The Quantum Threat Is No Longer HypotheticalOn June 22, 2026, the White House signed an Executive Order titled “Securing the Nation Against Advanced Cryptographic Attacks” — a landmark directive that signals the U.S. government’s recognition that the quantum era is not a distant future threat, but a present-day risk that demands immediate action.At the heart of this concern is a well-documented adversarial strategy known as “Harvest Now, Decrypt Later” (HNDL). Nation-state actors are actively exfiltrating and storing encrypted government and enterprise data today, with the intent to decrypt it once sufficiently powerful quantum computers become available. The data being harvested — communications, credentials, intellectual property, national security information — may remain sensitive for decades.The Executive Order sets a clear deadline: federal agencies must migrate their most sensitive systems to post-quantum encryption by December 31, 2030, and to post-quantum authentication by December 31, 2031. Federal contractors are bound by the same timeline. Every agency must designate a PQC Migration Lead within 30 days of the signing.The question for every government agency and enterprise security team is no longer whether to migrate — it is how, and how fast. The Legislative and Standards FrameworkThe EO sits within a broader legislative and technical framework that organizations must navigate:The Quantum Computing Cybersecurity Readiness ActThis Act requires federal agencies and contractors to inventory their cryptographic assets — to know what encryption is in use, where it lives, and which systems are most at risk from a quantum attack. You cannot migrate what you cannot see.The Quantum Encryption Readiness and Resilience ActThis Act focuses on operational resilience — ensuring that once an inventory is established, agencies can actively transition to quantum-resistant algorithms and verify that their network communications are being protected by those standards in practice.NIST FIPS 203 — The New StandardThe National Institute of Standards and Technology (NIST) has finalized FIPS 203, which standardizes ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) — a quantum-resistant algorithm for key exchange. This is the technical cornerstone of post-quantum cryptography compliance. Any solution claiming PQC compliance must support and enforce FIPS 203. Where Zscaler Stands: A Purpose-Built ResponseZscaler has been anticipating this moment. Long before the EO was signed, Zscaler invested in building a post-quantum cryptography strategy that maps directly to both the legislative requirements and the operational realities that agencies and enterprises face. Here is how Zscaler’s platform responds at every layer of the mandate. PQC Visibility — Know Your Cryptographic PostureAddresses: Quantum Computing Cybersecurity Readiness Act | EO Requirement: Cryptographic inventory & risk assessmentYou cannot protect what you cannot see. The first step to PQC compliance is understanding your current cryptographic footprint — identifying every system, application, and connection that relies on classical encryption that will eventually be vulnerable to quantum attacks.Zscaler launched its PQC Visibility Report — a dedicated dashboard within the Zscaler Zero Trust Exchange that gives security teams a real-time view of:Which users and devices are initiating quantum-safe (PQC-enabled) TLS connectionsWhich applications and destinations are already quantum-readyWhere classical cryptography (RSA, ECC) remains in use and is most exposedTraffic breakdowns across the enterprise to help prioritize migration effortsThis capability enables organizations to build a Cryptographic Bill of Materials (CryptoBOM) — a structured inventory of all encryption dependencies across the enterprise. In partnership with HCLTech, Zscaler now offers service-led crypto-discovery engagements to help enterprises create and operationalize their CryptoBOM as the foundation for a full PQC migration roadmap.”The mandate is clear: before you can migrate, you must inventory. Zscaler’s PQC Visibility gives organizations the starting point the law requires.” Inline PQC Inspection — Protect Traffic in MotionAddresses: Quantum Encryption Readiness and Resilience Act | EO Requirement: Encryption of sensitive systems using quantum-resistant algorithms | Standard: NIST FIPS 203 (ML-KEM)In February 2026, Zscaler became the first Security Service Edge (SSE) provider to launch full inline PQC traffic inspection — a breakthrough that redefines what enterprise and government security infrastructure can do.How It WorksThe Zscaler Zero Trust Exchange sits inline between users and the internet, acting as a “quantum-safe intermediary” or Crypto-Translator:Decrypt — Zscaler intercepts and decrypts inbound TLS traffic, including traffic protected by quantum-safe algorithms (ML-KEM / FIPS 203)Inspect — Full deep content inspection is applied: threat detection, data loss prevention, URL filtering, and policy enforcementRe-encrypt — Traffic is re-encrypted using the appropriate algorithm before being forwarded to its destinationThis architecture solves one of the thorniest challenges in enterprise PQC migration: legacy server