EO 14144: What It Means for You
- Giuliana Bruni

Is your organisation prepared for the coming shift in cybersecurity? Executive Order 14144, released earlier this year, marks a turning point in global cybersecurity policy. While its immediate focus is on U.S. federal agencies, it sets a precedent that will likely influence regulations worldwide.
The executive order mandates that federal agencies begin transitioning to post-quantum cryptographic standards, anticipating a future where quantum computers could break traditional encryption methods. The National Institute of Standards and Technology (NIST) has already identified cryptographic algorithms designed to withstand these threats, including CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, and SPHINCS+, which are expected to become industry standards. A recent NIST study (NIST IR 8545) highlights how modern cryptographic vulnerabilities can be exploited, even before large-scale quantum computers emerge. Compliance with these new encryption protocols will be critical for organisations interacting with federal agencies, ensuring data security against future decryption capabilities.
A key response to this challenge is the adoption of Cryptographic Bills of Materials (CBOMs), which provide an inventory of cryptographic elements within software. This allows organisations to assess their reliance on legacy encryption methods and prepare for necessary upgrades. The National Security Agency (NSA) has already issued guidance urging organisations to begin transitioning to quantum-safe cryptography, reinforcing the importance of early preparation.
Beyond cryptographic requirements, the order expands on prior efforts to enhance software supply chain security. It reinforces the need for transparency in software development and requires comprehensive tracking of software components and dependencies. This aligns with prior directives, including Executive Order 14028, which mandated Software Bills of Materials (SBOMs) as a tool for increasing visibility into software ecosystems.
The emphasis on supply chain security reflects an evolving cybersecurity landscape where software vulnerabilities are increasingly exploited. According to GitHub’s latest Octoverse Report, developers across GitHub detected more than 39 million vulnerabilities in 2024. Supply chain attacks have become more sophisticated, with incidents like SolarWinds and Log4j demonstrating how vulnerabilities in widely used software components can have global ramifications.
Ignoring these changes isn’t just risky—it’s a potential disaster waiting to unfold. The clock is ticking, and businesses that delay action could find themselves exposed to unfixable security gaps, compliance failures, and severe financial repercussions. The question is no longer whether to act, but how quickly you can adapt before it’s too late.