up:: The Mandates MOC
OMB M-23-02
OMB M-23-02, “Migrating to Post-Quantum Cryptography,” is the November 18, 2022 memorandum from the White House Office of Management and Budget that requires every federal civilian agency to inventory its quantum-vulnerable cryptography and submit that prioritized inventory to the Office of the National Cyber Director (ONCD) and CISA every year through 2035. It’s the document that implements NSM-10 Section 3(b) for the civilian side of the government, and it’s the reason “we should think about post-quantum someday” became “here is a dated, reportable federal deliverable.” It was signed by OMB Director Shalanda D. Young and is mandatory for the agencies it covers.
The short version:
- M-23-02 is an OMB memorandum, issued November 18, 2022, that operationalizes NSM-10 for federal civilian executive branch (FCEB) agencies.
- Its central requirement is an annual prioritized inventory of quantum-vulnerable cryptographic systems, submitted to ONCD and CISA, first due May 4, 2023 and annually thereafter until 2035, plus a funding assessment 30 days after each inventory to ONCD and OMB.
- It binds all federal civilian agencies and covers both agency-operated and vendor-operated systems; national security systems are carved out.
- It has teeth: because the inventory is a FISMA-anchored obligation, missing it is a FISMA deficiency, not a missed suggestion.
- Its deadlines reach far past the government, because sector regulators, insurers, and procurement offices tend to adopt the federal template with a lag.
Think of it like the pipe survey a city orders before it can plan to replace lead service lines. Nobody can budget the replacement until somebody first maps exactly which pipes are lead, where they run, how old they are, and which neighborhoods they feed. M-23-02 is that survey order, aimed at cryptography instead of plumbing: count and characterize every quantum-vulnerable algorithm you’re running before you plan to replace it. A survey like that is dull right up to the moment it becomes the line item that unlocks the whole program’s funding.
What is OMB M-23-02?
OMB M-23-02 is a memorandum from the Office of Management and Budget, part of the Executive Office of the President, addressed to the heads of executive departments and agencies. Its stated purpose is to provide direction for agencies to comply with National Security Memorandum 10 (NSM-10), and it describes the preparatory steps agencies take as they begin the transition to post-quantum cryptography, principally by conducting a prioritized inventory of cryptographic systems. It was explicitly written as transitional guidance for the window before NIST finalized the PQC standards, with OMB committing to issue further guidance afterward.
Source: OMB, “Migrating to Post-Quantum Cryptography,” M-23-02, November 18, 2022, M-23-02 PDF, Overview and §II.A.
A few facts about its standing are worth stating precisely, because they change how you cite it:
- It’s mandatory. M-23-02 is an OMB memorandum to agency heads, and its inventory and funding-assessment requirements are directives (“agencies are directed to submit”), which agencies must meet rather than weigh as options.
- Its authority flows from NSM-10. The memo opens by saying it “provides direction for agencies to comply with National Security Memorandum 10,” and it quotes NSM-10’s 2035 mitigation goal directly. NSM-10 is the higher policy instrument; M-23-02 is the operational directive that carries it out on the civilian side.
- It sits inside FISMA. The memo is built on the Federal Information Security Modernization Act framework, requiring the FISMA system identifier as the first field of every inventory entry, so failure to submit is a reportable FISMA deficiency.
- Appendix A was corrected. The interim-benchmarks table carries a note that it was “corrected January 8, 2024” to clarify that the inventory and funding-assessment requirements apply to all agencies, though not to national security systems.
Source: OMB M-23-02, M-23-02 PDF, Overview, §II, and Appendix A footnote 18.
Who does M-23-02 apply to?
M-23-02 binds federal civilian executive branch (FCEB) agencies, and its inventory reaches every information system or asset those agencies operate or have operated on their behalf. The scope is drawn deliberately, and the edges matter:
- All federal civilian agencies. “Agency” takes the meaning given in 44 U.S.C. § 3502, so the memo covers the CFO Act agencies and the broader set of executive-branch civilian agencies subject to FISMA.
- Agency-operated and vendor-operated systems both. The inventory must encompass each qualifying system “whether operated by the agency or on the agency’s behalf.” An agency cannot push accountability onto a contractor or a cloud provider; cloud-hosted, SaaS, and managed services processing federal information are in scope. For FedRAMP-accredited cloud products, agencies are told to work with the FedRAMP PMO to obtain the cryptographic inventory.
