
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Sat, 04 Jul 2026 20:37:01 GMT</lastBuildDate>
        <item>
            <title><![CDATA[The White House's post-quantum executive order is an important milestone. It’s time to get to work]]></title>
            <link>https://blog.cloudflare.com/post-quantum-eo-2026/</link>
            <pubDate>Tue, 23 Jun 2026 18:25:18 GMT</pubDate>
            <description><![CDATA[ The new executive order sets a 2030 migration deadline and establishes a powerful foundation for post-quantum resilience. We look at what it gets right, where it can go further, and our migration playbook for government and industry. ]]></description>
            <content:encoded><![CDATA[ <p>On June 22, 2026, President Trump signed <a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Executive Order 14412</a>, "Securing the Nation Against Advanced Cryptographic Attacks." The order sets a December 31, 2030, deadline for federal agencies to transition their most sensitive systems to <i>post-quantum encryption</i>, and a December 31, 2031, deadline for <i>post-quantum authentication</i>. The EO also directs federal contractors to comply with post-quantum Federal Information Processing Standards (<a href="https://csrc.nist.gov/projects/post-quantum-cryptography">FIPS</a>) by the end of 2030.</p><p>We welcome this executive order. The U.S. government has a long track record of using federal leadership and procurement to drive adoption of new technologies across the broader industry. We've seen this work with <a href="https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/transition-to-ipv6.pdf">IPv6</a>, with routing security and the Resource Public Key Infrastructure (<a href="https://csrc.nist.gov/pubs/sp/800/189/final">RPKI</a>), and with <a href="https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf">DNSSEC</a>, and we’re glad to see this tradition continue with post-quantum cryptography.</p><p>The EO is especially important at this moment because the timeline for <i>Q-Day</i>, the day that quantum computers can <a href="https://blog.cloudflare.com/the-quantum-menace/#shors-algorithm">break</a> the public-key cryptography used across the Internet, has been accelerated. 
In April 2026, Cloudflare <a href="https://blog.cloudflare.com/post-quantum-roadmap/">moved our own target for full post-quantum security to 2029</a>, following research breakthroughs from <a href="https://research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly/">Google</a> and <a href="https://arxiv.org/abs/2603.28627">Oratomic</a>. This EO updates guidance from 2024, when the National Institute of Standards and Technology (NIST) <a href="https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf"><u>stated</u></a> that the classical public key cryptography used across the Internet (namely RSA and Elliptic Curve Cryptography, which can be broken once powerful quantum computers become available) should be deprecated by 2030 and disallowed by 2035. </p><p>The Internet’s transition to post-quantum encryption is well underway, while the transition to post-quantum authentication has only just begun. Today, <a href="https://radar.cloudflare.com/post-quantum">over two-thirds</a> of browser traffic to Cloudflare's network is protected with post-quantum encryption, and <a href="https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-cloudflare-products/">most of our products</a> support post-quantum key agreement. Our <a href="https://blog.cloudflare.com/post-quantum-sase/">SASE platform, Cloudflare One</a>, provides post-quantum encryption across all major on-ramps and off-ramps, including <a href="https://blog.cloudflare.com/post-quantum-zero-trust/">TLS</a>, <a href="https://blog.cloudflare.com/post-quantum-warp/">MASQUE</a>, and <a href="https://blog.cloudflare.com/post-quantum-ipsec/">IPsec</a>. We've recently started <a href="https://blog.cloudflare.com/bootstrap-mtc/"><u>deploying</u></a> post-quantum authentication and aim to be fully post-quantum secure by 2029. The EO is an excellent foundation and builds on work from the previous two Administrations. 
We've been doing the work the EO is asking federal agencies to do <a href="https://blog.cloudflare.com/the-tls-post-quantum-experiment/"><u>since 2019</u></a>, we have some thoughts on what the order gets right, we see opportunities for the Office of Management and Budget (OMB) to strengthen and facilitate cost-effective agency migration, and we provide a roadmap for how organizations and agencies can advance their transition most effectively.</p>
    <div>
      <h2>The EO’s requirements for federal systems</h2>
    </div>
    <p>The bulk of the EO's binding requirements are aimed at two categories of federal systems: High Value Assets (HVAs) and high impact systems. HVAs are federal information or systems <a href="https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf">designated by OMB</a> as the government's crown jewels: systems whose compromise would significantly affect national security, foreign relations, or public confidence. These include databases that hold millions of federal employee records, systems that process classified intelligence, or platforms that manage federal financial transactions. Meanwhile, high impact systems are those where confidentiality, integrity, or availability is rated "high" under <a href="https://csrc.nist.gov/pubs/fips/199/final">FIPS 199</a>, meaning a breach could cause severe harm including loss of life, major financial damage, or significant degradation of an agency's ability to carry out its mission.</p><p>The EO has the power to bind federal agencies, but not other organizations (i.e., critical infrastructure, state, local, tribal and territorial governments, academia, civil society). 
