up:: The Mandates MOC

NSM-10

NSM-10, “National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” is the May 4, 2022 presidential directive that set the United States government’s policy on the quantum threat to cryptography. It’s the top of the federal post-quantum stack: a presidential order that frames a cryptanalytically relevant quantum computer as a national-security problem and sets 2035 as the year by which the government wants to have mitigated as much of the quantum risk as is feasible.

The memo itself regulates no one directly. It directs NIST to finish the post-quantum standards, directs OMB to make civilian agencies inventory their cryptography, and directs NSA to cover national-security systems. It’s the policy source that the enforceable mandates below it (OMB M-23-02, CNSA 2.0, NIST IR 8547) all trace their authority to.

The short version:

  • NSM-10 is a presidential directive from May 4, 2022, and it’s the highest-authority document in the U.S. federal PQC program. Every federal deadline you’ll hear about traces back to it.
  • It sets the headline goal of “mitigating as much of the quantum risk as is feasible by 2035,” and that phrasing is deliberately qualified. It’s a policy target for how far to get, framed by feasibility, rather than a promise that every federal system is migrated by that date.
  • It binds all federal agencies. Civilian agencies get their marching orders through OMB M-23-02, national-security systems through CNSA 2.0, and the technical roadmap through NIST IR 8547.
  • It tasks specific officials with specific dated deliverables: NIST working groups within 90 days, civilian cryptographic inventories within a year, NSA guidance for national-security systems within a year, and more.
  • Its reasoning is that migration has to start now, before a quantum computer exists, because of harvest-now-decrypt-later risk and the years a migration takes.

Think of NSM-10 as the founding charter for the federal quantum transition. A charter doesn’t tell any one office what to do on a Tuesday. It names the mission, assigns the departments, and puts a date on the wall.

The detailed work orders come from the memos and standards written underneath it: who inventories what, which algorithm replaces which, what the deadline is for a given system. When someone at a federal agency asks “who says we have to do this,” the honest answer runs up the chain to this document.

What is NSM-10?

NSM-10 is a National Security Memorandum, a presidential directive carrying full executive-branch authority, signed by President Biden on May 4, 2022. Its full title is “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” and its two-part purpose is right there in the name: keep the U.S. ahead in quantum information science, and protect the country’s cryptography from the quantum computer that quantum research is racing toward.

Source: The White House, “National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” May 4, 2022, bidenwhitehouse.archives.gov.

Three things about its standing are worth being precise on, because they shape how you cite it:

  1. It’s a policy directive, not an implementing regulation. NSM-10 sets policy and hands out taskings. It doesn’t itself tell an agency which algorithm to deploy or hand a vendor a compliance checklist. It orders the offices that write those rules to write them, which is why it reads as a list of assignments with due dates.
  2. Its force comes from what it spawns. The teeth are in the documents it directed into existence: OMB’s civilian inventory and migration memo (OMB M-23-02), NSA’s national-security-system requirements (CNSA 2.0), and NIST’s algorithm roadmap (NIST IR 8547). NSM-10 is the authority those documents cite.
  3. It defines its own terms. Section 5 gives working definitions the rest of the federal program reuses, including “cryptanalytically relevant quantum computer,” “cryptographic agility,” “quantum-resistant cryptography,” and “high value asset.” Standardizing that vocabulary at the presidential level is part of what makes the downstream mandates line up.

Who does NSM-10 apply to?

NSM-10 reaches every part of the federal government, and it splits the federal world into two lanes that get governed by two different implementing documents. It then reaches past the government through critical-infrastructure engagement and procurement.