compatibility. Many backend servers and SaaS applications are adhering to become quantum-ready. Zscaler’s Zero Trust Exchange bridges this gap — establishing a PQC-secured connection with the modern client while maintaining a compatible classical TLS connection with the legacy server. This means organizations can begin protecting their users from HNDL attacks today, without waiting for every server and application in their ecosystem to be upgraded. TLS 1.3 and Hybrid Key ExchangeZscaler’s inline inspection engine supports hybrid PQC key exchange — combining classical elliptic-curve cryptography (ECC) with ML-KEM (FIPS 203). This hybrid approach ensures:Full compatibility with major browsers (Chrome, Firefox, Safari)Quantum-safe protection for users who support itGraceful fallback for environments still in transition Quantum-Safe Traffic Forwarding — Securing Site-to-Site ConnectivityAddresses: EO requirement to protect sensitive government network infrastructureBeyond user-to-app traffic, organizations must also protect network-to-network communications. Zscaler’s implementation of Post-Quantum Pre-shared Keys (PPK) as defined in RFC 8784 secures IPsec tunnels against future quantum attacks on IKEv2 key exchanges. Strengthening Zscaler’s Federal ImpactEnsuring a quantum-resistant network fabric is essential for federal agencies and organizations with decentralized operations, including branch offices, data centers, and hybrid cloud environments. By focusing on the network itself rather than just the endpoints, Zscaler provides comprehensive protection across the entire infrastructure.Building on its established federal presence, Zscaler is dedicated to bringing its full suite of PQC capabilities to the public sector. We are working to ensure these solutions meet rigorous FedRAMP authorization standards, making them accessible to defense, civilian, and intelligence agencies well in advance of the 2030 deadline. This commitment provides federal PQC migration leads with a reliable, authorized, and future-proof roadmap to compliance. The Zero Trust Advantage for Quantum SecurityZscaler’s PQC functionalities are natively integrated into the Zero Trust Exchange—the world’s largest security cloud—rather than existing as bolt-on features. This deep architectural integration offers a distinct advantage for organizations managing the complex transition to post-quantum cryptography.This is particularly critical for federal agencies and enterprises with distributed branch offices, data centers, and hybrid cloud environments — ensuring that the network fabric itself is quantum-resistant, not just the endpoints.Zscaler has strong federal presence and is committed to ensure Zscaler comprehensive capabilities PQC solution to ensure these capabilities meet FedRAMP authorization requirements and are available to civilian, defense, and intelligence community customers well ahead of the 2030 mandate. This commitment ensures that federal agencies designating their PQC migration leads today will have a credible, authorized path to compliance through the Zscaler platform.Zscaler’s PQC features are built directly into the Zscaler Zero Trust Exchange—the globe’s most expansive security cloud—rather than being secondary add-ons. This native integration provides a significant architectural edge for organizations navigating the transition to post-quantum cryptography. Why the Zero Trust Architecture Is the Right FoundationZscaler’s PQC capabilities are not bolt-on additions — they are natively embedded in the Zscaler Zero Trust Exchange, the world’s largest security cloud. This architectural advantage matters enormously for PQC migration:Inline by design: Every user connection passes through Zscaler, meaning PQC inspection is applied universally without endpoint agents or network re-architecture.Scalable at cloud speed: The Zero Trust Exchange processes hundreds of billions of transactions per day, providing the throughput required to handle the computational overhead of PQC algorithms without degrading user experience.Policy-driven: Security teams can enforce quantum-safe TLS requirements selectively — by user, group, application, or data classification — enabling a phased and controlled migration.Unified visibility: A single pane of glass for both classical and quantum-safe traffic means no blind spots during the transition period. The Bottom Line: Act Now, Don’t Wait for 2030The 2030 deadline may feel distant, but the HNDL threat is happening right now. Data being transmitted over classical encryption today is being harvested by adversaries who are betting that quantum computers will be ready before organizations are. Every day of delay is data at risk.Zscaler’s message to government agencies and enterprises is straightforward: you don’t have to wait to get protected. The tools to see your cryptographic exposure, inspect quantum-safe traffic inline, and secure your network fabric are available today. The path to EO compliance runs through Zero Trust — and Zscaler is ready to walk that path with you.To learn more about Zscaler’s Post-Quantum Cryptography solutions, request a PQC Readiness Assessment, or explore the PQC Visibility Report in your Zscaler tenant, visit www.zscaler.com
