NSM-10 Explained: What the White House Directive Actually Requires of Federal Agencies
Federal civilian agencies operating systems classified as High Value Assets or rated FIPS 199 "High" on confidentiality are already in a live compliance cycle under OMB Memorandum M-23-02. The first cryptographic inventory submission deadline passed on May 4, 2023, and the cycle repeats annually through 2035.[M-23-02] Agencies that submitted thin inventories in early cycles, or missed them entirely, are accumulating a compliance record that ONCD and CISA will increasingly scrutinize as migration deadlines approach. This article unpacks what the directive actually mandates, how scope is determined, and what the funding assessment obligation means for budget planning.
What NSM-10 Actually Says, and What It Doesn't
President Biden signed National Security Memorandum 10 (NSM-10) on May 4, 2022, directing federal agencies to prioritise migrating cryptographic systems away from algorithms vulnerable to a cryptographically relevant quantum computer (CRQC).[NSM-10, White House] The directive establishes a 2035 target date to mitigate quantum cryptographic risk across federal systems "as feasible."[NSM-10, White House]
A critical scope boundary applies: National Security Systems (NSS) are explicitly excluded from NSM-10's civilian framework. NSS obligations fall under NSM-8 and the NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), which carries a 2031 deadline for many system categories, earlier than the civilian 2035 target.[NSA CNSA 2.0] Agencies operating in hybrid environments, managing both NSS and non-NSS systems, must track two distinct regulatory regimes simultaneously. NSM-10 does not govern NSS compliance, and conflating the two frameworks creates gaps in both directions.
M-23-02 Is the Operational Document: Here's What It Requires
OMB published Memorandum M-23-02 in November 2022 to operationalise NSM-10 for civilian agencies.[M-23-02, OMB] Where NSM-10 establishes policy intent, M-23-02 specifies the mechanics: what to inventory, who receives it, when submissions are due, and what funding documentation must accompany each cycle.
The memorandum requires agencies to submit annual cryptographic inventories to both the Office of the National Cyber Director (ONCD) and CISA.[M-23-02, OMB] The first deadline was May 4, 2023, 90 days after M-23-02's publication, and the obligation recurs annually through 2035. Within 30 days of each inventory submission, agencies must also deliver a funding assessment to ONCD and OMB documenting the resources required to execute migration for in-scope systems.[M-23-02, OMB] The inventory and the funding assessment are coupled deliverables; submitting one without the other constitutes an incomplete compliance cycle.
NIST's finalisation of ML-KEM under FIPS 203 and ML-DSA under FIPS 204 in 2024 removed the last defensible reason to defer migration roadmap development. Agencies can now map in-scope systems to standardised, production-ready algorithms rather than citing standardisation uncertainty.[NIST PQC Project]
How to Determine Which Systems Are In Scope
M-23-02 defines three criteria that trigger scope inclusion for the annual cryptographic inventory. A system qualifies if it meets any one of the following:[M-23-02, OMB]
- FIPS 199 High-impact rating on confidentiality, integrity, or availability. Any system where a breach would have a severe or catastrophic effect on agency operations, assets, or individuals meets this threshold.
- High Value Asset (HVA) designation. Systems designated as HVAs under existing DHS/CISA guidance are automatically in scope regardless of their FIPS 199 rating.
- Use of public-key or key-exchange cryptography protecting data that will remain sensitive through 2035. This criterion captures systems not necessarily rated FIPS 199 High but whose data carries long-term sensitivity: personnel records, classified programme data, treaty-related communications, and similar categories.
The third criterion is the most operationally demanding to apply because it requires security architects to assess data sensitivity over a 10-plus-year horizon, not just current classification. A system holding law enforcement investigative data generated today may not be a current HVA, but if that data will remain sensitive in 2035, it belongs in the inventory. This is where maintaining a cryptographic bill of materials becomes operationally essential: without visibility into which systems use which algorithms to protect which data categories, scoping is guesswork. Cryptographic inventory is also the first of the six components of crypto agility — agencies treating M-23-02 inventory submissions as compliance paperwork rather than a continuously maintained capability will rebuild the inventory from scratch at each subsequent migration phase.
The Funding Assessment Obligation Most Agencies Are Underestimating
The 30-day post-inventory funding assessment is the requirement most frequently treated as an administrative formality. It is not. ONCD and OMB use these submissions to inform multi-year budget planning for federal PQC migration, and thin or unrealistic assessments directly affect an agency's ability to secure migration funding through the President's Budget process.[M-23-02, OMB]
A credible funding assessment requires agencies to estimate costs across several dimensions: cryptographic discovery and inventory tooling, algorithm migration for each in-scope system, testing and validation against finalized NIST standards, and legacy system remediation where vendor PQC support is absent or unscheduled. Agencies that submit high-level estimates without system-level cost breakdowns are likely to find those estimates inadequate when migration efforts scale after 2027 and vendor capacity tightens. An incomplete funding assessment today is a budget liability in the out-years.
Where NSM-10 and CNSA 2.0 Intersect, and Why Hybrid Environments Face Additional Complexity
Agencies and contractors managing both NSS and non-NSS systems operate under two distinct compliance regimes with different algorithm requirements and different deadlines. NSM-10 and M-23-02 govern non-NSS civilian systems with a 2035 target. NSM-8 and CNSA 2.0 govern NSS with category-specific deadlines, some as early as 2027 and others at 2031.[NSA CNSA 2.0] The CNSA 2.0 deadline matrix by system type is the authoritative reference for NSS obligations and should be read alongside M-23-02, not instead of it.
The practical complexity arises in shared infrastructure. A network encryptor or key management system serving both NSS and non-NSS workloads must satisfy the more demanding CNSA 2.0 requirements, since the NSS component controls. Security architects should classify shared systems against NSS criteria first, then determine whether the resulting migration plan also satisfies M-23-02 obligations for the non-NSS workload. In most cases it will, because CNSA 2.0 specifies a superset of the algorithm capabilities NIST's finalized standards provide.[NSA CNSA 2.0] Operating compliantly across both regimes is itself a crypto agility test — specifically the configurability and governance components — because the two frameworks impose different algorithm preferences, different deadlines, and different audit evidence requirements on the same underlying cryptographic infrastructure.
Building Your Compliance Posture Through 2035: A Realistic Phased Approach
The 2035 deadline is not an invitation to defer action to the early 2030s. Migration timelines for large federal systems routinely span three to five years once procurement cycles, Authority to Operate (ATO) updates, integration testing, and workforce training are accounted for. Agencies that begin substantive migration work after 2028 face a high probability of missing the 2035 target for complex or legacy-dependent systems.[M-23-02, OMB]
A realistic phased posture looks like this:
- 2025-2026 (Now): Complete or validate the cryptographic inventory for all in-scope systems. Ensure the accompanying funding assessment reflects system-level cost estimates, not aggregate guesses. Establish a crypto agility programme so that algorithm substitution does not require full system re-engineering at each migration step — 2035 is the ceiling for the first transition, but the substitutability infrastructure you build now is what makes the ones after 2035 tractable.
- 2027-2029: Prioritise migration of FIPS 199 High and HVA systems to FIPS 203 (ML-KEM) for key encapsulation and FIPS 204 (ML-DSA) for digital signatures, as standardised by NIST.[NIST PQC Project] Legacy systems without vendor PQC roadmaps should enter formal decommission or replacement planning during this window.
- 2030-2033: Complete migration of remaining in-scope systems. Address residual legacy systems through compensating controls or accelerated replacement where migration is technically infeasible.
- 2034-2035: Final validation and compliance certification for the 2035 target. Document exceptions with risk acceptance rationale for ONCD review.
Systems processing data that will remain sensitive through 2035, the third M-23-02 scope criterion, should be treated as the highest migration priority regardless of current FIPS 199 rating. Adversaries collecting encrypted government data today intend to retain it for future decryption; migration of these systems cannot wait for the later phases of this timeline.[CISA Quantum Cybersecurity Guidance]
Implications for Government Agency Security Teams
NSM-10 and M-23-02 are not aspirational policy documents. They impose recurring, auditable obligations (annual inventory submissions, 30-day funding assessments, and documented migration progress) that ONCD and CISA are positioned to review against each prior year's submission. Agencies without a current, complete inventory are not in a pre-compliance posture; they are in a delinquent one.
Three specific actions belong on every agency security team's near-term calendar. First, validate that your most recent M-23-02 submission covered all three scope criteria, not just systems already in asset management databases as HVAs or FIPS 199 High. Second, confirm that the accompanying funding assessment reflects realistic, system-level migration cost estimates rather than placeholder figures. Third, assign ownership for the next annual cycle now, so the submission does not become a last-minute compliance exercise.
The single concrete action that should follow this article: pull your current system inventory this quarter and conduct a formal scoping audit against M-23-02's three criteria. Tag every system meeting any one criterion and verify it appears in your most recent ONCD/CISA submission. If it does not, treat the gap as a corrective submission opportunity now rather than an audit finding later. The M-23-02 text is publicly available and should serve as the direct reference for this exercise.[M-23-02, OMB]
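As an added illustration (not code from the article or from any official tooling), the scoping audit described above as a small Python script: it applies the three M-23-02 criteria to each inventory record, routes NSS and shared infrastructure to the CNSA 2.0 regime as the article describes, and lists in-scope systems missing from the prior ONCD/CISA submission. The record schema, field names, sample systems and prior submission set are constructed assumptions.

```python
from dataclasses import dataclass

M23_02_HORIZON = 2035  # M-23-02's data-sensitivity horizon


@dataclass
class SystemRecord:
    # Field names are assumptions for this example, not an official schema.
    name: str
    fips199: dict            # {"confidentiality": "High", ...} per FIPS 199 objective
    hva: bool                # High Value Asset designation
    uses_public_key: bool    # public-key or key-exchange cryptography in use
    sensitive_until: int     # year through which the protected data stays sensitive
    nss: bool = False        # National Security System (NSM-8 / CNSA 2.0 regime)
    shared: bool = False     # serves both NSS and non-NSS workloads


def m23_02_criteria(s: SystemRecord) -> list:
    """Return the M-23-02 scope criteria a system meets (any one puts it in scope)."""
    hits = []
    if any(v == "High" for v in s.fips199.values()):
        hits.append("FIPS199-High")
    if s.hva:
        hits.append("HVA")
    if s.uses_public_key and s.sensitive_until >= M23_02_HORIZON:
        hits.append("PK-sensitive-through-2035")
    return hits


def regimes(s: SystemRecord) -> list:
    """Pure NSS is outside NSM-10; shared infrastructure is classified against CNSA 2.0 first."""
    out = ["CNSA2.0"] if (s.nss or s.shared) else []
    if (not s.nss or s.shared) and m23_02_criteria(s):
        out.append("M-23-02")  # non-NSS workload still owes an M-23-02 inventory entry
    return out


def scoping_audit(inventory, last_submission) -> list:
    """Systems owing an M-23-02 inventory entry but absent from the last ONCD/CISA submission."""
    return sorted(s.name for s in inventory
                  if "M-23-02" in regimes(s) and s.name not in last_submission)


# Constructed sample inventory and a constructed prior submission (not real systems).
INVENTORY = [
    SystemRecord("hr-records", {"confidentiality": "Moderate"}, False, True, 2040),
    SystemRecord("public-site", {"confidentiality": "Low"}, False, True, 2026),
    SystemRecord("hva-payments", {"confidentiality": "Moderate"}, True, True, 2030),
    SystemRecord("nss-comms", {"confidentiality": "High"}, False, True, 2050, nss=True),
    SystemRecord("shared-kms", {"confidentiality": "High"}, False, True, 2045, shared=True),
]
LAST_SUBMISSION = {"hva-payments"}
if __name__ == "__main__":
    print("missing from last submission:", scoping_audit(INVENTORY, LAST_SUBMISSION))
```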
Key Takeaways
- NSM-10 (signed May 4, 2022) sets a 2035 target for federal civilian agencies to mitigate quantum cryptographic risk; OMB M-23-02 (November 2022) is the operational document that defines inventory, funding, and submission requirements.
- National Security Systems are explicitly out of NSM-10's scope; they fall under NSM-8 and CNSA 2.0 with earlier deadlines, some as soon as 2027.
- Annual cryptographic inventories are due to ONCD and CISA each year through 2035; the first deadline was May 4, 2023. A 30-day funding assessment follows each inventory submission.
- Three criteria trigger scope inclusion: FIPS 199 High-impact rating, HVA designation, or use of public-key cryptography protecting data that will remain sensitive through 2035.
- NIST's finalisation of FIPS 203 and FIPS 204 removes standardisation uncertainty as a reason to defer migration roadmap development.
- Agencies in hybrid NSS/non-NSS environments must satisfy CNSA 2.0 requirements for shared infrastructure before M-23-02 requirements; the more demanding standard controls.
- Realistic migration timelines for complex federal systems span three to five years; agencies that delay substantive work past 2028 face material risk of missing the 2035 target.
Primary sources:
This article draws on primary documentation from NSM-10 (White House, May 2022), OMB Memorandum M-23-02 (November 2022), NSA CNSA 2.0, and the NIST Post-Quantum Cryptography Project (CSRC). All claims verified against official sources as of April 2026.