CMMC crypto controls: inventory evidence auditors want
Defense contractors face CMMC Level 2 enforcement between 2026 and 2030. Primes and assessors increasingly ask for cryptographic inventory evidence, not verbal assurance.
What CMMC expects
CMMC 2.0 Level 2 is assessed against NIST SP 800-171 Rev 2. The cryptography-relevant controls are 3.13.8 (cryptographic protection of CUI in transit), 3.13.10 (cryptographic key management), 3.13.11 (FIPS-validated cryptography when it protects CUI confidentiality) and 3.13.16 (confidentiality of CUI at rest). Assessors want evidence that you:
- Know which algorithms, key sizes and protocol versions protect CUI in transit and at rest, per endpoint rather than per policy statement
- Have a migration plan for quantum-vulnerable public-key cryptography. This is not itself an 800-171 assessment objective; the driver is NSM-10 and the NIST IR 8547 timeline (RSA and ECC deprecated after 2030, disallowed after 2035), and primes increasingly ask for the plan alongside the formal evidence
- Can demonstrate progress between assessment cycles, which means comparable inventories over time rather than a single snapshot
Evidence that works
| Artifact | Purpose |
|---|---|
| Live TLS inventory | External attack surface with algorithm tags |
| CycloneDX CBOM | Machine-readable asset list for GRC |
| Signed scan report + /verify | Independent signature check |
| Drift diff between scans | Proves monitoring, not one-time panic |
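To make the two machine-readable artifacts concrete, here is an added example (not Qtangl's code or output format) that takes a TLS inventory, tags each endpoint at algorithm level using the NIST IR 8547 categories, emits a minimal CycloneDX-style CBOM, and diffs two scans for drift. The sample scans are constructed; the CBOM uses a small subset of CycloneDX 1.6 field names as I understand the spec and should be validated against the published schema before it goes into a compliance pack. The `example:tag` property namespace is an assumption.

```python
"""Added example: tag a TLS inventory, emit a CycloneDX-style CBOM, diff scans.
Sample records are constructed; no real hosts are contacted."""
import json
from datetime import datetime, timezone

# Constructed baseline scan and a scan taken one assessment cycle later.
SCAN_OLD = [
    {"host": "vpn.example.mil", "port": 443, "tls": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "kex": "ECDHE P-256",
     "cert_sig": "sha256WithRSAEncryption", "cert_key": "RSA", "key_bits": 2048},
    {"host": "portal.example.mil", "port": 443, "tls": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384", "kex": "X25519",
     "cert_sig": "ecdsa-with-SHA256", "cert_key": "EC", "key_bits": 256},
]
SCAN_NEW = [
    SCAN_OLD[0],
    {**SCAN_OLD[1], "kex": "X25519MLKEM768"},  # hybrid PQ key exchange rolled out
    {"host": "sftp.example.mil", "port": 8443, "tls": "TLSv1.2",  # new, weak endpoint
     "cipher": "AES128-SHA", "kex": "RSA", "cert_sig": "sha1WithRSAEncryption",
     "cert_key": "RSA", "key_bits": 2048},
]
PQ_KEX_MARKERS = ("MLKEM", "ML-KEM", "KYBER")
FIELDS = ("tls", "cipher", "kex", "cert_sig", "cert_key", "key_bits")


def pq_level(kex):
    """NIST PQC security level of an ML-KEM (hybrid or pure) key exchange, 0 if none."""
    k = kex.upper()
    for marker in PQ_KEX_MARKERS:
        if marker in k:
            tail = k[k.index(marker) + len(marker):]
            for size, level in (("512", 1), ("768", 3), ("1024", 5)):
                if size in tail:
                    return level
    return 0


def tag_record(rec):
    """Return a copy of the record with algorithm-level tags a GRC reviewer can read.
    Per NIST IR 8547, every classical (EC)DH/RSA exchange is quantum-vulnerable."""
    tags = []
    kex = rec["kex"].upper()
    if pq_level(rec["kex"]):
        classical = any(c in kex for c in ("X25519", "X448", "P-256", "P-384", "SECP"))
        tags.append("kex:pq-hybrid" if classical else "kex:pq")
    else:
        tags.append("kex:quantum-vulnerable")  # recorded traffic is exposed to HNDL
        if kex == "RSA":
            tags.append("kex:no-forward-secrecy")
    sig = rec["cert_sig"].lower()
    if "rsa" in sig or "ecdsa" in sig:
        tags.append("sig:quantum-vulnerable")
    if "sha1" in sig:
        tags.append("sig:sha1-deprecated")
    if rec["tls"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        tags.append("tls:deprecated")
    weak_rsa = rec["cert_key"] == "RSA" and rec["key_bits"] < 2048
    weak_ec = rec["cert_key"] == "EC" and rec["key_bits"] < 256
    if weak_rsa or weak_ec:
        tags.append("key:below-112-bit")
    return {**rec, "tags": tags}


def _asset(name, ref, primitive, tags, level=None, params=None):
    props = {"primitive": primitive}
    if level is not None:
        props["nistQuantumSecurityLevel"] = level
    if params is not None:
        props["parameterSetIdentifier"] = params
    return {"type": "cryptographic-asset", "name": name, "bom-ref": ref,
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": props},
            "properties": [{"name": "example:tag", "value": t} for t in tags]}


def to_cbom(records):
    """Minimal CycloneDX 1.6-shaped CBOM: one key-exchange and one signature asset per endpoint."""
    components = []
    for rec in map(tag_record, records):
        ep = f"{rec['host']}:{rec['port']}"
        kex_tags = [t for t in rec["tags"] if t.startswith("kex:")]
        sig_tags = [t for t in rec["tags"] if t.startswith("sig:") or t.startswith("key:")]
        components.append(_asset(rec["kex"], f"{ep}/kex", "key-agree", kex_tags,
                                 level=pq_level(rec["kex"])))
        components.append(_asset(rec["cert_sig"], f"{ep}/cert-sig", "signature", sig_tags,
                                 level=0 if "sig:quantum-vulnerable" in rec["tags"] else None,
                                 params=str(rec["key_bits"])))
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
            "components": components}


def drift(old, new):
    """Endpoints added, removed, or reconfigured between two scans (the 'monitoring' evidence)."""
    key = lambda r: (r["host"], r["port"])
    o, n = {key(r): r for r in old}, {key(r): r for r in new}
    changed = {}
    for k in o.keys() & n.keys():
        diffs = {f: (o[k][f], n[k][f]) for f in FIELDS if o[k][f] != n[k][f]}
        if diffs:
            changed[k] = diffs
    return {"added": sorted(n.keys() - o.keys()),
            "removed": sorted(o.keys() - n.keys()), "changed": changed}


if __name__ == "__main__":
    print(json.dumps(to_cbom(SCAN_NEW), indent=2))
    print(drift(SCAN_OLD, SCAN_NEW))
```

The drift output is what distinguishes monitoring from a one-off scan: here it shows the portal moving to a hybrid ML-KEM group (progress) and a new SFTP endpoint appearing with static RSA key exchange and a SHA-1 certificate (regression), both of which an assessor can trace to specific endpoints rather than to a policy statement.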
What does not work
- Annual spreadsheet exercises that go stale within weeks of the next certificate rotation or endpoint change
- Vendor attestation letters without algorithm-level detail (which key exchange groups, which certificate key types and sizes, which signature hashes)
- Claiming "we use TLS 1.3" without an inventory of key exchange groups and certificate algorithms: TLS 1.3 still negotiates classical X25519 or P-256 key exchange and RSA or ECDSA certificates unless hybrid groups are explicitly configured
Qtangl for DIB contractors
Qtangl maps findings to CMMC-relevant controls, exports signed compliance packs, and the Monitor tier tracks drift between cycles. This is an inventory aid, not a formal CMMC attestation.
See the full CMMC pillar guide at /q-day/frameworks/cmmc and the government solutions playbook at /solutions/government.
References & further reading
Authoritative primary sources cited in this article. Summaries are our own; follow the links for full context.
Last verified 2026-06-03
- National Security Memorandum on Post-Quantum Cryptography (NSM-10). White House, May 2022. Federal mandate requiring migration away from quantum-vulnerable algorithms by 2035.
- NIST IR 8547: Transition to Post-Quantum Cryptography Standards. NIST, 2024. Federal transition guidance with deprecation timelines for quantum-vulnerable algorithms.
- What Is Q-Day? Quantum Computing and Cyber Risk. Palo Alto Networks, 2026. CRQC definition, HNDL threat model, and migration guidance for enterprise security teams.
See your exposure with evidence
Run a live PQC inventory scan, export a CBOM, and verify signed reports independently.