  1. All federal agencies. This is the broadest-scope federal PQC document. It covers civilian agencies and national-security systems both, and it routes them to separate rulebooks (below).
  2. Federal civilian executive branch agencies. Civilian agencies get their concrete inventory and migration-plan obligations through OMB, per the memo’s direction to the Director of OMB. That direction became OMB M-23-02.
  3. National-security systems. Agencies operating national-security systems answer to the National Manager (NSA) rather than OMB. NSM-10 directs NSA to issue migration guidance for those systems, which became CNSA 2.0, and CNSA 2.0’s near-term dates are more aggressive than the civilian schedule for several categories.
  4. Critical-infrastructure operators. NSM-10 directs CISA, working with sector risk-management agencies, to engage critical-infrastructure and state, local, tribal, and territorial partners about quantum risk and to report annually on accelerating their migration. That engagement is a formal tasking, so critical-infrastructure sectors face rising expectations even where they aren’t directly bound by federal information-security law.
  5. The defense industrial base and commercial suppliers. The memo directs the Secretary of Defense to assess quantum risk to the defense industrial base and to plan engagement with key commercial entities, and it directs NIST to work with the private sector on adoption. Commercial firms get no direct compliance obligation from NSM-10 itself, but the government’s expectation that industry aligns with the PQC standards is stated plainly.

The practical takeaway on scope: if you’re a federal agency, NSM-10 is the reason you have a program. If you sell to the federal government or run critical infrastructure, it’s the reason the requirement is coming toward you through your customers and your regulators.

What does NSM-10 require?

NSM-10 works as a tasking directive. It sets a few policy commitments, then assigns dated deliverables to named officials. The commitments:

  1. Transition to quantum-resistant cryptography, starting now. The government will prioritize moving off quantum-vulnerable public-key cryptography, and the transition has to begin before a quantum computer exists, because recording-encrypted-traffic-today attacks and multi-year migration timelines don’t wait for the machine to arrive.
  2. Finish and adopt the NIST standards. NSM-10 directed NIST to finalize the post-quantum standards (now published as FIPS 203, FIPS 204, and FIPS 205) and directed agencies to adopt NIST-approved algorithms for new systems and as the migration target for existing ones.
  3. Inventory first. Agencies have to identify and inventory the systems still using quantum-vulnerable cryptography, prioritizing high value assets and high impact systems, and keep those inventories current. This is the policy origin of the cryptographic inventory requirement.
  4. Build for cryptographic agility. Section 3(b) makes agility central to the effort, so systems can be updated to new algorithms later without rebuilding the infrastructure around them. Section 5 defines it as “a design feature that enables future updates to cryptographic algorithms and standards without the need to modify or replace the surrounding infrastructure.”

The memo’s own words on the goal, from Section 3(a):

“the United States must prioritize the timely and equitable transition of cryptographic systems to quantum-resistant cryptography, with the goal of mitigating as much of the quantum risk as is feasible by 2035.”

Source: NSM-10 §3(a), bidenwhitehouse.archives.gov.

What is the NSM-10 timeline?

Most of NSM-10’s dated taskings live in Section 3(c), which runs fifteen subordinate clauses assigning deadlines to NIST, OMB, CISA, the National Cyber Director, NSA, agency heads, and the Secretary of Defense. Some are measured from the memo’s date (May 4, 2022); some are measured from the release of the first NIST PQC standards. Here are the fixed, dated ones:

TaskingWhoDeadlineReference
Identify a liaison to the National Quantum Coordination OfficeAgencies funding/developing/acquiring quantum computersWithin 90 days of the memo§2(f)
Initiate an open PQC-adoption working group with industryDirector of NISTWithin 90 days of the memo§3(c)(i)
Establish the Migration to Post-Quantum Cryptography Project at the NCCoEDirector of NISTWithin 90 days of the memo§3(c)(ii)
Engage critical-infrastructure and SLTT partners, report annually to OMB/APNSA/NCDDirector of CISAWithin 180 days of the memo, then annually§3(c)(iii)
Establish requirements to inventory all non-NSS cryptographic systemsDirector of OMBWithin 180 days of the memo, ongoing§3(c)(iv)
Deliver an inventory of CRQC-vulnerable IT systems to CISA and the NCDFCEB agency headsWithin 1 year of the memo, then annually§3(c)(v)
Deliver a status report on FCEB migration progress to APNSA and OMBNational Cyber DirectorBy October 18, 2023, then annually§3(c)(vi)
Release a proposed deprecation timeline for quantum-vulnerable cryptographyDirector of NISTWithin 90 days of the first NIST PQC standards, then annually§3(c)(vii)
Issue a policy memo requiring FCEB migration plansDirector of OMBWithin 1 year of the first NIST PQC standards§3(c)(viii)
Hold off procuring commercial PQC solutions for production systemsFCEB agency headsUntil the first NIST PQC standards release§3(c)(ix)
Provide PQC migration/oversight guidance for national-security systemsDirector of NSA (National Manager)Within 1 year of the memo, then annually§3(c)(x)
Identify and document all NSS use of quantum-vulnerable cryptographyNSS agency headsWithin 1 year of the memo, ongoing§3(c)(xi)
Implement symmetric-key protections for quantum-vulnerable key exchangesAgencies maintaining NSSBy December 31, 2023§3(c)(xiv)
Deliver a defense-industrial-base risk assessment and engagement planSecretary of DefenseBy December 31, 2023§3(c)(xv)
Develop technology-protection plans for quantum R&D and acquisitionAgencies funding/developing/acquiring quantum computersBy December 31, 2022, then annually§4(d)
Mitigate as much quantum risk as is feasibleWhole of governmentGoal year 2035§3(a)

Source: NSM-10 §2, §3(c), §4(d), bidenwhitehouse.archives.gov.

The memo also sets a broader ambition for the deprecation timeline NIST was tasked to publish in §3(c)(vii): the goal of “moving the maximum number of systems off quantum-vulnerable cryptography within a decade of the publication of the initial set of standards.” That decade-from-standards framing is what NIST later operationalized in NIST IR 8547’s 2030 and 2035 deprecation years.

How firm is the 2035 goal?

The 2035 date is a qualified policy goal, and reading it as a hard cutoff misses the memo’s own wording. Section 3(a) sets the goal as “mitigating as much of the quantum risk as is feasible by 2035,” and the phrase “as is feasible” is doing real work. It’s a target for how far the government wants to get, bounded by what’s practical, rather than a guarantee that every federal system is migrated by that year. The memo reinforces the point in Section 1(d), where it reserves the right to issue “additional guidance and directives” as quantum technology and its risks mature.

Two things follow from that:

  1. 2035 is best treated as a policy floor. It reflects the government’s judgment about the risk horizon and gives every downstream mandate a date to anchor to, and later documents have tightened the near-term schedule considerably rather than relaxing it.
  2. The real deadline for any specific system depends on that system’s own exposure. Data that has to stay secret for a long time is already at risk today under harvest-now-decrypt-later. The way to reason about a given system’s urgency is Mosca’s inequality (how long your data must stay secret, plus how long migration takes, against how long until a quantum computer arrives), and that math rarely lands on the year a memo prints.

How does NSM-10 relate to the other mandates?

NSM-10 sits at the top, and the documents most federal teams actually work from are its children. The chain is worth holding in your head, because people often know the implementing memo without knowing it’s an implementing memo.

DocumentRole relative to NSM-10
OMB M-23-02The civilian implementing instrument. Converts NSM-10’s inventory-and-plan direction into concrete requirements for federal civilian agencies.
CNSA 2.0The national-security-systems implementation. Gives algorithm requirements and timelines for NSS, with more aggressive near-term dates than the civilian side.
NIST IR 8547The technical roadmap. Maps each quantum-vulnerable algorithm to its replacement and attaches the 2030/2035 deprecation years the civilian program follows.
FIPS 203 / FIPS 204 / FIPS 205The standards NSM-10 directed NIST to finalize, now the approved algorithms agencies migrate toward.
CISA PQC workImplements NSM-10’s direction to CISA to coordinate the civilian transition and engage critical infrastructure.

One older document to keep straight from NSM-10: Executive Order 14028, “Improving the Nation’s Cybersecurity” (May 2021), set the broader zero-trust and software-supply-chain agenda. NSM-10 is the quantum-specific piece that sits alongside it. Newer executive orders and OMB memos have since tightened the civilian schedule on top of the NSM-10 foundation, converting its “as feasible by 2035” goal into firmer near-term dates.