That’s why the EO only gives these deadlines to federal agencies:</p><table><tr><td><p><b>Date</b></p></td><td><p><b>Requirement</b></p></td></tr><tr><td><p>July 2026</p></td><td><p>Each federal agency head identifies a PQC migration lead and provides their name and contact details to OMB and the National Cyber Director.</p></td></tr><tr><td><p>September 2026</p></td><td><p>OMB issues guidance requiring each agency to: (1) review their inventory of HVAs and high impact systems; (2) plan for PQC migration; and (3) submit that plan to OMB and the National Cyber Director.</p></td></tr><tr><td><p>December 2030</p></td><td><p>All HVAs and high impact systems must be transitioned to PQC for key establishment.</p></td></tr><tr><td><p>December 2031</p></td><td><p>All HVAs and high impact systems must be transitioned to PQC for digital signatures.</p></td></tr></table><p>National Security Systems are explicitly excluded from these deadlines. They are on a separate, classified track managed by the NSA with deadlines between 2030 and 2033 <a href="https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF"><u>already set in 2022</u></a>.</p>
    <div>
      <h2>Two migrations: encryption and authentication. Both should begin now.</h2>
    </div>
    <p>The EO splits the PQC migration into two phases: post-quantum key establishment (encryption) by 2030, and post-quantum digital signatures and certificates (authentication) by 2031. This accurately reflects the availability of post-quantum encryption across the Internet today. Our own <a href="https://blog.cloudflare.com/post-quantum-roadmap/"><u>deadline</u></a> for full post-quantum readiness (including authentication) is 2029, but we are amongst the earliest adopters in the industry. </p><p>We are also happy to see the EO focusing on <a href="https://csrc.nist.gov/projects/post-quantum-cryptography">NIST-standardized post-quantum cryptographic algorithms</a> and not Quantum Key Distribution (QKD), since QKD <a href="https://blog.cloudflare.com/you-dont-need-quantum-hardware/">does not operate at Internet scale</a> due to its need for specialized hardware and dedicated physical links between sender and receiver.  </p><p>Now let’s have a deeper look at the two migrations called for and required in the EO: post-quantum encryption and post-quantum authentication.</p><p><b>Post-quantum encryption</b> is needed today to stop <a href="https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later"><u>harvest-now-decrypt-later attacks</u></a>, where an adversary collects encrypted traffic today and decrypts it later once quantum computers are powerful enough. Post-quantum encryption is especially valuable for organizations handling data that will still have value to adversaries 3-10 years from now, like government agencies, banks, healthcare organizations, defense contractors, and telecom providers.</p><p><b>Post-quantum authentication </b>stops an adversary that has a quantum computer from forging certificates to impersonate servers, generating malicious code signatures, or gaining unauthorized access to systems.  
Post-quantum authentication is needed only after Q-Day risk materializes, because it stops attacks that are possible only once a cryptographically-relevant quantum computer (CRQC) exists. </p><p>It’s important to put the migration timelines in context with advancements in quantum computing. In addition to yesterday’s EO on post-quantum security, President Trump also signed an <a href="https://www.whitehouse.gov/presidential-actions/2026/06/ushering-in-the-next-frontier-of-quantum-innovation/"><u>EO</u></a> to accelerate deployment and commercialization of quantum computing, sensing, and networking. The fact that the EO sets a 2031 deadline for post-quantum authentication tells us something important: the U.S. government believes there is a non-negligible chance that a CRQC could be operational around that time.  </p>
    <div>
      <h4>Road to Quantum Safety</h4>
    </div>
    
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4ZPdZZj0jIz2ZFsgOdTLnW/b3633cb8438622a4af0bba1ad63c799d/Screenshot_2026-06-29_at_12.23.04.png" />
          </figure><p>What about the state of these two technologies? The migration to post-quantum authentication is a bigger challenge than post-quantum encryption for a few reasons, including:</p><ul><li><p>Post-quantum <a href="https://csrc.nist.gov/pubs/fips/204/final">ML-DSA</a> digital signatures are larger than classic digital signatures, which could have an impact on performance of some systems, for instance in short-lived TLS connections. That’s why we are working with Google Chrome on <a href="https://blog.cloudflare.com/bootstrap-mtc/">Merkle Tree Certificates</a> to solve the performance problem for TLS. </p></li><li><p>The dependency chain for post-quantum authentication is longer, requiring coordinated upgrades across clients, servers, <a href="https://letsencrypt.org/2026/06/03/pq-certs">certificate authorities</a>, <a href="https://blog.cloudflare.com/azul-certificate-transparency-log/">certificate transparency logs</a>, root stores, and browsers. </p></li><li><p>There is only limited ecosystem deployment of post-quantum authentication so far, as compared to the <a href="https://radar.cloudflare.com/post-quantum"><u>much broader deployment</u></a> of post-quantum encryption.</p></li></ul><p>It is interesting that the EO sets a one-year gap between the encryption and authentication deadlines. One extra year of calendar time is tight, so this work cannot proceed sequentially. The ecosystem needs to start working on both of these targets concurrently, or we will miss this 2031 deadline. </p><p>Cryptographic deployment across the Internet cannot happen without standards developed by the <a href="https://www.ietf.org/"><u>Internet Engineering Task Force</u></a> (IETF). They are working to transition their protocols to post-quantum cryptography.  The TLS community is ahead, with the <a href="https://datatracker.ietf.org/group/plants/about/">IETF PLANTS working group</a> making good progress on post-quantum certificates for TLS. 
