The PQC Compliance Roadmap for CISOs: Frameworks, Deadlines, and What's Actually Mandatory
On September 21, 2026, NIST's Cryptographic Module Validation Program will stop validating cryptographic modules that do not incorporate post-quantum algorithms. Any organization whose FIPS 140 certification status underpins federal contracts, FedRAMP authorizations, or regulated-industry security obligations faces a hard operational cutoff - not a soft deadline subject to waiver. That date is less than 18 months away as of this writing. The more significant problem is that organizations treating PQC compliance as a future planning exercise are already behind: large enterprises average seven to ten years to complete cryptographic migrations, and the full federal disallowance deadline under NIST IR 8547 and NSM-10 falls in 2035. The math does not work unless planning begins now.
This article maps the layered compliance obligations, sequences the confirmed deadlines, identifies the gaps that regulators have not resolved, and provides a working framework for initiating a defensible PQC compliance program.
The Mandate Landscape: What's Actually Required and Who It Applies To
There is no single, universal PQC mandate - and that structural ambiguity is itself a compliance risk. CISOs are instead navigating five overlapping directive layers, each with distinct scope and enforceability.
NSM-10 (National Security Memorandum 10, May 2022) is the foundational U.S. federal directive. Issued by the White House, it establishes that all National Security Systems (NSS) must migrate to post-quantum cryptography, sets an annual cryptographic inventory requirement for agencies, and anchors the 2027, 2033, and 2035 milestone targets. NSM-10 applies directly to federal agencies and, by extension, to defense contractors operating on or interfacing with NSS environments.[NSM-10, White House, 2022]
NIST IR 8547 (Initial Public Draft, 2024) establishes the algorithm transition timeline for all federal information systems - not only NSS. It sets 2031 as the deprecation date for vulnerable algorithms and 2035 as the date of full disallowance across federal environments. Because NIST guidance cascades into procurement requirements and regulated-industry standards, the 2031 and 2035 dates carry practical weight for any organization subject to federal contracting or FISMA obligations.[NIST IR 8547 IPD, 2024]
CNSA 2.0 (Commercial National Security Algorithm Suite 2.0), published by NSA, specifies the exact algorithms required for NSS environments: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) as an additional signature option. CNSA 2.0 mandates that new NSS acquisitions comply beginning January 1, 2027.[NIST PQC Project, CSRC]
FIPS CMVP (Cryptographic Module Validation Program) governs which cryptographic modules are accepted for federal use and, by extension, for any commercial or regulated-industry context that requires FIPS 140 validated cryptography. The September 21, 2026 cutoff for non-PQC module validation is a CMVP administrative decision with immediate downstream consequences for procurement and certification continuity.
International frameworks add a fifth layer for multinational organizations. Canada's ITSM 40.001 sets an April 2026 deadline for initial PQC migration planning documentation.[Canada ITSM 40.001, CCCS] The EU's coordinated PQC roadmap (2025) establishes a phased migration structure differentiated by application type, running through 2035. The UK NCSC structures its guidance around three milestone phases in 2028, 2031, and 2035. None of these frameworks are legally identical to U.S. federal mandates, but they collectively define what regulators and counterparties in those jurisdictions will expect.
The operative point for CISOs: the absence of one universal mandate does not reduce the compliance burden. It distributes that burden across multiple simultaneous obligations with different applicability triggers - a condition that requires explicit program architecture, not ad hoc response.
The Compliance Timeline You Need on Your Wall: 2026 Through 2035
The following represents the confirmed, source-attributed deadline sequence. Where a deadline is drawn from an initial public draft (as with NIST IR 8547), that status is noted - the timeline may shift if the final publication alters dates, but security architects broadly recommend planning against IPD timelines rather than waiting for finalization.
2026
- April 2026: Government of Canada agencies must complete initial PQC migration planning documentation under ITSM 40.001.[Canada ITSM 40.001, CCCS]
- September 21, 2026: NIST CMVP ceases validation of cryptographic modules that do not incorporate post-quantum algorithms. This is not a deprecation of existing validated modules; it is a cutoff for new validations. Organizations that need to renew or obtain FIPS 140 validation after this date must submit PQC-capable modules.
2027
- January 1, 2027: All new NSS acquisitions must comply with CNSA 2.0 under NSM-10. Defense contractors and agencies that procure cryptographic capabilities for NSS environments after this date must specify and deploy ML-KEM, ML-DSA, or SLH-DSA - or face non-compliant acquisitions.[NSM-10, White House, 2022]
2028-2031
- 2028: UK NCSC Phase 1 milestone - organizations should have completed discovery and prioritization of cryptographic assets.[NCSC PQC Guidance, UK]
- December 31, 2030: DoD NSS symmetric and pre-shared key cryptography phase-out target under DoD CIO guidance.[NSM-10, White House, 2022]
- 2031: NIST IR 8547 deprecation of vulnerable algorithms (RSA, ECC, finite-field Diffie-Hellman) across federal information systems. The binding implications of these NIST IR 8547 deprecation dates extend beyond federal agencies to any organization that must demonstrate NIST-aligned cryptographic practice.[NIST IR 8547 IPD, 2024]
- 2031: UK NCSC Phase 2 milestone - migration of high-priority systems complete.
2033-2035
- 2033: NSM-10 comprehensive NSS migration target - all NSS environments fully migrated to post-quantum cryptography.[NSM-10, White House, 2022]
- 2035: NIST IR 8547 full disallowance of deprecated algorithms in federal information systems. Use of RSA, ECC, and related schemes in federal contexts becomes non-compliant after this date.[NIST IR 8547 IPD, 2024] NSM-10 aligns the full federal migration target to the same year.
- 2035: UK NCSC Phase 3 milestone - full migration complete. EU coordinated roadmap phased conclusion.
The seven-to-ten year average migration timeline for large enterprises means that an organization beginning its cryptographic inventory in late 2025 or 2026 is targeting a completion date of 2032-2036 at best - which places it at the edge of the 2035 disallowance window with no margin for program delays.
FIPS 140 and CNSA 2.0 - The Two Immediate Pressure Points
Of the deadlines above, two require action within this calendar year and the next: the CMVP cutoff in September 2026 and the CNSA 2.0 acquisition mandate effective January 1, 2027.
The CMVP Validation Cutoff
FIPS 140 validation is a prerequisite for federal procurement, FedRAMP authorization, and a wide range of regulated-industry security frameworks that reference FIPS 140 by name (including certain healthcare, financial, and defense supply chain standards). After September 21, 2026, NIST's CMVP will not issue new validations for modules lacking PQC support. Organizations in the CMVP validation queue with non-PQC modules need to assess whether their submissions will complete before the cutoff, and whether their validation renewal cycles will expire after it. The current absence of FIPS 140-3 validated PQC modules means procurement teams cannot simply purchase a compliant product off the shelf today - lead times for hardware security module upgrades and vendor validation cycles must factor into planning.
The algorithms mandated for FIPS compliance are ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). These are not interim solutions - they are the finalized NIST standards that define the post-quantum cryptographic baseline going forward.[NIST PQC Project, CSRC]
The CNSA 2.0 Acquisition Mandate
NSM-10 establishes that from January 1, 2027, any new acquisition for a National Security System must specify CNSA 2.0-compliant algorithms.[NSM-10, White House, 2022] For defense contractors, this means contract vehicles, statements of work, and security architecture documentation submitted after that date must demonstrate CNSA 2.0 compliance or include a credible, time-bounded migration plan. Hybrid implementations - running classical and post-quantum algorithms in parallel - are recognized in practitioner guidance as a transitional architecture for systems that cannot immediately achieve full PQC deployment, but they do not satisfy the long-term compliance requirement.
The practical implication: procurement officers and contracting teams need to update solicitation templates and vendor evaluation criteria before January 2027, not after. Contracts awarded in Q4 2026 with multi-year performance periods will govern cryptographic requirements through the heart of the 2031-2035 compliance window.
What the Frameworks Don't Tell You - The Four Gaps CISOs Must Solve Independently
The federal guidance is explicit about what algorithms are required and when. It is notably silent on several operational questions that determine whether a compliance program is executable.
Gap 1: No Sequencing Template for Mixed Environments
Neither NSM-10, NIST IR 8547, nor DoD CIO guidance provides a prioritization model for organizations with heterogeneous cryptographic estates. The NCCoE's risk framework mappings to NIST RMF and CSF (published September 2025) offer the closest thing to a sequencing reference, but they remain guidance rather than mandate. CISOs must build their own triage logic: systems handling long-lived sensitive data (financial records, health data, classified information) warrant immediate PQC uplift because of harvest-now-decrypt-later exposure; systems with short data lifetimes and no federal nexus carry lower near-term risk.
Gap 2: Undefined Third-Party and Vendor Risk Criteria
No current framework specifies what a compliant vendor attestation looks like for PQC purposes. There is no standardized questionnaire, no approved certification pathway for vendor PQC claims, and no guidance on how to evaluate a supplier's PQC roadmap against customer compliance timelines. A Cryptographic Bill of Materials (CBOM) is the practitioner-consensus tool for tracking cryptographic dependencies across a vendor estate, but no regulator has yet mandated CBOM delivery as a procurement requirement. Organizations that build CBOM requirements into contracts now are establishing a defensible due diligence position before regulators formalize it.
Gap 3: Hardware-Constrained Environments Lack Specific Guidance
HSMs, IoT devices, OT controllers, and SCADA systems present migration challenges that federal guidance does not address in detail. ML-KEM and ML-DSA carry larger key and signature sizes than RSA and ECC, creating performance and memory constraints on embedded systems. NIST has acknowledged these constraints and is monitoring the development of lightweight PQC candidates, but no finalized standard for constrained environments existed at the time of this writing. CISOs with significant OT or IoT footprints should treat these environments as a separate migration track with longer lead times and engage hardware vendors directly on PQC roadmap commitments.
Gap 4: Integration with Existing RMF and CSF Cycles Is Not Prescribed
Organizations operating under FISMA use the Risk Management Framework as their primary compliance vehicle. NSM-10's annual cryptographic inventory requirement creates an ongoing obligation that must be integrated into RMF authorization packages and continuous monitoring programs - but the mechanics of that integration are left to agency discretion. Security architects broadly recommend treating PQC migration status as a standing POA&M item in system security plans, with annual updates tied to the NSM-10 inventory cycle, but this approach has not been mandated in specific RMF guidance.
The Commercial and Finance Sector Exposure - SOX, SEC, and the "Reasonable Security" Signal
Public companies and financial institutions operating outside direct federal mandate scope face a different but equally real compliance dynamic. No SEC rule, PCAOB standard, or SOX provision currently requires PQC implementation by a specific date. The compliance risk is the standard of care shift: as federal agencies formalize PQC requirements and the CMVP cutoff takes effect, the definition of "reasonable security" in cybersecurity law and regulation is moving. Organizations that have not initiated PQC planning by the time a material breach occurs - or by the time an SEC enforcement action is taken against a peer - face the argument that they failed to meet the evolving standard.
The expected regulatory lag between federal mandate and private-sector requirement is two to four years based on historical patterns with prior NIST transitions. That places a probable SEC or financial-sector PQC requirement in the 2028-2030 range - well within the window where organizations that begin planning in 2026-2027 will complete initial migration phases on schedule, while those that wait for an explicit private-sector mandate will face compressed timelines.
For EU-exposed financial institutions, the timeline is more concrete. The EU's coordinated PQC roadmap establishes phased obligations running through 2035, differentiated by application sensitivity. DORA's ICT risk management requirements and NIS2's security measure obligations create a parallel compliance track that is already active. eIDAS 2.0 is tightening cryptographic requirements for digital identity frameworks. The PQC obligations created by DORA and NIS2 are not future projections - they are current requirements that EU financial institutions must map against their cryptographic estates today.
Audit committees at public companies should receive a briefing on PQC exposure as part of the annual cybersecurity risk review. The absence of an explicit SEC disclosure trigger does not eliminate the disclosure risk - it shifts it to the materiality judgment that audit committees and general counsel must make when a quantum-enabled breach or a compliance gap comes to light.
Building Your PQC Compliance Program - A Practical Starting Framework
Given the deadline structure above and the gaps in existing regulatory guidance, a workable PQC compliance program requires six components.
1. Cryptographic Asset Inventory
NSM-10 mandates annual cryptographic inventories for federal agencies - this is an existing, ongoing obligation, not a future one.[NSM-10, White House, 2022] For commercial organizations, an equivalent inventory is the prerequisite for every downstream compliance decision. The inventory should identify: every system using RSA, ECC, or Diffie-Hellman; the data classification and retention period of what each system protects; whether the system has a federal nexus that triggers FIPS or CNSA 2.0 obligations; and the system's expected refresh cycle relative to the 2031 and 2035 deadlines.
2. Risk-Tiered Migration Roadmap
Map inventory findings against a three-tier priority structure: Tier 1 (federal nexus or long-lived sensitive data - migrate before 2028), Tier 2 (regulated but not federally connected, or medium data lifetime - migrate before 2031), Tier 3 (low sensitivity, short data lifetime, no federal obligation - migrate before 2035). This structure does not come from any single regulatory source; it reflects the practitioner consensus for translating overlapping deadline structures into an executable sequence.
3. FIPS Validation Pipeline Assessment
Identify every cryptographic module in your environment that holds or requires FIPS 140 validation. For each, determine: the current validation expiry date; whether the hardware or software vendor has a PQC upgrade path; and whether that upgrade path will be validated by CMVP before September 2026. Where vendor roadmaps are unclear, initiate procurement conversations immediately - CMVP validation cycles run 18-24 months on average.
4. CNSA 2.0 Procurement Gate
For any organization with NSS-adjacent obligations, institute a procurement gate requiring CNSA 2.0 compliance attestation from vendors on cryptographic product acquisitions initiated after Q3 2026. Use the GSA PQC Buyer's Guide as a baseline evaluation reference. Build CBOM delivery requirements into new vendor contracts.
5. Crypto Agility as a Design Requirement
System development standards and architecture review criteria should require that new systems be built to support algorithm substitution without full re-engineering. This is not a new concept - it is the operational definition of crypto agility, and it is the architectural property that will determine whether future algorithm transitions (including any HQC standardization) are manageable or disruptive.
6. Governance Integration
PQC migration status should appear as a standing agenda item in security governance meetings, a component of annual board cybersecurity reporting, and a tracked item in RMF continuous monitoring for federal systems. The NCCoE's risk framework mappings to RMF and CSF (September 2025) provide the reference architecture for this integration. The program owner should have explicit authority to impose migration requirements on business units - cryptographic compliance cannot be advisory.
As a concrete next action: download and work through the NCCoE's Migration to Post-Quantum Cryptography Project documentation at nccoe.nist.gov, which provides the most detailed practitioner-level mapping of PQC migration steps to existing NIST RMF and CSF controls currently available from a U.S. government source. Use it as the baseline for your program charter and initial board briefing.
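The inventory and tiering steps above, as an added example (not code from the article, NIST, or the NCCoE): it triages a constructed inventory into the three tiers using the page's own deadlines. The MEDIUM_LIFETIME_YEARS cut and the rule that "long-lived" means data retained past the 2035 disallowance date are assumptions; replace them with your organization's policy.

```python
"""Tier a cryptographic inventory against the three-tier roadmap above. Added
illustration, not from the article, NIST or NSA; thresholds are assumptions."""
from dataclasses import dataclass

# Families NIST IR 8547 (IPD) deprecates in 2031 and disallows in 2035.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "ECC", "DH", "FFDH", "DSA"}
TIER_DEADLINE = {1: 2028, 2: 2031, 3: 2035}   # deadlines from the roadmap above
MEDIUM_LIFETIME_YEARS = 3   # assumption: cut between "short" and "medium" lifetime

@dataclass
class Asset:
    name: str
    algorithms: tuple      # asymmetric/KEM families the system relies on
    retention_years: int   # how long the protected data must stay confidential
    federal_nexus: bool    # triggers FIPS 140 / CNSA 2.0 obligations
    regulated: bool        # e.g. DORA, NIS2 or SOX scope without federal nexus
    refresh_year: int      # next planned platform refresh

def is_quantum_vulnerable(asset):
    # A hybrid deployment still lists a classical family, so it stays in scope.
    return any(a.upper() in QUANTUM_VULNERABLE for a in asset.algorithms)

def assign_tier(asset, now=2026):
    """Return 1, 2 or 3 per the roadmap, or None if no migration is needed."""
    if not is_quantum_vulnerable(asset):
        return None
    # Harvest-now-decrypt-later: data that must stay secret past the 2035
    # disallowance date is long-lived no matter who regulates the system.
    long_lived = now + asset.retention_years > TIER_DEADLINE[3]
    if asset.federal_nexus or long_lived:
        return 1
    if asset.regulated or asset.retention_years >= MEDIUM_LIFETIME_YEARS:
        return 2
    return 3

def plan(assets, now=2026):
    """Roadmap rows sorted by tier; flags assets whose refresh misses the deadline."""
    rows = []
    for asset in assets:
        tier = assign_tier(asset, now)
        if tier is None:
            continue  # already PQC-only: nothing to schedule
        deadline = TIER_DEADLINE[tier]
        # Waiting for the normal refresh would miss the tier deadline, so the
        # asset needs an out-of-cycle migration budget.
        rows.append({"name": asset.name, "tier": tier, "deadline": deadline,
                     "out_of_cycle": asset.refresh_year > deadline})
    return sorted(rows, key=lambda r: (r["tier"], r["name"]))

# Constructed sample inventory, not real systems.
SAMPLE_INVENTORY = [
    Asset("hr-records-db", ("RSA", "AES"), 30, False, True, 2029),
    Asset("vpn-gateway", ("ECDH", "ML-KEM"), 1, True, False, 2027),
    Asset("trade-reporting", ("RSA",), 5, False, True, 2032),
    Asset("web-cache", ("ECDSA",), 1, False, False, 2033),
    Asset("code-signing", ("ML-DSA",), 10, True, False, 2028),
]
```

Run `plan(SAMPLE_INVENTORY)` to see the sorted roadmap; the `out_of_cycle` flag is the budget conversation the program owner needs to have before the next refresh cycle is approved.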
Key Takeaways
- The September 21, 2026 CMVP validation cutoff is a hard administrative deadline - organizations that need new or renewed FIPS 140 validations after that date must submit PQC-capable modules.
- NSM-10 mandates CNSA 2.0 compliance for all new NSS acquisitions from January 1, 2027. Defense contractors must update procurement and contracting processes before that date.
- NIST IR 8547 (IPD) sets 2031 as algorithm deprecation and 2035 as full disallowance for federal systems. The seven-to-ten year average enterprise migration timeline means planning initiated now will barely reach the 2035 window.
- NSM-10's annual cryptographic inventory requirement is an existing, ongoing obligation for federal agencies - not a future one.
- No framework resolves the sequencing, vendor risk, hardware-constrained environment, or RMF integration gaps. CISOs must build program architecture to address these independently.
- Commercial and financial-sector organizations face a standard-of-care shift even without direct mandates. The EU frameworks (DORA, NIS2, eIDAS 2.0) create concrete obligations for EU-exposed institutions that are already active.
- ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) are the mandated algorithms under CNSA 2.0 and NIST standards. Alternatives should not be treated as equivalent for compliance purposes.