- National security systems are excluded. NSS, as defined by 44 U.S.C. § 3552(b)(6) and § 3553(e)(2) or (e)(3), sit outside this inventory. They’re governed separately under NSM-10 directly and, for their cryptography, under NSA CNSA 2.0.
- Contractors are bound indirectly but really. M-23-02 doesn’t name contractors as addressees, yet a contractor running a system on an agency’s behalf inherits the cryptographic-inventory obligation through the agency relationship and its FISMA-derived contract terms.
- Commercial organizations aren’t directly covered. The memo creates no direct private-sector obligation. Its value to a bank, a hospital, or a utility is as a leading indicator, since sector regulators tend to model their eventual requirements on the federal template.
Source: OMB M-23-02, M-23-02 PDF, §II.A, footnotes 2, 6, 7, and 17.
What does M-23-02 require?
The memo establishes several distinct obligation streams. The prioritized inventory is the center of gravity; the rest support it.
- Designate a lead (§II.B). Within 30 days of publication, each agency designates a cryptographic inventory and migration lead and identifies that person to OMB. OMB uses these leads for government-wide coordination.
- Submit a prioritized cryptographic inventory (§II.A). Each agency submits, to ONCD and CISA, a prioritized inventory of information systems and assets that contain quantum-vulnerable cryptographic systems. The memo defines a “cryptographic system” as an active software or hardware implementation of one or more cryptographic algorithms that provides key creation and exchange, encrypted connections, or the creation and validation of digital signatures. Unused or inactive implementations are excluded.
- Prioritize by sensitivity (§II.A). The inventory covers each system or asset that is a high impact information system (FIPS 199 “high” in confidentiality, integrity, or availability), an agency High Value Asset (HVA), or any other system the agency judges particularly vulnerable to attacks by a CRQC, including systems whose data will still be mission-sensitive in 2035 and asymmetric-key logical access control systems such as public key infrastructure.
- Submit a funding assessment (§III). No later than 30 days after each annual inventory, agencies submit to ONCD and OMB an assessment of the funding required to migrate the inventoried systems during the following fiscal year. These feed the funding assessments NSM-10 §3(c)(iv) requires.
- Test pre-standardized PQC (§V). Agencies, and CISA in particular, are encouraged to work with vendors to run pre-standardized PQC in candidate environments, which may operate in production alongside approved algorithms with monitoring and safeguards.
- Stand up a working group (§VI). Within 30 days, OMB and ONCD establish a cryptographic migration working group of NIST, CISA, NSA, the FedRAMP PMO, and agency representatives, chaired by the Federal Chief Information Security Officer.
Source: OMB M-23-02, M-23-02 PDF, §II.A, §II.B, §III, §V, and §VI.
What has to be in each inventory entry?
For every system or asset in the inventory, the memo (§II.A) enumerates nine required data elements. This algorithm-level detail is what separates an M-23-02 cryptographic inventory from an ordinary asset list, and it’s the practical seed of a federal CBOM:
- The FISMA system identifier.
- The FIPS 199 system categorization (Low, Moderate, or High).
- The HVA identifier, if the system is an HVA.
- Each quantum-vulnerable cryptographic system actively used, including the algorithm, the service it provides, and the key or module length.
- The software-package classification (COTS, GOTS, or Other) with the vendor or developer name.
- The operating system, including major and minor version.
- The hosting environment (on-premise, commercial cloud, government cloud, or hybrid) with the provider name.
- The data lifecycle characteristics, including data type and how long the data and its metadata need protection (its “time to live”).
- Any additional notes the agency deems relevant.
A footnote (§II.A footnote 13) adds a privacy guardrail: agencies submit identifiers only and never include names that reveal the function or the logical or physical location of a system.
Source: OMB M-23-02, M-23-02 PDF, §II.A items 1 through 9 and footnote 13.
Which algorithms is the inventory hunting for?
M-23-02 predates the finished NIST PQC standards, so its only algorithm-specific content is Appendix B’s list of quantum-vulnerable targets. These are the quantum-vulnerable algorithms the inventory is meant to surface:
| Algorithm | Function | Specification |
|---|---|---|
| ECDH key exchange | Key establishment | NIST SP 800-56A/B/C |
| Menezes-Qu-Vanstone (MQV) key exchange | Key establishment | NIST SP 800-56A/B/C |
| ECDSA | Digital signatures | FIPS PUB 186-4 |
| DH key exchange | Key establishment | IETF RFC 3526 |
| RSA signature algorithm | Key establishment | FIPS SP 800-56B Rev. 1 |
| Digital Signature Algorithm (DSA) | Digital signatures | FIPS PUB 186-4 |
| Other non-PQC asymmetric algorithm | Any not listed above | Not applicable |
Appendix B footnote 19 makes the last row a catch-all: agencies are encouraged to include any asymmetric algorithm not definitively known to be quantum-resistant. The replacements the government now points agencies toward, the FIPS PQC standards (ML-KEM for key establishment, ML-DSA and SLH-DSA for signatures), and the deprecation schedule in NIST IR 8547, all came after this memo and now sit on top of the inventory it created.