There is much work to do here, and we look forward to supporting the IETF in its efforts. </p>
    <div>
      <h2>Supply chain pressure that helps everyone</h2>
    </div>
    <p>The EO includes requirements for federal contractors, which may turn out to be the most impactful part of the EO. </p><p>Namely, the <a href="https://www.acquisition.gov/far-council-members">FAR Council</a> must publish proposed rules requiring "covered contractors" to comply with NIST FIPS incorporating PQC algorithms by December 31, 2030 (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 6(c)</a>). The FAR Council must also publish proposed rules requiring contractors to implement vulnerability disclosure programs that cover cryptographic vulnerabilities (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 6(d)</a>). These proposed rules still need to go through notice-and-comment rulemaking, but the EO's December 31, 2030, target remains important. This deadline is one year earlier than the date by which federal agencies are required to complete their post-quantum authentication migration, so that federal contractors will be ready before agencies hit their own deadlines.</p><p>Federal agencies can only migrate to PQC if the products they buy support PQC. To put this into practice, CISA <a href="https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards"><u>released</u></a> its <i>Product Categories for Technologies That Use Post-Quantum Cryptography Standards</i>, drawing a clear line between technologies where PQC is already "widely available" versus those still "transitioning." The "widely available" list includes cloud platforms (IaaS, PaaS), web browsers and servers, chat and messaging software, and endpoint security products like full disk encryption. For these categories, CISA's guidance is clear: organizations should procure only PQC-capable products. 
The "transitioning" list, where PQC is not yet widely available, includes networking hardware (routers, firewalls, switches), identity and access management systems (HSMs, certificate authorities, identity providers), email servers and clients, and database systems.</p><p>By telling contractors their products must be PQC-compliant by 2030, and directing agencies to immediately favor PQC-capable vendors in mature markets, the federal framework forces the vendor ecosystem to ship PQC-capable products on a fixed timeline. Products that vendors build to federal requirements will end up used by hospitals, banks, universities, and small businesses, which makes PQC support more broadly available. Cloudflare is among the many vendors subject to these requirements, and because networking software and cloud services are already designated by CISA as widely available PQC categories, we've already shipped post-quantum encryption across <a href="https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-cloudflare-products/">most of our products</a> at <a href="https://blog.cloudflare.com/post-quantum-crypto-should-be-free/">no extra cost</a>. </p>
    <div>
      <h2>Critical infrastructure and PQ for everyone</h2>
    </div>
    <p>The EO also speaks to <a href="https://www.law.cornell.edu/uscode/text/42/5195c">critical infrastructure</a>: energy, financial services, water, transportation, telecommunications, healthcare, and other systems whose failure would have a serious or significant impact on the country. While the EO has no hard migration deadline for critical infrastructure owners and operators, the EO directs certain federal agencies to "assist" critical infrastructure owners and operators with their PQC migration plans (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 5(a)</a>).</p><p>While the EO focuses mostly on federal agencies and critical infrastructure in the U.S., post-quantum cryptography is important to every Internet-connected individual and organization. Harvest-now-decrypt-later attacks are a risk today. And after Q-Day, the risk of unauthorized access by an adversary armed with a quantum computer will impact any organization, big or small. When we <a href="https://blog.cloudflare.com/introducing-universal-ssl/">launched free universal SSL in 2014</a>, our CEO Matthew Prince wrote:</p><blockquote><p>Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web.</p></blockquote><p>We feel the same way about post-quantum cryptography. That’s why every post-quantum upgrade we build is available to all customers, on every plan, at no additional cost.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/399EKuhN38jLx1pAGEgx3z/1f93784f4c98df9a108b5c8d1803218b/BLOG-3360_3.png" />
          </figure>
    <div>
      <h2>Opportunities for OMB’s implementation guidance</h2>
    </div>
