The compliance notice is already in the mail. Most contractors just haven't read it yet.
CMMC 2.0 became law on December 16, 2024. Phase 1 contracts — requiring Level 1 self-assessments — started flowing through procurement in early 2025. Phase 2, which mandates third-party Level 2 assessments for anyone handling Controlled Unclassified Information (CUI), begins appearing in contracts from 2026 onward. If you're a defence contractor and you're not planning for this, you're already behind.
But there is a second deadline layered underneath CMMC that most compliance teams haven't connected yet: post-quantum cryptography.
These two converge in 2027. If you handle CUI, you need to understand both — and why the order in which you address them matters.
What CMMC 2.0 Actually Requires
CMMC 2.0 simplified the original five-level model into three:
| Level | Practices | Assessment type | Who it applies to |
|---|---|---|---|
| Level 1 | 17 practices — FAR 52.204-21 | Annual self-assessment | Contractors handling Federal Contract Information (FCI) |
| Level 2 | 110 practices — NIST SP 800-171 Rev 2 | Third-party assessment (C3PAO) | Contractors handling CUI on prioritised programmes |
| Level 3 | 24 additional practices — NIST SP 800-172 | Government-led (DIBCAC) | Contractors on the DoD's most critical programmes |
If you touch CUI — and most prime contractors and their Tier 1 subcontractors do — you are in Level 2 territory.
NIST SP 800-171 Level 2 includes SC.3.177: "Employ cryptographic mechanisms to protect the confidentiality of CUI during transmission." And SC.3.187: "Establish and manage cryptographic keys when cryptography is employed."
Where Post-Quantum Cryptography Enters the Compliance Chain
Three separate directives are converging on defence contractors simultaneously:
NSM-10 (May 2022) — The White House National Security Memorandum on Quantum Computing requires all federal agencies to prioritise migration to post-quantum cryptography and submit cryptographic inventories. Agencies push these requirements into contracts. Your prime contractor pushes them to you.
OMB M-23-02 (December 2022) — Requires federal agencies to complete inventories of all systems using public-key cryptography. That inventory work is now done. The remediation phase follows — and contractors are next in the chain.
CNSA 2.0 (September 2022) — The NSA's Commercial National Security Algorithm Suite 2.0 is the most specific and the most demanding. It sets hard timelines for National Security Systems (NSS):
| Algorithm use | Must support by | Exclusively by |
|---|---|---|
| Software / firmware signing | 2025 | 2030 |
| Key establishment (key exchange) | 2025 | 2033 |
| RSA / ECDSA / Diffie-Hellman | Deprecated — no new acquisitions | |
If your systems touch NSS — or if your prime contractor's systems do — CNSA 2.0 applies to your supply chain. "Exclusively by 2030" means RSA is gone in four years.
Why Defence Contractors Are the Highest-Risk Target
The threat model for a defence contractor is fundamentally different from that of a commercial software company.
Commercial companies worry about data that is sensitive today. Defence contractors hold data that is sensitive for decades.
CUI — export-controlled technical data, programme acquisition plans, operational details — routinely has a 15-to-25-year sensitivity window. A classified programme design stolen today needs to stay secret until 2040 or beyond.
When a Cryptographically Relevant Quantum Computer (CRQC) comes online — the US intelligence community estimates mid-2030s for the first one capable of breaking RSA-2048 — that archived traffic becomes plaintext.
Migrating to post-quantum algorithms after 2030 does not protect the traffic already captured. The only way to protect against Harvest Now, Decrypt Later is to migrate before the harvest becomes the attack.
What Your Systems Actually Need to Change
The NIST standards are finalised and were published on August 13, 2024:
| Standard | Algorithm | Replaces | Used for |
|---|---|---|---|
| FIPS 203 | ML-KEM (CRYSTALS-Kyber) | RSA, Diffie-Hellman, ECDH | Key encapsulation, key exchange |
| FIPS 204 | ML-DSA (CRYSTALS-Dilithium) | RSA signatures, ECDSA | Digital signatures, code signing |
| FIPS 205 | SLH-DSA (SPHINCS+) | RSA, ECDSA (alternate) | Digital signatures, hash-based |
A full cryptographic migration for a defence contractor typically touches six system categories:
1. VPN and remote access: IKEv2/IPsec key exchange uses Diffie-Hellman. ML-KEM replaces it. Every remote access session between your workforce and classified systems passes through this path.
2. Authentication and identity: PKI certificates, smart card authentication (CAC/PIV), and code signing all use RSA or ECDSA. ML-DSA provides the post-quantum replacement. Certificate reissuance is the largest operational effort.
3. Encrypted CUI storage: CUI at rest protected with RSA-wrapped symmetric keys needs key establishment migration. The symmetric layer (AES-256) is already quantum-resistant — it is only the key wrapping that needs updating.
4. Software supply chain: Firmware and software signing must use ML-DSA per CNSA 2.0 by 2030. If you ship software to the DoD, this includes your build pipeline signing keys and release certificates.
5. Secure email (S/MIME): S/MIME is RSA-based today. The migration path to ML-DSA exists and is well-defined. Lower priority than VPN and authentication but still within scope of a CMMC cryptographic review.
6. Subcontractor interfaces: Any encrypted API or file transfer between you and your subs uses the same vulnerable algorithms. Your CMMC Level 2 compliance boundary includes these flows — you own the risk even if your subcontractor owns the system.
The recommended path is hybrid deployment: run classical and post-quantum algorithms in parallel during the transition. X25519 + ML-KEM-768 for key exchange. RSA + ML-DSA for signatures. If either algorithm holds, the communication is secure. This is how Cloudflare, Google, and Apple have deployed PQC — and it is the approach that preserves backward compatibility with partners still migrating.
5 Things to Do Before Your Next CMMC Assessment
1. Complete a cryptographic inventory: You cannot migrate what you have not mapped. A cryptographic inventory identifies every system, dependency, certificate, key, and endpoint using RSA, ECDSA, or Diffie-Hellman. This is the deliverable OMB M-23-02 required of agencies. You need the equivalent for your contractor environment. Without it, your CMMC assessor will find gaps you did not know existed.
2. Score your CUI data by sensitivity window: Not all CUI is equal. Data that must stay confidential for two years and data that must stay confidential for twenty years require different urgency levels. Prioritise migration for long-lived CUI first — these are your highest Harvest Now, Decrypt Later exposure.
3. Identify your subcontractor cryptographic dependencies: Your CMMC Level 2 compliance boundary includes the systems that handle CUI on your behalf. If a subcontractor moves CUI via an RSA-protected API, that is your exposure. Map it now — before the assessment does it for you.
4. Produce a migration roadmap with CNSA 2.0 deadline mapping: A roadmap is not optional — it is the evidence your CMMC assessor and your prime contractor will ask for. It should specify: which algorithm is replaced by which NIST standard, by which system, by which date, with what effort estimate. CNSA 2.0 gives you the deadlines. The gap analysis gives you the effort.
5. Pilot hybrid deployment on one system this year: Pick your highest-risk external-facing system — your contractor portal, your VPN gateway — and run ML-KEM alongside your current key exchange. It is live, documentable, and demonstrates to assessors that migration is underway rather than planned.
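The hybrid key exchange described in the previous section (X25519 + ML-KEM-768) is also what the step 5 pilot runs on a VPN gateway or contractor portal. As an added example that is not code from the original article or from Novaders, this Go program performs both sides of such a handshake with the standard library's crypto/ecdh and crypto/mlkem packages (Go 1.24 or later); the Responder/Initiate/Finish names, the panic-on-error helper and the hash-based combiner label are this example's own choices, and a real deployment uses the combiner its protocol (IKEv2, TLS) specifies rather than this ad hoc one.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Responder (the gateway side) holds the private halves of both algorithms.
type Responder struct {
	x   *ecdh.PrivateKey
	kem *mlkem.DecapsulationKey768
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo shortcut; production code returns the error
	}
	return v
}
func NewResponder() *Responder {
	return &Responder{x: must(ecdh.X25519().GenerateKey(rand.Reader)), kem: must(mlkem.GenerateKey768())}
}
// Public returns the two values the responder advertises: X25519 point and ML-KEM encapsulation key.
func (r *Responder) Public() (x25519Pub, kemPub []byte) {
	return r.x.PublicKey().Bytes(), r.kem.EncapsulationKey().Bytes()
}
// combine binds both shared secrets into one key, so a break of X25519 alone or ML-KEM alone is not enough. Label is this example's own.
func combine(ssX25519, ssMLKEM []byte) [32]byte {
	return sha256.Sum256(append(append([]byte("example-hybrid-x25519-mlkem768"), ssX25519...), ssMLKEM...))
}
// Initiate (client side): ephemeral X25519 plus ML-KEM-768 encapsulation; returns the key and the two wire values (client point, ciphertext).
func Initiate(respX, respKEM []byte) ([32]byte, []byte, []byte) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	ssX := must(eph.ECDH(must(ecdh.X25519().NewPublicKey(respX))))
	ssK, ct := must(mlkem.NewEncapsulationKey768(respKEM)).Encapsulate()
	return combine(ssX, ssK), eph.PublicKey().Bytes(), ct
}
// Finish (responder side) completes X25519, decapsulates the ciphertext and derives the same key.
func (r *Responder) Finish(clientX, ct []byte) [32]byte {
	ssX := must(r.x.ECDH(must(ecdh.X25519().NewPublicKey(clientX))))
	return combine(ssX, must(r.kem.Decapsulate(ct)))
}

func main() {
	r := NewResponder()
	k1, clientX, ct := Initiate(r.Public())
	fmt.Printf("keys match: %v, ML-KEM ciphertext %d bytes\n", k1 == r.Finish(clientX, ct), len(ct))
}
```

Because the session key depends on both shared secrets, an attacker holding a recording of the exchange needs a break of X25519 and of ML-KEM-768 to recover it, which is the property the page's "if either algorithm holds" sentence describes.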
The Window You Have Right Now
There are two reasons 2026 is the right year to act, not 2028.
First, migration takes longer than expected. A realistic enterprise PQC migration — discovery, vendor coordination, testing, rollout, subcontractor alignment — takes 18 to 36 months. Starting in 2026 for a 2030 deadline is on schedule. Starting in 2028 is a scramble that costs three times as much and introduces operational risk during an active assessment cycle.
Second, CMMC assessment cycles are starting now. If you are going for Level 2 certification in 2026 or 2027, your C3PAO assessors will be looking at your cryptographic controls under NIST SP 800-171. Having a documented PQC roadmap — even if migration is still in progress — is a demonstrable control. Not having one is a finding.
Start with a free domain scan
We scan your public cryptographic surface — TLS certificates, cipher suites, dependency exposure — and deliver a risk-scored report within 48 hours. No code access required. No commitment.
What This Looks Like in Practice
At Novaders, we implemented ML-DSA-65 (NIST FIPS 204) in our own AuthentiScan platform — one of the first production deployments on finalised post-quantum standards. We know what this migration looks like from the inside, not just from a whitepaper.
Our Quantum Ready assessment for defence contractors covers:
- Full cryptographic surface scan across source code, dependencies, TLS certificates, SSH keys, and API endpoints
- Risk scoring against NIST IR 8547 and CNSA 2.0 deadlines (CRITICAL / HIGH / MEDIUM / SAFE)
- Prioritised migration roadmap with algorithm-by-algorithm replacement specifications and effort estimates
- Hybrid migration path designed for contractor environments with complex subcontractor dependencies
- Deliverable your CMMC C3PAO assessor and prime contractor can review
The Starter Assessment covers your public cryptographic surface and delivers a risk-scored PDF report within 48 hours. No code access required. The Full Assessment — covering code repositories, SSH keys, API endpoints, and subcontractor interfaces — takes 5–7 working days and includes a briefing call with your security team.