Source: OMB M-23-02, M-23-02 PDF, Appendix B and footnote 19.
What is the M-23-02 timeline?
The memo attaches dated taskings to its obligations, anchored to the November 18, 2022 publication date. Appendix A collects them as interim benchmarks. Here is the schedule, with the calendar dates the day-counts resolve to:
| Tasking | Deadline | Responsible body | Source |
|---|---|---|---|
| Designate cryptographic inventory and migration lead | Within 30 days (Dec 18, 2022) | All agencies | §II.B; Appendix A |
| Establish OMB and ONCD cryptographic migration working group | Within 30 days (Dec 18, 2022) | OMB, ONCD | §VI |
| Establish PQC testing information-exchange mechanism | Within 60 days (Jan 17, 2023) | NIST | §V; Appendix A |
| Release instructions for collection and transmission of inventory | Within 90 days (Feb 16, 2023) | ONCD | §II.B; Appendix A |
| Release instructions for funding assessments | Within 90 days (Feb 16, 2023) | ONCD | §III; Appendix A |
| Produce a security classification guide, if one is deemed needed | Within 90 days (conditional) | CISA | §II.B |
| Submit first prioritized cryptographic inventory | By May 4, 2023, annually until 2035 | All agencies | §II.A; Appendix A |
| Submit funding assessment | 30 days after each inventory, annually | All agencies | §III; Appendix A |
| Release strategy on automated tooling for PQC-adoption assessment | Within 1 year (Nov 18, 2023) | CISA | §IV; Appendix A |
| Report testing of pre-standardized PQC | Ongoing | All agencies | §V; Appendix A |
| Mitigate as much quantum risk as feasible | By 2035 | All agencies | §II.A, quoting NSM-10 |
Source: OMB M-23-02, M-23-02 PDF, §II through §VI and Appendix A.
Two things about the timeline catch people. The first is that the inventory is recurring, not a one-time exercise: it repeats every year through 2035, and each cycle carries its own funding assessment 30 days behind it. The second is that the 2035 date is a policy target inherited from NSM-10, phrased as “mitigating as much of the quantum risk as is feasible by 2035,” rather than an algorithm-by-algorithm cutoff. The dated cutoffs for specific algorithms live in NIST IR 8547.
How does M-23-02 relate to NSM-10 and the other mandates?
M-23-02 is one layer in a stack, and it helps to see where it sits:
- NSM-10 is the policy above it. National Security Memorandum 10, issued May 4, 2022, set the 2035 mitigation goal and directed OMB, working with ONCD, to establish the inventory requirements. M-23-02 is OMB carrying out that instruction for civilian agencies.
- NIST IR 8547 supplies the algorithm clock. M-23-02 tells agencies to find their quantum-vulnerable cryptography; IR 8547 tells them which algorithms are deprecated and disallowed and by which year (2030 and 2035). The inventory feeds the schedule.
- NSA CNSA 2.0 governs the systems M-23-02 excludes. National security systems follow CNSA 2.0 on a separate, generally more aggressive track. An agency running both civilian and national-security systems answers to both.
- FISMA is the legal chassis. Because the inventory keys on the FISMA system identifier and rides FISMA reporting, an M-23-02 shortfall surfaces as a FISMA deficiency.
- Later executive orders and OMB memos build on this inventory. Subsequent federal guidance (tracked in The Mandates MOC) sets phased migration deadlines, and it treats the M-23-02 inventory and its nine-element schema as the baseline those migration plans prioritize against.
Source: OMB M-23-02, M-23-02 PDF, Overview and §II.A; NSM-10, National Security Memorandum 10, May 4, 2022.
What does the mandate actually force?
A dated regulatory requirement is what turns “someday” into a funded program, and that’s the real work M-23-02 does. Before it, the honest answer to “when do we have to migrate” was “before a quantum computer exists, and nobody knows when that is,” which is precisely the kind of answer that never earns a budget line. M-23-02 replaces the open question with a recurring deliverable that has named recipients (ONCD and CISA for the inventory, ONCD and OMB for the funding assessment), a fixed schema, and a due date every year. That’s the mechanism by which a cryptographic migration acquires an owner, a phase plan, and money.