    <p>The EO sets the direction, and now OMB has 90 days to provide important clarifications and operational guidance to achieve the most effective PQC migration across federal agencies (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 4(b)</a>). Based on what we've learned from our own PQC migration, here are a few elements we suggest that guidance should include:</p><p><b>Define what it means to “transition.”</b> The EO requires agencies to "transition" their systems to PQC, but it never defines what "transition" means. Does it mean the system supports PQC algorithms? That it prefers them? Or that classical cryptography has been disabled entirely?</p><p>These are very different security postures. A system that supports ML-KEM but still allows a classical-only TLS handshake is vulnerable to <a href="https://en.wikipedia.org/wiki/Downgrade_attack">downgrade attacks</a>. An adversary capable of intercepting traffic could force the connection back to classical key exchange. The system would have "transitioned" to PQC in name, but still be vulnerable to the same quantum attacks the order is trying to prevent.</p><p>History is instructive. When SSLv3 was deprecated after the <a href="https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/"><u>POODLE attack</u></a> in 2014, servers kept SSLv3 enabled for backwards compatibility, allowing attackers to force connections to downgrade and then exploit SSLv3's weaknesses. It took years for the ecosystem to actually turn SSLv3 off. To avoid repeating this pattern, we need a clear definition of “done” that includes disabling quantum-vulnerable cryptography to prevent downgrades.</p><p><b>Crypto agility</b>: <a href="https://en.wikipedia.org/wiki/Cryptographic_agility"><u>Crypto agility</u></a> is the ability to swap cryptographic algorithms without re-architecting your systems. 
The EO mandates migrating to specific NIST crypto standards, but says nothing about building systems that can swap cryptographic algorithms if these algorithms need to change in the future. Crypto agility doesn't mean supporting every algorithm at once. It means building systems so that when the community converges on a better algorithm in the future, the upgrade is a configuration change, not a re-architecture. The OMB should include this in its guidance.</p><p><b>CBOM or quantum impact inventory?</b> The EO directs CISA and NIST to publish guidance on the minimum elements for a cryptographic bill of materials (CBOM) within 270 days (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 5(d)</a>). A CBOM is an inventory of the cryptographic algorithms, protocols, and implementations used in a given hardware or software product, similar to a <a href="https://www.cisa.gov/sbom">software bill of materials (SBOM)</a>.</p><p>In theory, CBOMs are a good idea. In practice, we'd caution against treating exhaustive cryptographic inventories as a prerequisite for action. A detailed CBOM of every algorithm in every library in every product takes a long time to produce: it can consume an entire procurement cycle of discovery tooling and consulting, and it may already be stale by the time the inventory is complete. A CBOM also doesn’t list systems that should be using cryptography but are not. And a CBOM lists keys without an <a href="https://arxiv.org/abs/2603.22442"><u>understanding of their purpose</u></a>, making them less useful for organizations trying to understand the risk associated with a quantum-vulnerable key. </p><p>We think that a quantum impact inventory is a more productive framing. What would be the impact if the system or its data is compromised? How likely is that to happen? 
What measures can be taken to mitigate the risk, whether a drop-in replacement, a software update, or a compensating control like tunneling traffic over a bulk post-quantum connection or isolating it from the Internet? How feasible is each option and what dependency chain does it create? Answering these questions tells you where to act first. You can fill in the details of a full CBOM over time if that makes sense for your organization, but you should start by discovering your most exposed and impactful systems.</p><p><b>Making post-quantum cryptography affordable to all.</b> True national resilience fails if post-quantum cryptography is treated as a gated luxury rather than a universal baseline. OMB policy must resist vendor lock-in or toll booths that leave underfunded critical infrastructure behind or increase technical debt at federal agencies. </p>
    <div>
      <h2>What to do now: don't wait for 2030</h2>
    </div>
    <p>You do not have to wait for 2030 or an exhaustive cryptographic inventory to start your migration. History has shown that updating cryptography is <a href="https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/"><u>hard</u></a> and can take a <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf"><u>long</u></a> <a href="https://blog.cloudflare.com/radius-udp-vulnerable-md5-attack/"><u>time</u></a>; other organizations should start sorting out their migrations as well. So as we wait for OMB guidance for federal agencies, here’s what we recommend for all organizations:</p><p><b>Protect your Internet traffic now.</b> Start with traffic that crosses the public Internet, because that is the easiest for adversaries to harvest now and the most immediately at risk. If your web traffic flows through Cloudflare, your connections are largely protected with post-quantum encryption. If your enterprise network uses <a href="https://blog.cloudflare.com/post-quantum-sase/">Cloudflare One</a>, your private network traffic is also protected. If your provider doesn't support post-quantum encryption, switch to one that does. Even if the individual applications running inside your network haven't been inventoried or upgraded yet, start <a href="https://blog.cloudflare.com/post-quantum-warp/">tunneling your traffic</a> through post-quantum encrypted infrastructure to protect it in bulk.</p><p><b>Update procurement.</b> Make "post-quantum encryption by default, at no additional cost, with a clear roadmap for post-quantum authentication and crypto agility" a requirement in every technology procurement. 
