From Quantum Readiness to Operational Migration: Why EO 14412 Makes Telecom Cryptographic Bill of Materials a Strategic Imperative

July 8, 2026 4 min read Ian Deakin, Principal Technologist at ATIS Tags: Critical Communications and Infrastructure Quantum

The recent Executive Order 14412, Securing the Nation Against Advanced Cryptographic Attacks, marks a significant shift in the nation’s approach to post-quantum cryptography (PQC). Quantum risk is no longer a future research challenge. It is now a national security, critical infrastructure, procurement, and operational priority.

The Executive Order (EO) directs federal agencies to accelerate migration to National Institute of Standards and Technology (NIST)-approved PQC, with deadlines of December 31, 2030, for key establishment and December 31, 2031, for digital signatures. It also tasks the Cybersecurity and Infrastructure Security Agency (CISA) and NIST with developing guidance on the minimum elements of a Cryptographic Bill of Materials (CBOM) to enable automated discovery and assessment of cryptographic assets.

For the information and communications technology industry, the message is clear: the post-quantum transition has entered its implementation phase. The question is no longer whether organizations should prepare. The question is whether they can discover, assess, prioritize, test, and migrate their cryptographic dependencies quickly enough.

ATIS has been preparing the communications industry for this transition for years. Through its Quantum Safe Communications and Information Initiative, ATIS has developed practical guidance on quantum threat timelines, crypto-agility, entropy risks, 5G security, and telecom-specific CBOM. These resources help organizations move beyond awareness and begin operational planning.

That work is especially important because telecommunications is fundamentally different from a traditional IT environment. Communications networks are distributed, multi-vendor ecosystems built on long-lived infrastructure, specialized protocols, and complex trust relationships. Cryptography is embedded throughout software, hardware, network functions, signaling, management systems, APIs, roaming interfaces, certificates, and operational support systems.

Simply knowing which encryption algorithms are in use is not enough. Operators need visibility into where cryptography is deployed, what it protects, which systems depend on it, who supplies it, and how changes will affect operations.

This is the role of a CBOM.

The Office of Management and Budget’s guidance accompanying the Executive Order recognizes that manual discovery is insufficient for migration at this scale. It calls for automated cryptographic inventory that feeds a centralized CBOM, providing organizations with a real-time view of their cryptographic posture.

ATIS anticipated this need. Its CBOM for Telecom report defines a CBOM as a structured, machine-readable inventory of cryptographic assets across software, hardware, network functions, and interfaces. More than documentation, it provides the operational foundation for risk assessment, migration planning, remediation, and long-term crypto-agility.

Telecommunications also presents challenges that generic CBOM approaches do not fully address. Modern mobile networks rely on specialized protocols such as 5G Authentication and Key Agreement (5G-AKA), Protection of Roaming and Interconnection Signaling (PRINS), MILENAGE, Extensible Authentication Protocol AKA (EAP-AKA), and standardized 5G interfaces from N1 through N32. Cryptographic functions may also reside in Hardware Security Modules (HSMs), Trusted Platform Modules (TPMs), secure elements, cloud services, and vendor platforms, making discovery far more complex than a software inventory alone.

A telecom-specific CBOM provides a common framework for describing these assets, allowing operators, vendors, suppliers, and security tools to use a consistent vocabulary for cryptographic discovery, risk assessment, and migration planning. Without that common framework, fragmented inventories could slow migration, complicate procurement, and make it difficult to compare risk across the communications ecosystem.

The Executive Order also places new emphasis on procurement. It directs the Federal Acquisition Regulatory Council to develop rules requiring covered federal contractors to comply with NIST Federal Information Processing Standards incorporating PQC algorithms. As a result, quantum readiness will increasingly become a supply-chain requirement rather than simply an internal cybersecurity objective.

For communications providers, this changes the conversation. Operators will need stronger evidence from suppliers, procurement teams will need to evaluate crypto-agility alongside traditional security requirements, and network architects will need to understand how PQC migration affects protocols, equipment, interfaces, and operational dependencies.

ATIS’ work directly supports this transition. Its CBOM guidance establishes the foundation for cryptographic visibility. Its crypto-agility work helps organizations measure their ability to replace cryptography with minimal operational disruption. Its research on quantum-safe 5G architectures and threat timelines provides practical guidance for integrating PQC into modern communications networks.

Perhaps the most important insight from EO 14412 is that post-quantum migration is not simply a race to adopt new algorithms. NIST has already standardized the first generation of PQC algorithms. The larger challenge is operational: identifying where vulnerable cryptography exists, understanding hidden dependencies, coordinating suppliers, prioritizing upgrades, and maintaining interoperability throughout the migration process.

Organizations cannot migrate what they cannot see.

That is why CBOM, crypto-agility, and telecom-specific migration guidance have become strategic imperatives. They provide the visibility, automation, and governance needed to execute a successful transition — not just plan for one.

EO 14412 establishes an aggressive federal timeline. ATIS is helping the communications industry meet that challenge by providing the standards, guidance, and collaborative frameworks needed to move from quantum readiness to operational migration. Through its work on telecom CBOM, crypto-agility, 5G security, and quantum-safe communications, ATIS is helping build the common foundation required to secure communications infrastructure for the quantum era.

The preparation window is narrowing. Organizations that establish cryptographic visibility today will be best positioned to migrate with confidence, maintain interoperability, and protect the communications networks that underpin the digital economy.

About the Author

Ian Deakin

Principal Technologist at ATIS

Ian Deakin, Principal Technologist at ATIS is currently applying his expertise in digital transformation to advance ATIS initiatives in the areas of distributed ledger technology (DLT) and 5G vertical enablement platforms. Deakin has a 30-year career in the ICT industry, with a long-standing track record working with companies globally to define new product and service propositions, implementing emerging technologies to deliver new business lines. Before his current role at ATIS, he worked with executive-level leadership at innov8id to help organizations use blockchain innovation to facilitate change, optimize performance and productivity, and create new business models. Prior to this, he held senior management positions leading product and technology strategies with iconectiv, CMG Telecom, Motorola, O2, and Siemens Nixdorf. He has filed three patents in the ICT area. His most recent work at ATIS involves leading the organizations’ initiative to devise and deliver a solution using DLT to help combat fraudulent/spoofed telephone calls.