooling may tell you.
OMB M-26-15, issued two days after the order. Plans are due around late October 2026 — and they have to describe a supply chain.
§5(d). CISA and NIST publish the minimum CBOM elements. Until then, nothing on earth can be certified against them.
The full timeline:
| Deadline | Section | Requirement |
|---|---|---|
| 30 days | §4(a) | Each agency head names a PQC migration lead and reports it to OMB and the National Cyber Director. |
| 90 days | §4(b) | OMB issues guidance requiring agencies to review their HVA inventory and submit a transition plan. |
| 180 days | §5(c) | The FAR Council publishes a proposed rule requiring covered contractors to comply with PQC FIPS by 31 Dec 2030. |
| 270 days | §5(d) | CISA and NIST publish the minimum elements for a Cryptographic Bill of Materials. |
| 31 Dec 2030 | §4(b)(ii) | HVAs and high-impact systems use PQC for key establishment. |
| 31 Dec 2031 | §4(b)(iii) | HVAs and high-impact systems use PQC for digital signatures. |
Section 6 of the paper is a full page of it. Here is the short version, because you should know before you read the rest.
The paper also discloses two defects in our own platform, including one in our signing path. If that seems like a strange thing for a vendor to publish, that is rather the point.
Thirteen pages. No email, no form, no account.
The full timeline, the NIST IR 8547 transition table, how the CycloneDX 1.7 Cryptography Registry makes EO 14412 deadlines mechanizable — and a full page on what this tool does not do.
Upload a CycloneDX or SPDX manifest. Get every cryptographic asset graded against NIST guidance and mapped to the EO 14412 deadline that actually applies to it. No account. No limit.
Run a free check