National Security Memorandum-10 on quantum-ready cryptography
On 4 May 2022 the White House issued NSM-10, directing U.S. federal agencies to inventory cryptographic systems, prioritize migration to quantum-resistant algorithms, and coordinate with NIST’s post-quantum standards process.
Verified for technical accuracy — Kodi C.
National Security Memorandum Overview
The Biden Administration issued National Security Memorandum-10 on 4 May 2022, launching a government-wide effort to achieve quantum-resistant cryptography across federal systems. The memorandum recognizes that adversaries with access to cryptographically relevant quantum computers could decrypt sensitive communications and compromise critical infrastructure that currently relies on public-key cryptography.
By establishing a coordinated migration framework, NSM-10 aims to protect national security systems and encourage private sector adoption of post-quantum cryptographic standards before quantum computing threats materialize. The directive represents the most significant cryptographic policy shift since the standardization of current public-key algorithms.
Cryptographic System Inventory Requirements
The memorandum requires federal agencies to inventory cryptographic systems and identify assets vulnerable to quantum attack. Inventory efforts must capture where public-key cryptography is deployed, including encryption of data at rest, protection of data in transit, digital signature verification, and key exchange mechanisms.
Agencies must document the cryptographic algorithms in use, key lengths, implementation approaches, and dependencies on underlying cryptographic libraries. This inventory serves as the foundation for migration planning, enabling prioritization of systems based on sensitivity, exposure, and migration complexity. Security architecture teams should begin similar inventories for enterprise systems regardless of federal affiliation, as the same quantum threats apply to private sector infrastructure.
Migration Planning and Timelines
NSM-10 establishes phased timelines for agency migration to quantum-resistant algorithms. National Security Systems face accelerated timelines given their sensitivity, with classified system requirements detailed in a separate annex.
Non-national security federal systems must develop migration plans aligned with NIST's post-quantum standardization process, which finalized initial algorithm selections in 2022 with additional algorithms expected. Migration plans must address cryptographic agility—the ability to update cryptographic implementations without major system redesigns—recognizing that algorithms may need replacement as the field evolves. Agencies must report progress against milestones to the National Manager for National Security Systems and the Office of Management and Budget.
NIST Post-Quantum Cryptography Standards
The memorandum closely coordinates with NIST's Post-Quantum Cryptography Standardization Process, which evaluated candidate algorithms for resistance to both classical and quantum attacks. NIST selected CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures as initial standard algorithms.
Additional signature algorithms remained under evaluation to provide implementation diversity. Security architecture and infrastructure teams should evaluate these algorithm choices, understand performance characteristics that may differ from current RSA and elliptic curve implementations, and plan migration approaches that maintain interoperability during transition periods when hybrid classical/post-quantum schemes may be necessary.
Supply Chain and Third-Party Considerations
Federal systems depend extensively on commercial products and third-party services that embed cryptographic capabilities. NSM-10's inventory requirements extend to understanding where vendor products deploy vulnerable cryptographic implementations and when vendors plan to offer quantum-resistant alternatives. Procurement processes must incorporate post-quantum migration considerations, potentially influencing vendor selection and contract requirements. Affected organizations should engage software vendors, cloud service providers, and hardware manufacturers to understand product roadmaps for quantum-resistant cryptography support and negotiate timelines that align with enterprise migration requirements.
Harvest Now, Decrypt Later Threat Model
The urgency behind NSM-10 stems from the "harvest now, decrypt later" threat model where adversaries collect encrypted data today anticipating future quantum capabilities to decrypt it. Data with long confidentiality requirements—multi-decade classified information, long-lived trade secrets, healthcare records with lifetime privacy expectations—faces exposure if captured under current encryption before quantum-resistant alternatives are deployed.
This threat model makes proactive migration essential, rather than a reactive response after quantum computing capabilities emerge. Risk assessments should evaluate data sensitivity horizons against estimated quantum computing development timelines to prioritize migration investments.
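The following added example (not part of NSM-10 or of this briefing's sources) shows one way to run that comparison over an inventory of the kind described under Cryptographic System Inventory Requirements. The inventory rows, the field names, and the 10-year planning figure are constructed assumptions; the comparison itself is the rule of thumb known as Mosca's inequality.

```python
# Added example: triage a cryptographic inventory for harvest-now, decrypt-later exposure.
# Every record, field name and planning number here is a constructed assumption.
import csv
import io

# Public-key families this page lists as quantum-vulnerable, and NIST's initial selections.
VULNERABLE = ("RSA", "DH", "ECDH", "ECDSA")
POST_QUANTUM = ("CRYSTALS-KYBER", "CRYSTALS-DILITHIUM", "FALCON", "SPHINCS+")

# Constructed inventory: years the data must stay confidential, years needed to migrate.
INVENTORY_CSV = """system,use,algorithm,key_bits,confidentiality_years,migration_years
records-archive,key exchange,ECDH,256,30,4
vpn-gateway,key exchange,DH,2048,5,2
code-signing,digital signature,RSA,3072,0,3
partner-api,key exchange,RSA,2048,2,1
pilot-tunnel,key exchange,CRYSTALS-Kyber,,30,0
"""

def classify(algorithm):
    name = algorithm.strip().upper()
    if name in POST_QUANTUM:
        return "post-quantum"
    if name in VULNERABLE:
        return "quantum-vulnerable"
    return "review"  # unrecognized entries need a human decision, never a silent pass

def triage(csv_text, years_to_quantum):
    """Return quantum-vulnerable rows, most urgent first.

    margin = confidentiality_years + migration_years - years_to_quantum
    A positive margin means data captured today is still sensitive when the
    assumed quantum capability arrives (Mosca's inequality, x + y > z).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if classify(row["algorithm"]) != "quantum-vulnerable":
            continue
        margin = (int(row["confidentiality_years"]) + int(row["migration_years"])
                  - years_to_quantum)
        # Recorded traffic threatens confidentiality uses; signatures are not harvested.
        harvestable = row["use"] != "digital signature"
        findings.append({"system": row["system"], "algorithm": row["algorithm"],
                         "margin": margin, "harvest_risk": harvestable and margin > 0})
    return sorted(findings, key=lambda f: (not f["harvest_risk"], -f["margin"]))

if __name__ == "__main__":
    for finding in triage(INVENTORY_CSV, years_to_quantum=10):  # assumed planning figure
        print(finding)
```

Rows classified as "review" are left out of the ranking on purpose, so an unknown algorithm string shows up as a gap in the inventory rather than being scored.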
Enterprise Action Items
Security architecture and infrastructure teams should take concrete steps in response to NSM-10 regardless of whether their organizations fall under federal requirements. Begin cryptographic inventory efforts to understand where vulnerable algorithms are deployed across applications, infrastructure, and third-party dependencies. Evaluate dependencies on vulnerable public-key algorithms including RSA, Diffie-Hellman, and elliptic curve cryptography.
Track NIST PQC standardization progress and vendor adoption of selected algorithms. Develop migration strategies prioritizing systems protecting long-lived sensitive data. Assess the cryptographic agility of existing implementations to understand migration complexity. Plan orderly upgrades for critical systems and third-party integrations that may require extended transition periods.
Cited sources
- White House fact sheet explains the inventory, migration, and coordination requirements.
- NSM-10 text details timelines and roles for agencies and the National Manager for National Security Systems.
- NIST PQC Project provides information on standardization progress and selected algorithms.