If your vendor charges extra for post-quantum security or doesn't have a roadmap or plan, ask why or find another vendor.</p><p><b>Quantum impact inventory.</b> For traffic that stays inside your private network perimeter and is not exposed to the public Internet, the harvest-now-decrypt-later risk is lower because an adversary would need to be on your network to capture it. But you still need to know what cryptography your internal systems use, so you can plan your migration. Use a <i>quantum impact inventory</i> as a tool to prioritize your efforts, for example focusing on systems or connections that handle sensitive data or are exposed on the public Internet. </p><p><b>Plan for authentication now.</b> The 2031 deadline for post-quantum authentication will come faster than you think. Start identifying your long-lived keys, root certificates, and code-signing infrastructure. These are the highest-priority targets for a quantum attacker, and they have the longest dependency chains to upgrade. Now is a great time to update your software libraries and automate certificate provisioning even if post-quantum certificates are not yet available in your ecosystem. And make sure your vendors are planning to be ready for the looming post-quantum authentication deadline.</p>
    <div>
      <h2>Aligning policy and international standards</h2>
    </div>
    <p>At the same time, work should also start now on aligning global government policy with international standards. We were glad to see that Section 5(b) directs the State Department to engage foreign governments and industry groups to encourage adoption of NIST-standardized PQC algorithms. </p><p>Here’s why this matters. Cryptography migrations cannot be run in a vacuum, with each country operating within its own borders. A TLS connection between a U.S. person and a server abroad only works if both ends negotiate the same cryptography. NIST has been running open international cryptographic competitions for decades. The <a href="https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines/archived-crypto-projects/aes-development">AES competition</a> (1997-2001) produced the encryption standard used across the Internet today, selecting a cipher designed by Belgian cryptographers. The <a href="https://csrc.nist.gov/projects/hash-functions/sha-3-project">SHA-3 competition</a> (2007-2012) produced the latest hash standard, selecting an algorithm designed by a Belgian-Italian team. The <a href="https://csrc.nist.gov/projects/post-quantum-cryptography">PQC competition</a> (2016-2024) followed the same open model: anyone could submit, anyone could analyze, and the winning algorithms were designed by international teams. ML-KEM, the key agreement standard now being deployed across the Internet, was created largely by European cryptographers. These are open, internationally vetted algorithms. NIST organized the competitions, but the results belong to the global cryptographic community. </p><p>The risk ahead is fragmentation. If different jurisdictions mandate different algorithms, the result is cipher bloat and increased attack surface: more code to write, test, and audit, more surface for <a href="https://en.wikipedia.org/wiki/Downgrade_attack">downgrade attacks</a>, and slower deployment for everyone. 