Common misconceptions

  1. “NSM-10 is a compliance regulation I check against.” It’s a presidential policy directive that assigns taskings. The checkable requirements live in the documents it spawned, especially OMB M-23-02 for civilian agencies and CNSA 2.0 for national-security systems.
  2. “2035 is a hard deadline to be fully migrated.” The memo’s goal is “mitigating as much of the quantum risk as is feasible by 2035,” which is a qualified target. Newer mandates set firmer near-term civilian dates, and any system holding long-lived secrets is on a faster clock than 2035 because of harvest-now-decrypt-later.
  3. “It only touches the federal government.” Directly, it binds federal agencies. It also directs formal engagement with critical infrastructure and the defense industrial base, and its standards become the commercial default through procurement and regulators that follow NIST.
  4. “Civilian and national-security systems follow the same rules under NSM-10.” They split into two lanes with two different implementing documents and two different timelines. Conflating OMB’s civilian requirements with NSA’s CNSA 2.0 produces a plan that’s wrong for both.
  5. “NSM-10 tells me which algorithm to deploy.” It doesn’t. It directed NIST to produce the standards and the roadmap. The algorithm-level answers are in FIPS 203, FIPS 204, FIPS 205, and NIST IR 8547.

Questions people ask

Does NSM-10 apply to my organization? Directly, if you’re a U.S. federal agency. Civilian agencies act through OMB M-23-02; national-security systems act through CNSA 2.0. If you’re a federal contractor, a critical-infrastructure operator, or a commercial vendor, NSM-10 doesn’t bind you on its own, but it drives the requirements that reach you through procurement, sector regulators, and your federal customers.

Is it law, or is it guidance? It’s a presidential directive with full executive-branch authority, which is stronger than agency guidance but different from a statute or a published regulation. It orders federal offices to act and to write the specific rules. The enforceable specifics live in those downstream rules, not in NSM-10’s text.

What’s the actual deadline? The headline is 2035, framed as “mitigating as much of the quantum risk as is feasible by 2035,” so it’s a qualified goal rather than an absolute cutoff. Your real deadline is system-specific and often earlier: the civilian program has firmer near-term dates now, and long-lived secrets are already exposed to harvest-now-decrypt-later.

Why does a memo from 2022 still matter if the standards are already out? Because it’s the authority the whole program rests on. When the standards (FIPS 203 and its siblings) and the roadmap (NIST IR 8547) point back to “why do we have to do this,” the answer is NSM-10. It’s also the definitional source for terms the rest of the federal program reuses.

What does the 90-day and one-year language mean, from when? Deadlines in NSM-10 are measured from one of two clocks: the date of the memo (May 4, 2022) for most of the early taskings, or the release of the first NIST PQC standards for the deprecation-timeline and migration-plan taskings. The table above marks which clock each one uses.

Does NSM-10 require a cryptographic inventory? Yes. It directs agencies to identify and inventory the systems still using quantum-vulnerable cryptography, prioritizing high value assets and high impact systems, and to keep those inventories current. That direction is the policy origin of the cryptographic inventory work the civilian program runs on.

How does NSM-10 line up with the NIST standards? NSM-10 directed NIST to finalize them and to publish a deprecation timeline within 90 days of their release, aiming to move the maximum number of systems off vulnerable cryptography within a decade of publication. NIST turned that into the concrete 2030 and 2035 years in NIST IR 8547.

What happens if a system holds data that has to stay secret past 2035? Then 2035 is the wrong number to plan against. Data that must remain confidential for a long time is already exposed today under harvest-now-decrypt-later, which is exactly why NSM-10 says the transition has to begin immediately. Use Mosca’s inequality to reason about that system’s real urgency.


Everything here is the map, given freely. When your team needs NSM-10 and its implementing mandates translated into a phased migration sequenced against your own systems, that’s what an alignment briefing is for.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.