Compliance deadlines
Read →
Federal mandate
NSM-10 compliance guide
NSM-10 directs federal agencies and contractors to migrate away from quantum-vulnerable cryptography by 2035.
Framework
National Security Memorandum on post-quantum cryptography
Deadline: 2035
Executive summary
NSM-10 (May 2022) establishes U.S. policy to migrate away from quantum-vulnerable public-key cryptography. Defense contractors, federal-adjacent SaaS vendors, and primes must inventory crypto, plan migration, and evidence progress to auditors and contracting officers — not just assert "we use TLS."
Deadline: 2035 for broad migration; CNSA 2.0 sets tiered deadlines of 2030–2033 for national security systems.
Who must comply
- Federal agencies and national security systems
- Defense Industrial Base (DIB) contractors handling CUI
- SaaS vendors on FedRAMP or CMMC paths serving federal customers
- Subcontractors whose primes flow down crypto requirements
What auditors expect
| Evidence type | Why it matters |
|---|---|
| Algorithm-level TLS inventory | Proves you know RSA/ECDSA exposure |
| CycloneDX CBOM | Machine-readable for GRC and prime review |
Signed scan + /verify | Independent signature check |
| Drift monitoring | Shows progress between cycles |
CNSA 2.0 crosswalk
CNSA 2.0 defines approved algorithm tiers and transition dates for classified and national security systems. Map your inventory findings to CNSA tiers before NSM-10's 2035 horizon — many DIB systems align to earlier CNSA clocks.
Common failure modes
- One-time spreadsheet inventories that miss JWKS, STARTTLS, and SaaS dependencies
- Vendor attestation without algorithm tags
- Migration roadmaps without re-scan proof after fixes
Qtangl mapping
- Assess: Baseline scan with NSM-10 and CNSA 2.0 crosswalk in signed PDF
- Monitor: Drift diffs between audit cycles
- Convert: Prioritized backlog with verification scans per remediation item
Prime and sub flow
Primes increasingly require cryptographic inventory evidence in contract deliverables. Subs should export CBOM JSON and signed reports that primes can aggregate — not PDF screenshots of spreadsheets.
90-day starting plan
- Baseline external TLS inventory with algorithm classification
- Export CBOM and map to CNSA 2.0 tiers
- Present readiness score to ISSO or prime security contact
- Schedule quarterly re-scans before CMMC or authorization reviews
Qtangl mapping
- Live TLS scan inventories RSA, ECDSA, and ECDH exposure
- Framework-mapped signed PDF with verify link
- Monitor tier tracks drift between audit cycles
References & further reading
Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.
Last verified 2026-06-03
- National Security Memorandum on Post-Quantum Cryptography (NSM-10)White House · 2022-05Federal mandate requiring migration away from quantum-vulnerable algorithms by 2035.
- Commercial National Security Algorithm Suite 2.0 (CNSA 2.0)NSA · 2022NSA migration tiers for national security systems through 2030–2033.
- NIST IR 8547: Transition to Post-Quantum Cryptography StandardsNIST · 2024Federal transition guidance with deprecation timelines for quantum-vulnerable algorithms.
Try it