NSM-10 Compliance: What Federal Agencies Need by 2035
National Security Memorandum 10 mandates the most significant cryptographic transformation in federal history. Every agency must inventory, prioritize, and migrate to post-quantum cryptography — or face operational and compliance consequences.
~8 min readWhat is NSM-10?
National Security Memorandum 10, formally titled “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems”, was signed by President Biden on May 4, 2022. It is the foundational federal policy document directing the transition to post-quantum cryptography (PQC) across all government systems.
NSM-10 acknowledges that cryptographically relevant quantum computers (CRQCs) pose a direct threat to the public-key cryptographic systems that protect classified and unclassified federal data. The memorandum establishes a coordinated, government-wide approach to identifying vulnerable systems and migrating them to quantum-resistant algorithms before adversaries achieve quantum advantage.
The memorandum operates alongside Executive Order 14028(Improving the Nation's Cybersecurity) and OMB Memorandum M-23-02 (Migrating to Post-Quantum Cryptography), which provides the implementation guidance for agencies. Together, these directives create the legal and operational framework for the largest cryptographic migration in history.
Key Requirements
Complete Cryptographic Inventory
Federal agencies were required to inventory all cryptographic systems by the end of 2022. This includes every algorithm, key length, protocol, certificate authority, and cryptographic library in use across the organization. The cryptographic inventory serves as the foundation for all subsequent migration planning.
Identify & Prioritize Vulnerable Systems
Agencies must classify systems by quantum vulnerability and prioritize migration based on data sensitivity, mission criticality, and exposure to “harvest now, decrypt later” (HNDL) threats. Systems protecting long-lived secrets — intelligence, health records, financial data — receive the highest priority.
NIST PQC Standards Development
NSM-10 directed NIST to coordinate and publish post-quantum cryptographic standards. NIST delivered three standards in August 2024: FIPS 203 (ML-KEM for key encapsulation), FIPS 204 (ML-DSA for digital signatures), and FIPS 205 (SLH-DSA for hash-based signatures). These algorithms are now the approved replacements for RSA, ECC, and Diffie-Hellman in federal systems.
Full PQC Migration by 2035
All federal agencies must complete migration to post-quantum cryptographic algorithms by 2035. This applies to both National Security Systems (NSS) and non-NSS federal information systems. The PQC migration encompasses network protocols, data-at-rest encryption, digital signatures, key management infrastructure, and embedded cryptographic systems.
OMB Implementation Oversight
The Office of Management and Budget (OMB) oversees implementation tracking through OMB M-23-02, which requires agencies to submit migration plans, progress reports, and risk assessments. CISA provides technical guidance and coordinates cross-agency vulnerability assessments.
NSM-10 Compliance Timeline
NSM-10 Signed
President Biden signs National Security Memorandum 10, establishing the federal mandate for post-quantum cryptography migration.
Agency Cryptographic Inventories Due
All FCEB agencies required to submit comprehensive cryptographic inventories documenting every algorithm, protocol, and key in use.
NIST Publishes FIPS 203, 204, and 205
NIST finalizes three post-quantum cryptographic standards: ML-KEM (FIPS 203),ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). These are the approved algorithms for federal PQC migration.
Migration Execution Phase
Agencies begin active migration of systems to PQC algorithms. Priority systems (handling classified data, long-lived secrets, and critical infrastructure) migrate first. Hybrid cryptographic deployments bridge the transition.
Full PQC Migration Deadline
All federal systems must have completed migration to quantum-resistant cryptographic algorithms. Non-compliant systems risk loss of Authority to Operate (ATO).
Who Must Comply with NSM-10?
NSM-10 compliance obligations extend across the entire federal ecosystem. If your organization touches federal data or systems, you are likely within scope.
Federal Civilian Executive Branch (FCEB)
All civilian agencies — DHS, HHS, DOE, Treasury, Commerce, and every department under the Executive Branch. These agencies fall under OMB M-23-02 reporting requirements.
Department of Defense
All DoD components, combatant commands, and defense agencies. DoD systems follow NSA's CNSA 2.0 timeline, which may impose earlier deadlines for National Security Systems.
Intelligence Community
All 18 IC agencies including NSA, CIA, DIA, NGA, and NRO. IC systems handle the most sensitive data and face the highest HNDL risk, making early PQC adoption critical.
