DEFENSE CONTRACTOR QUANTUM RISK
NSA CNSA 2.0 mandates post-quantum cryptography for defense contractors starting 2027. PTG helps DIB organizations meet deadlines, protect CUI, and maintain CMMC compliance.
CNSA 2.0 Migration Deadlines
These are mandates, not recommendations. Missing them puts your contracts at risk.
2025: Preference for PQC in new procurements
2027: PQC required for all software systems
2030: PQC required for hardware and firmware
2033: Classical algorithms deprecated
2035: Final transition complete
Quantum Vulnerable Areas
CUI in Transit
Controlled Unclassified Information protected by RSA/ECC during transmission is vulnerable to harvest-now-decrypt-later attacks.
CUI at Rest
Encrypted CUI stored with classical public-key cryptography will be exposed when quantum computers arrive.
Supply Chain Communications
Subcontractor communications and data exchanges create additional exposure points throughout the defense supply chain.
ITAR and Export-Controlled Data
Export-controlled technical data has regulatory lifetimes measured in decades, far outlasting current encryption protection.
Frequently Asked Questions
Does CMMC 2.0 require post-quantum cryptography?
Not yet explicitly, but CMMC inherits NIST SP 800-171 requirements for FIPS-validated cryptography. As NIST PQC standards become mandatory, CMMC assessors will evaluate your cryptographic posture. Starting now avoids last-minute scrambles.
When should defense contractors start PQC migration?
Now. The 2027 software mandate is less than two years away. Migration typically takes 18 to 36 months, which means organizations that have not started are already behind.
What about NSA CNSA 2.0?
CNSA 2.0 defines the specific post-quantum algorithms and timelines for national security systems. Defense contractors working on classified or sensitive programs must align with these requirements. Read the NSA guidance.
Assess Your Quantum Risk
Start with a quantum readiness assessment to understand your exposure and build a migration roadmap.