We've <a href="https://blog.cloudflare.com/post-quantum-sase/#but-what-about-interoperability">seen this happen</a> firsthand in IPsec, where the lack of an interoperable standard led vendors to ship proprietary PQ key agreement algorithms that couldn’t interoperate, delaying the migration by years. The TLS community went the opposite way, converging on a single hybrid key agreement (<a href="https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/">X25519MLKEM768</a>), and deployment followed quickly.</p><p>We are big fans of <a href="https://www.nist.gov/"><u>NIST</u></a>, and especially its leadership in vetting standards globally and standardizing cryptography worldwide. We encourage the Trump Administration to work with Congress to ensure that NIST has appropriate resources, staffing, and tooling to meet current and emerging deliverables in this EO and others, like America's <a href="https://www.whitehouse.gov/wp-content/uploads/2025/07/Americas-AI-Action-Plan.pdf"><u>AI Action Plan</u></a>.</p><p>We'd like to see State Department-led engagement drive real alignment: adoption of the same NIST algorithms across allied nations, alignment on timelines, and mutual recognition of cryptographic algorithms and modules. The Internet is one network, and its cryptography should be one standard.</p>
    <div>
      <h2>Speeding up CMVP</h2>
    </div>
    <p>As a final note, the EO directs NIST to revise the processes used by the <a href="https://csrc.nist.gov/Projects/cryptographic-module-validation-program">Cryptographic Module Validation Program (CMVP)</a> to accelerate validations of cryptographic modules (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 6(b)</a>). Having bumped up against the CMVP program for years, we are extremely happy to see this in the order.</p><p>CMVP exists for a good reason. Federal agencies and their contractors need a way to verify that the cryptography inside a product actually does what it claims: that AES is implemented correctly or that random number generators have enough entropy. CMVP has been tuned for a steady state where cryptography doesn’t change much.</p><p>Going forward, CMVP needs to be adjusted to accept the realities of the impending migration. We welcome the <i>FedRAMP update stream</i> that allows updated modules to be used immediately before final validation. This allows faster adoption of post-quantum cryptography, and correction of implementation errors that were missed in validation. Similar allowances for CMVP are essential.</p>
    <div>
      <h2>Go forth and PQ all the things</h2>
    </div>
    <p>This post-quantum EO is a meaningful step. It sets real deadlines and creates supply chain pressure that will accelerate adoption across the industry. </p><p>For organizations starting their own migration, we suggest you start by protecting your public Internet traffic along with updates to your procurement requirements, followed by a quantum impact inventory to figure out where to focus next. Do not let cryptography inventory slow you down from deploying post-quantum encryption across your most sensitive systems immediately. </p><p>Cryptographic deployment across the Internet depends on standards developed by the <a href="https://www.ietf.org/"><u>IETF</u></a>. The TLS community <a href="https://datatracker.ietf.org/wg/lamps/about/"><u>is</u></a> <a href="https://datatracker.ietf.org/group/plants/about/"><u>further along</u></a>, but there is lots more work to do across other protocol communities, and we look forward to supporting those efforts.</p><p>Let us go forth and PQ all the things, quickly and together. Free TLS helped encrypt the web. Free post-quantum cryptography will help secure it for what comes next.</p><p>You can get started now on Cloudflare by visiting our <a href="https://www.cloudflare.com/pqc/">PQC page</a>. </p> ]]></content:encoded>
            <category><![CDATA[Post-Quantum]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Cryptography]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Government Innovation]]></category>
            <category><![CDATA[Impact]]></category>
            <guid isPermaLink="false">6ecffq4Al52D0ka1U4p2OR</guid>
            <dc:creator>Sharon Goldberg</dc:creator>
            <dc:creator>Vincent Voci</dc:creator>
        </item>
        <item>
            <title><![CDATA[The White House AI Action Plan: a new chapter in U.S. AI policy]]></title>
            <link>https://blog.cloudflare.com/the-white-house-ai-action-plan-a-new-chapter-in-u-s-ai-policy/</link>
            <pubDate>Fri, 25 Jul 2025 01:52:00 GMT</pubDate>
            <description><![CDATA[ The White House AI Action Plan is a pivotal policy document outlining the current administration's priorities and deliverables in AI to establish American AI as the gold standard for AI worldwide. ]]></description>
            <content:encoded><![CDATA[ <p>On July 23, 2025, the White House <a href="https://www.ai.gov/action-plan"><u>unveiled its AI Action Plan</u></a> (Plan), a significant policy document outlining the current administration's priorities and deliverables in Artificial Intelligence. This plan emerged after the White House received over <a href="https://www.whitehouse.gov/articles/2025/04/american-public-submits-over-10000-comments-on-white-houses-ai-action-plan/"><u>10,000 public comments in response to a February 2025 Request for Information (RFI)</u></a>. Cloudflare’s <a href="https://files.nitrd.gov/90-fr-9088/Cloudflare-AI-RFI-2025.pdf"><u>comments</u></a> urged the White House to foster conditions for U.S. leadership in AI and support open-source AI, among other recommendations. </p><p>There is a lot packed into the three-pillar, 28-page Plan. </p><ul><li><p>Pillar I: Accelerate AI Innovation. Focuses on removing regulations, enabling AI adoption and development, and ensuring the availability of open-source and open-weight AI models.</p></li><li><p>Pillar II: Build American AI Infrastructure. Prioritizes the construction of high-security data centers, bolstering critical infrastructure cybersecurity, and promoting Secure-by-Design AI technologies. </p></li><li><p>Pillar III: Lead in International AI Diplomacy and Security. Centers on providing America’s allies and partners with access to AI, as well as strengthening AI compute export control enforcement. </p></li></ul><p>Each of these pillars outlines policy recommendations for various federal agencies to advance the plan’s overarching goals. There’s much that the Plan gets right. Below we cover a few parts of the Plan that we think are particularly important. </p>
