Post-Quantum Readiness
How Government Contractors Can Prepare for PQC Compliance
Government contractors face mandatory PQC migration under NSM-10, OMB M-23-02, and CNSA 2.0. Learn the compliance timelines, crypto inventory requirements, and how to start your readiness program.
How Government Contractors Can Prepare for PQC Compliance Government contractors face the most aggressive PQC compliance timelines of any sector. NSM 10, OMB M 23 02, CNSA 2.0, and CMMC 2.0 are converging to mandate cryptographic inventories and migration plans on accelerated schedules. Federal agencies must submit annual crypto inventories now, with high priority systems beginning PQC migration by 2028. If you sell software, cloud services, or IT systems to the US federal government, your customers will soon require evidence that your cryptographic posture meets these mandates. Here is what contractors need to know and do. The Key Mandates NSM 10 (National Security Memorandum on Quantum Computing) Issued in 2022 and operationalized through subsequent directives, NSM 10 requires federal agencies to: Inventory all cryptographic systems Develop a migration plan to PQC Begin migration for high priority systems by 2028 Complete migration for all systems by 2035 For contractors, NSM 10 matters because federal agencies flow these requirements down through contracts, RFPs, and security assessments. If you cannot demonstrate your PQC readiness, you risk losing federal business. OMB M 23 02 (Annual Cryptographic Inventory) OMB M 23 02 requires agencies to submit an annual inventory of all cryptographic assets — algorithms, certificates, protocols, and vendors. The inventory must classify each asset by quantum vulnerability and include a migration plan with milestones. Contractors providing systems to federal agencies are expected to provide the cryptographic data that feeds these inventories. If an agency uses your platform, they need your CBOM. CNSA 2.0 (Commercial National Security Algorithm Suite) NSA's CNSA 2.0 specifies which algorithms are approved for national security systems. It mandates: ML KEM 768 for key establishment (replacing RSA and ECDH) ML DSA 65 or SLH DSA for digital signatures (replacing RSA and ECDSA) AES 256 for symmetric encryption (unchanged) SHA 384 or SHA 512 for hashing (upgraded from SHA 256) For contractors handling classified or controlled unclassified information (CUI), CNSA 2.0 compliance is mandatory. CMMC 2.0 (Cybersecurity Maturity Model Certification) CMMC 2.0 Level 2 and Level 3 include cryptographic requirements through NIST SP 800 171 controls. SC.L2 3.13.11 (cryptographic protection of CUI) and SC.L2 3.13.10 (cryptographic key establishment and management) are directly relevant. As PQC becomes the required standard, CMMC assessments will verify that contractors are migrating to approved post quantum algorithms. What Contractors Should Do Now Month 1 2: Cryptographic Inventory Run an external cryptographic posture assessment on every domain used in federal contract delivery. Inventory TLS certificates, algorithms, key sizes, and vendors. Identify every instance of RSA 2048, ECC P 256, and SHA 256 with RSA signatures. CipherReady automates the external discovery layer — enter domains, run scans, and within minutes you have the certificate by certificate inventory that feeds NSM 10 and OMB M 23 02 requirements. Month 2 3: Classify by CNSA 2.0 Compliance Map every cryptographic asset to CNSA 2.0 requirements: Compliant: AES 256, SHA 384/512, ML KEM 768, ML DSA 65 Non Compliant but Migratable: RSA 2048, ECC P 256 (can be replaced with CNSA approved algorithms) Non Compliant and Blocked: Algorithms with no PQC replacement path yet (specialized hardware crypto, legacy OT systems) Month 3 4: Vendor Cryptographic