It also sets an implicit order of operations that outlives the memo itself. The inventory comes first, because you can’t plan or price a migration for systems you haven’t mapped, and most existing asset inventories don’t capture cryptography at the algorithm level the nine-element schema demands. The prioritization then points the work at the systems that matter most: HVAs, high impact systems, and anything holding data that stays sensitive out to 2035, which is the same population most exposed to harvest-now-decrypt-later collection. And because the inventory explicitly reaches vendor-operated and cloud-hosted systems, it forces the awkward but necessary conversation about cryptography an agency doesn’t directly control.
The defensibility bar is worth naming plainly: the inventory is a FISMA-anchored obligation, so completeness is the thing that holds up under review. An inventory that lists “Application X uses TLS” without naming the underlying algorithm and key length isn’t the algorithm-level enumeration §II.A asks for, and that gap is the most common reason a submission reads as incomplete.
Source: OMB M-23-02, M-23-02 PDF, §II.A and §III.
Common misconceptions
- “M-23-02 is a one-time inventory.” It’s annual. Agencies submit a prioritized inventory by May 4, 2023 and every year thereafter until 2035, each followed by a funding assessment 30 days later.
- “An asset inventory satisfies it.” The memo asks for algorithm-level detail (the specific quantum-vulnerable algorithm, the service, and the key or module length), not a list of systems. A system list without the cryptographic specifics doesn’t meet §II.A.
- “It sets the 2030 and 2035 algorithm deadlines.” M-23-02 quotes NSM-10’s 2035 mitigation goal, but the dated deprecation and disallowance of specific algorithms lives in NIST IR 8547, not in this memo.
- “It only touches systems the agency runs itself.” The inventory covers systems operated “on the agency’s behalf” too, so vendor-operated, cloud, and SaaS systems are squarely in scope.
- “Vendors are responsible for their own systems’ compliance.” The agency stays accountable for the cryptographic posture of every system that processes federal information, regardless of who operates it. The memo gives agencies no delegation escape hatch.
- “It’s guidance you can skip.” The inventory and funding assessment are directives inside the FISMA framework. A shortfall is a reportable FISMA deficiency.
Questions people ask
Does M-23-02 apply to my organization? Directly, only if you’re a federal civilian executive branch agency, or a contractor operating a system on such an agency’s behalf. If you sell to the federal government, hold a FedRAMP authorization, or operate in a regulated sector, treat it as the template your customers’ and regulators’ requirements are converging on.
What’s the actual first deadline? The first prioritized cryptographic inventory was due May 4, 2023, to ONCD and CISA, with annual submissions after that until 2035. The 30-day lead-designation deadline fell on December 18, 2022.
Is it a law or guidance? It’s an OMB memorandum, which is binding executive-branch policy for the agencies it addresses, not a statute. Its force comes from being a directive inside the FISMA framework and from implementing NSM-10.
What happens if an agency misses it? Missing the required inventory or funding assessment is a FISMA deficiency, reportable through annual FISMA processes. There’s no separate fine, but FISMA exposure and oversight attention are real.
Does it reach me through my vendors or customers? Yes, that’s the main path for anyone outside the federal government. Agencies must inventory vendor-operated and cloud-hosted systems, so vendors get asked for cryptographic disclosures, and procurement requirements increasingly build in PQC-migration expectations.
Where do agencies actually submit the inventory? To ONCD and CISA, using the tool and procedure ONCD released (within 90 days of the memo) and posts, along with consolidated implementation guidance, on OMB MAX. The memo directs policy questions to the OMB Office of the Federal Chief Information Officer.
Does it tell me which post-quantum algorithms to deploy? No. M-23-02 was written before the NIST PQC standards were finalized, so it names only the quantum-vulnerable algorithms to inventory. The approved replacements come from the FIPS standards (ML-KEM, ML-DSA, SLH-DSA) and the transition schedule from NIST IR 8547.
How does the 2035 date relate to Mosca’s Theorem? The 2035 goal is a policy judgment that the migration has to be well underway now to finish before a CRQC arrives. That’s the same logic Mosca’s theorem formalizes: if the time your data must stay secret plus the time to migrate exceeds the time until a quantum computer exists, you’re already late.
Everything here is the map, given freely. When your team needs M-23-02’s inventory and funding-assessment obligations translated into a program sequenced against your own systems, that’s what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.