    <div>
      <h3><b>Encouraging U.S. technology leadership</b></h3>
    </div>
    <p>The Plan takes the position that the U.S. is in a global race to achieve AI dominance, and that it is a national priority for U.S. technology companies to be the gold standard for AI globally. Through the Plan, President Trump commits his Administration to support American workers, technology, and energy to achieve that objective. </p><p>We share the view that governments have a helpful role to play in shaping rules and regulations that will enable private-sector innovation to flourish. For Cloudflare’s network to continue to operate globally, we need the U.S. government to shape and influence the right regulatory conditions. They should balance national and economic security concerns, promote consensus industry-led international standards, and support interoperable regulatory regimes. </p><p>Far too often in recent years, we’ve observed policy developments that have unnecessarily increased restrictions on U.S. technology providers and have made it challenging to operate. Protectionist mandates, including data sovereignty requirements, customer data retention policies, and various supervisory and government access requirements, do little to improve security or innovation and have unintended consequences. Protectionism increases costs for businesses, limits access to world-class technologies, and increases cybersecurity risk. </p><p>Implementing policies that guarantee access to global, distributed edge-compute networks and the freedom to choose the best technology for users' needs will help ensure the right conditions to enable AI to flourish. </p>
    <div>
      <h3><b>The AI ecosystem needed to spur innovation and development</b></h3>
    </div>
    <p>The Plan endorses open-source and open-weight AI models to spur innovation and to benefit commercial and government adoption. The plan recommends ensuring access to computing resources to increase capability in the start-up and academic worlds. </p><p>Cloudflare shares the view that open-source AI models play a crucial role in driving innovation. As recognized in the Plan, these models offer companies flexibility, freeing them from dependence on closed providers and enabling the use of AI with sensitive data where exporting to closed models might not be possible. That’s why Cloudflare includes access to more than fifty open-source models as part of our <a href="https://developers.cloudflare.com/workers-ai/"><u>Workers AI model catalog</u></a>. </p><p>However, access to open-source models alone is not enough to harness AI’s potential. A complete ecosystem is needed to build and deploy the AI applications and tools that will usher in the new age imagined by the Plan. Cloudflare’s global network, with our GPU-powered inference, can play an essential role. Having a distributed network like ours, which allows AI inference at the edge, is critical for fast, efficient AI development and for building the next generation of AI applications.</p><p>Open ecosystems are deeply embedded in Cloudflare's DNA. Our developer platform democratizes access, providing powerful tools for anyone to build and deploy applications. We offer global network infrastructure that removes complexities and reduces barriers. This lets AI developers innovate freely, using many different AI models, without relying on gatekeepers. Our commitment to making these tools easy to use mirrors the Plan’s call to foster innovation and support U.S. AI leadership by enabling developers to use open-source AI models to build, deploy, and scale new AI applications globally. </p>
    <div>
      <h3><b>Enhancing cybersecurity with AI</b></h3>
    </div>
    <p>The Plan stresses <a href="https://www.cloudflare.com/learning/ai/what-is-ai-security/">the importance of cybersecurity for AI</a> in several ways. There are two we want to highlight. </p><p>First, it endorses the use of AI technologies for the <a href="https://www.cloudflare.com/the-net/government/critical-infrastructure/">cybersecurity of critical infrastructure</a>. AI-assisted cyber-defense tools are force multipliers for network defenders, and will be absolutely necessary for all organizations — but particularly critical infrastructure — to protect against cyber threats. </p><p>Cloudflare’s network uses predictive AI and machine learning to block 247 billion cyberattacks daily. Under the theory of <a href="https://blog.cloudflare.com/defensive-ai/"><u>Defensive AI</u></a>, Cloudflare uses information to constantly improve the effectiveness of our security solutions. With <a href="https://blog.cloudflare.com/ai-labyrinth/"><u>AI Labyrinth</u></a>, we’ve even created a new tool that uses AI to trap AI. It is a new, next-generation honeypot and cybersecurity defensive tool that leverages AI to confuse crawlers and bots that ignore "no crawl" directives. Instead of <a href="https://www.cloudflare.com/learning/ai/how-to-block-ai-crawlers/">blocking these bots</a>, AI Labyrinth directs bots into an endless maze of convincing, AI-generated pages. </p><p>Second, to address potential vulnerabilities in AI technologies, the Plan tasks the U.S. government with ensuring that they are secure-by-design. </p><p>To <a href="https://www.cloudflare.com/ai-security/">secure AI</a>, Cloudflare has been active in shaping the cybersecurity and risk management of AI technologies. We have supported and provided feedback to the U.S. National Institute of Standards and Technology’s efforts to develop a Cybersecurity Profile for Artificial Intelligence. This is critically important and builds on our <a href="https://blog.cloudflare.com/tag/cisa/"><u>Secure-by-Design</u></a> commitment. </p><p>We look forward to working with the Administration on the proposed AI information sharing and analysis center and the proposed vulnerability information exchange. </p>