[#item_full_content] The Quantum Threat Is No Longer HypotheticalOn June 22, 2026, the White House signed an Executive Order titled “Securing the Nation Against Advanced Cryptographic Attacks” — a landmark directive that signals the U.S. government’s recognition that the quantum era is not a distant future threat, but a present-day risk that demands immediate action.At the heart of this concern is a well-documented adversarial strategy known as “Harvest Now, Decrypt Later” (HNDL). Nation-state actors are actively exfiltrating and storing encrypted government and enterprise data today, with the intent to decrypt it once sufficiently powerful quantum computers become available. The data being harvested — communications, credentials, intellectual property, national security information — may remain sensitive for decades.The Executive Order sets a clear deadline: federal agencies must migrate their most sensitive systems to post-quantum encryption by December 31, 2030, and to post-quantum authentication by December 31, 2031. Federal contractors are bound by the same timeline. Every agency must designate a PQC Migration Lead within 30 days of the signing.The question for every government agency and enterprise security team is no longer whether to migrate — it is how, and how fast. The Legislative and Standards FrameworkThe EO sits within a broader legislative and technical framework that organizations must navigate:The Quantum Computing Cybersecurity Readiness ActThis Act requires federal agencies and contractors to inventory their cryptographic assets — to know what encryption is in use, where it lives, and which systems are most at risk from a quantum attack. You cannot migrate what you cannot see.The Quantum Encryption Readiness and Resilience ActThis Act focuses on operational resilience — ensuring that once an inventory is established, agencies can actively transition to quantum-resistant algorithms and verify that their network communications are being protected by those standards in practice.NIST FIPS 203 — The New StandardThe National Institute of Standards and Technology (NIST) has finalized FIPS 203, which standardizes ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) — a quantum-resistant algorithm for key exchange. This is the technical cornerstone of post-quantum cryptography compliance. Any solution claiming PQC compliance must support and enforce FIPS 203. Where Zscaler Stands: A Purpose-Built ResponseZscaler has been anticipating this moment. Long before the EO was signed, Zscaler invested in building a post-quantum cryptography strategy that maps directly to both the legislative requirements and the operational realities that agencies and enterprises face. Here is how Zscaler’s platform responds at every layer of the mandate. PQC Visibility — Know Your Cryptographic PostureAddresses: Quantum Computing Cybersecurity Readiness Act | EO Requirement: Cryptographic inventory & risk assessmentYou cannot protect what you cannot see. The first step to PQC compliance is understanding your current cryptographic footprint — identifying every system, application, and connection that relies on classical encryption that will eventually be vulnerable to quantum attacks.Zscaler launched its PQC Visibility Report — a dedicated dashboard within the Zscaler Zero Trust Exchange that gives security teams a real-time view of:Which users and devices are initiating quantum-safe (PQC-enabled) TLS connectionsWhich applications and destinations are already quantum-readyWhere classical cryptography (RSA, ECC) remains in use and is most exposedTraffic breakdowns across the enterprise to help prioritize migration effortsThis capability enables organizations to build a Cryptographic Bill of Materials (CryptoBOM) — a structured inventory of all encryption dependencies across the enterprise. In partnership with HCLTech, Zscaler now offers service-led crypto-discovery engagements to help enterprises create and operationalize their CryptoBOM as the foundation for a full PQC migration roadmap.”The mandate is clear: before you can migrate, you must inventory. Zscaler’s PQC Visibility gives organizations the starting point the law requires.” Inline PQC Inspection — Protect Traffic in MotionAddresses: Quantum Encryption Readiness and Resilience Act | EO Requirement: Encryption of sensitive systems using quantum-resistant algorithms | Standard: NIST FIPS 203 (ML-KEM)In February 2026, Zscaler became the first Security Service Edge (SSE) provider to launch full inline PQC traffic inspection — a breakthrough that redefines what enterprise and government security infrastructure can do.How It WorksThe Zscaler Zero Trust Exchange sits inline between users and the internet, acting as a “quantum-safe intermediary” or Crypto-Translator:Decrypt — Zscaler intercepts and decrypts inbound TLS traffic, including traffic protected by quantum-safe algorithms (ML-KEM / FIPS 203)Inspect — Full deep content inspection is applied: threat detection, data loss prevention, URL filtering, and policy enforcementRe-encrypt — Traffic is re-encrypted using the appropriate algorithm before being forwarded to its destinationThis architecture solves one of the thorniest challenges in enterprise PQC migration: legacy server