Federal Contractors & CUI Handlers
Any organization processing, storing, or transmitting Controlled Unclassified Information (CUI) under federal contracts. This includes defense contractors, healthcare providers under HIPAA, and financial institutions with federal data obligations.
Cryptographic Inventory Obligations
The cryptographic inventory is the single most important deliverable under NSM-10. Without a complete inventory, agencies cannot identify vulnerable systems, prioritize migration, or demonstrate compliance. A complete Cryptographic Bill of Materials (CBOM) must include:
- ▸Algorithms & key lengths — Every instance of RSA, ECC, AES, SHA, Diffie-Hellman, and other cryptographic algorithms across all systems, with key sizes documented.
- ▸Protocols — TLS versions, IPsec configurations, SSH implementations, S/MIME, and any protocol that relies on public-key cryptography.
- ▸Certificates & PKI — All certificate authorities, certificate chains, HSMs, key management systems, and certificate lifecycle processes.
- ▸Libraries & dependencies — Every cryptographic library (OpenSSL, BoringSSL, NSS, Bouncy Castle, etc.) and their versions across the software supply chain.
- ▸Quantum vulnerability classification— Each asset scored against Shor's algorithm vulnerability (asymmetric algorithms) and Grover's algorithm impact (symmetric algorithms and hashes).
Most agencies that attempted manual inventories found they captured less than 40% of their actual cryptographic surface. Automated discovery is not optional — it is the only path to a defensible inventory.
How QScout Automates NSM-10 Compliance
QScout was built to solve the two hardest problems in NSM-10 compliance: discovering what you actually have, and quantifying how vulnerable it is.
Automated Cryptographic Discovery
QScout reviews approved TLS endpoints, certificate chains, and protocol configurations to build cryptographic inventory evidence. No agents to install, no manual spreadsheets. Results map directly to OMB M-23-02 reporting requirements.
Quantum Risk Scoring
Every discovered asset receives a quantum vulnerability score based on algorithm type, key length, and exposure profile. Shor-vulnerable algorithms (RSA, ECC, DH) are flagged for immediate attention. Results feed directly into your PQC migration checklist. See our quantum risk assessment guide for the full methodology.
NIST-Aligned Reporting
Assessment reports reference FIPS 203/204/205 standards, CNSA 2.0 requirements, and NSM-10 milestones. Board-ready documentation for agency CISOs and OMB reporting cycles.
Continuous Monitoring
NSM-10 compliance is not a one-time event. QScout provides continuous cryptographic monitoring so your inventory stays current as systems change, certificates rotate, and new services deploy.
NSM-10 Frequently Asked Questions
What is NSM-10 and when was it signed?
NSM-10 (National Security Memorandum 10), titled “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” was signed by President Biden on May 4, 2022. It establishes the federal mandate for transitioning to post-quantum cryptography with a 2035 deadline.
Who must comply with NSM-10?
All Federal Civilian Executive Branch (FCEB) agencies, Department of Defense components, Intelligence Community agencies, and federal contractors handling Controlled Unclassified Information (CUI). If your organization processes federal data using cryptographic systems, you are within scope.
What is the cryptographic inventory requirement?
NSM-10 required agencies to complete a comprehensive inventory of all cryptographic systems — every algorithm, key length, protocol, certificate, and library in use. This cryptographic inventory is the foundation for identifying quantum-vulnerable systems and planning migration.
What PQC standards does NSM-10 reference?
NSM-10 directed NIST to develop PQC standards. NIST published three in August 2024: FIPS 203 (ML-KEM for key encapsulation), FIPS 204 (ML-DSA for digital signatures), and FIPS 205 (SLH-DSA for hash-based signatures). These replace RSA, ECC, and DH in federal systems. See the glossary for full algorithm definitions.
What happens if an agency misses the NSM-10 deadline?
Non-compliant agencies face increased OMB and CISA oversight, potential budget implications, elevated risk ratings, and possible loss of Authority to Operate (ATO) for non-compliant systems. Progress reports to the National Manager for National Security Systems create accountability at the highest levels.
Start Your NSM-10 Compliance Assessment
Run a QScout assessment intake to discover your quantum-vulnerable cryptographic surface. Automated inventory, NIST-aligned scoring, and board-ready reporting — in minutes.