    <div>
      <h3><b>Cloudflare stands ready to accelerate AI adoption in government</b></h3>
    </div>
    <p>The Plan envisions the federal government playing a key role in accelerating AI adoption. Cloudflare can help. As the Plan notes, integrating AI can significantly enhance public service, making government more efficient and effective. Most, if not all, federal agencies now have Chief AI Officers, indicating a clear commitment to this technological shift. The government can further its efforts by fostering information sharing between government agencies, promoting best practices, and training its workforce to maximize AI’s efficiency gains.</p><p>Cloudflare can be a key partner in this journey. Our platform provides the secure, reliable, and scalable infrastructure necessary for federal agencies to deploy AI applications with full-stack AI building blocks. <a href="https://www.cloudflare.com/cloudflare-for-government/"><u>Cloudflare is FedRAMP Moderate authorized</u></a>, and we are committed to <a href="https://www.cloudflare.com/learning/privacy/what-is-fedramp/">FedRAMP</a> High. By leveraging Cloudflare’s global network, federal agencies can ensure their AI initiatives are resilient and accessible, driving greater public benefit. </p>
    <div>
      <h3><b>The need to balance the export of AI with export controls</b></h3>
    </div>
    <p>To lead on AI internationally, the Plan outlines a dual strategy, presenting two approaches in tension with each other: aggressive AI export to allies and partners, and stringent restrictions on exporting AI compute and semiconductors. On one hand, the Plan emphasizes that providing the full U.S. AI technology stack is crucial to prevent allies from turning to rivals. This aims to solidify a global AI alliance and ensure the enduring diffusion of American technology.</p><p>Conversely, the plan calls for strengthening export control enforcement and plugging loopholes to prevent export of sensitive technologies. The administration seeks to use export controls — restrictions on what goods a company can export — to deny foreign adversaries access to certain resources for both geostrategic competition and national security concerns. The challenge arises because overly stringent export controls, while aiming to deny access to adversaries, may inadvertently make it harder to export AI even to allies. </p><p>This dual approach highlights a critical tightrope walk. Cloudflare, along with many other industry players, will be watching closely to see how the administration balances these competing goals. Providing individuals across the world with access to resources that enable them to innovate and build applications close to their end users aligns with our mission to help build a better, more connected Internet. Having a globally distributed network like ours also enables U.S. AI companies to deploy their services globally. Although we appreciate the need for restricting access to sensitive compute resources, overly broad or imprecise controls could inadvertently stifle innovation and impede the open exchange of ideas crucial for AI development. The implementation of export controls must be meticulously balanced to target adversaries effectively without unwittingly hindering the very innovation and secure global digital ecosystem it seeks to protect. </p><p>A reassuring aspect of the Plan is its clear recognition of the private sector's indispensable role. The document repeatedly emphasizes the need for collaboration with industry and consultation with leading technology companies across various recommended policy actions. For instance, it specifically calls for establishing programs within the Department of Commerce to gather proposals from industry consortia for AI export packages. Furthermore, for strengthening AI compute export control enforcement, it advises exploring new measures “in collaboration with industry.” This commitment to partnership is essential to navigate the complexities of AI development and deployment. This collaboration with industry will ensure that policies are technically feasible, globally effective, and avoid unforeseen negative impacts on the digital economy and cybersecurity.</p>
    <div>
      <h3><b>Shaping the future of AI together</b></h3>
    </div>
    <p>The Plan represents a critical moment for U.S. AI leadership, and Cloudflare stands ready to partner in shaping the future of this critical technology. We applaud the Plan’s focus on accelerating AI development, building robust infrastructure, and leading global diplomacy. The Internet's global nature means that achieving these goals requires a delicate balance, particularly as the business model for the AI-powered web rapidly evolves. </p><p>Cloudflare champions an approach that fosters innovation while upholding an open, secure, and interoperable Internet. By prioritizing consensus-driven standards and ensuring that regulations do not inadvertently create barriers to a globally distributed AI infrastructure, we help ensure continued U.S. technological leadership and a sustainable, beneficial AI ecosystem.</p> ]]></content:encoded>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">NpabdoDRydEF5bKz9jUY4</guid>
            <dc:creator>Zaid Zaid</dc:creator>
            <dc:creator>Vincent Voci</dc:creator>
        </item>
    </channel>
</rss>