compatibility. Many backend servers and SaaS applications are adhering to become quantum-ready. Zscaler’s Zero Trust Exchange bridges this gap — establishing a PQC-secured connection with the modern client while maintaining a compatible classical TLS connection with the legacy server. This means organizations can begin protecting their users from HNDL attacks today, without waiting for every server and application in their ecosystem to be upgraded. TLS 1.3 and Hybrid Key ExchangeZscaler’s inline inspection engine supports hybrid PQC key exchange — combining classical elliptic-curve cryptography (ECC) with ML-KEM (FIPS 203). This hybrid approach ensures:Full compatibility with major browsers (Chrome, Firefox, Safari)Quantum-safe protection for users who support itGraceful fallback for environments still in transition Quantum-Safe Traffic Forwarding — Securing Site-to-Site ConnectivityAddresses: EO requirement to protect sensitive government network infrastructureBeyond user-to-app traffic, organizations must also protect network-to-network communications. Zscaler’s implementation of Post-Quantum Pre-shared Keys (PPK) as defined in RFC 8784 secures IPsec tunnels against future quantum attacks on IKEv2 key exchanges. Strengthening Zscaler’s Federal ImpactEnsuring a quantum-resistant network fabric is essential for federal agencies and organizations with decentralized operations, including branch offices, data centers, and hybrid cloud environments. By focusing on the network itself rather than just the endpoints, Zscaler provides comprehensive protection across the entire infrastructure.Building on its established federal presence, Zscaler is dedicated to bringing its full suite of PQC capabilities to the public sector. We are working to ensure these solutions meet rigorous FedRAMP authorization standards, making them accessible to defense, civilian, and intelligence agencies well in advance of the 2030 deadline. This commitment provides federal PQC migration leads with a reliable, authorized, and future-proof roadmap to compliance. The Zero Trust Advantage for Quantum SecurityZscaler’s PQC functionalities are natively integrated into the Zero Trust Exchange—the world’s largest security cloud—rather than existing as bolt-on features. This deep architectural integration offers a distinct advantage for organizations managing the complex transition to post-quantum cryptography.This is particularly critical for federal agencies and enterprises with distributed branch offices, data centers, and hybrid cloud environments — ensuring that the network fabric itself is quantum-resistant, not just the endpoints.Zscaler has strong federal presence and is committed to ensure Zscaler comprehensive capabilities PQC solution to ensure these capabilities meet FedRAMP authorization requirements and are available to civilian, defense, and intelligence community customers well ahead of the 2030 mandate. This commitment ensures that federal agencies designating their PQC migration leads today will have a credible, authorized path to compliance through the Zscaler platform.Zscaler’s PQC features are built directly into the Zscaler Zero Trust Exchange—the globe’s most expansive security cloud—rather than being secondary add-ons. This native integration provides a significant architectural edge for organizations navigating the transition to post-quantum cryptography. Why the Zero Trust Architecture Is the Right FoundationZscaler’s PQC capabilities are not bolt-on additions — they are natively embedded in the Zscaler Zero Trust Exchange, the world’s largest security cloud. This architectural advantage matters enormously for PQC migration:Inline by design: Every user connection passes through Zscaler, meaning PQC inspection is applied universally without endpoint agents or network re-architecture.Scalable at cloud speed: The Zero Trust Exchange processes hundreds of billions of transactions per day, providing the throughput required to handle the computational overhead of PQC algorithms without degrading user experience.Policy-driven: Security teams can enforce quantum-safe TLS requirements selectively — by user, group, application, or data classification — enabling a phased and controlled migration.Unified visibility: A single pane of glass for both classical and quantum-safe traffic means no blind spots during the transition period. The Bottom Line: Act Now, Don’t Wait for 2030The 2030 deadline may feel distant, but the HNDL threat is happening right now. Data being transmitted over classical encryption today is being harvested by adversaries who are betting that quantum computers will be ready before organizations are. Every day of delay is data at risk.Zscaler’s message to government agencies and enterprises is straightforward: you don’t have to wait to get protected. The tools to see your cryptographic exposure, inspect quantum-safe traffic inline, and secure your network fabric are available today. The path to EO compliance runs through Zero Trust — and Zscaler is ready to walk that path with you.To learn more about Zscaler’s Post-Quantum Cryptography solutions, request a PQC Readiness Assessment, or explore the PQC Visibility Report in your Zscaler tenant, visit www.zscaler.com
