Defense Contractor Quantum Risk
Defense Industrial Base organizations handling CUI and classified data are the highest-priority targets for quantum threats. NSA CNSA 2.0 mandates quantum-resistant cryptography for National Security Systems starting in 2027.
Key Takeaways
- NSA CNSA 2.0 requires quantum-resistant algorithms for NSS software by 2027 and hardware by 2030
- DIB organizations are the highest-priority targets for harvest now, decrypt later attacks
- CMMC 2.0 assessors will increasingly evaluate cryptographic posture against quantum threats
- DFARS 252.204-7012 requires "adequate security" for CUI, which will include PQC as NIST standards mature
- PTG holds CMMC-RP and CCA credentials, producing migration documentation in the format C3PAO assessors expect
Why Defense Contractors Face the Most Urgent Quantum Threat
The Defense Industrial Base (DIB) sits at the intersection of three factors that create the most urgent quantum risk profile of any industry sector: the highest-value target data (CUI and classified information), the most aggressive regulatory timeline (NSA CNSA 2.0), and the most active adversary threat (nation-state HNDL campaigns).
Controlled Unclassified Information (CUI) handled by defense contractors includes weapons system designs, logistics data, personnel information, intelligence analysis, and technology specifications. This data has national security implications that extend decades beyond the projected timeline for a cryptographically relevant quantum computer. A weapons system design encrypted with RSA-2048 today and intercepted by a foreign intelligence service through an HNDL campaign could be decrypted and exploited by 2030.
The NSA has explicitly acknowledged that nation-state adversaries are conducting HNDL campaigns against the DIB. The agency's CNSA 2.0 guidance is the direct response: a mandatory timeline for transitioning all National Security Systems to quantum-resistant cryptography. Defense contractors who supply to these systems must align with the same timeline.
CNSA 2.0 Deadlines Are Not Recommendations
Unlike many compliance frameworks where quantum readiness is a best practice, CNSA 2.0 establishes mandatory deadlines for National Security Systems. Software and firmware must prefer quantum-resistant algorithms by 2025 and require them by 2027. Network hardware must support PQC by 2030. Classical public-key cryptography is fully deprecated by 2035. Defense contractors whose products feed into NSS must meet these deadlines or lose their market.
CNSA 2.0 Migration Timeline for Defense Contractors
2025: Preference Phase
New NSS software and firmware acquisitions should prefer quantum-resistant algorithms. Defense contractors bidding on new contracts should demonstrate PQC capability. Organizations that start their quantum readiness assessment now will have migration plans ready for contract requirements.
2027: Software Mandate
All NSS software and firmware must support quantum-resistant algorithms. Legacy TLS, IPsec, and SSH implementations begin deprecation. Defense contractors must deliver products and services with PQC-capable encryption. This is the first hard deadline for the DIB.
2030: Hardware Mandate
NSS network equipment (routers, switches, firewalls, HSMs) must support quantum-resistant algorithms in hardware. Defense contractors must supply PQC-capable hardware or face contract exclusion.
2033: Classical Deprecation
Complete deprecation of classical public-key algorithms for NSS. All RSA, ECC, and DH implementations must be fully replaced. No classical-only fallback permitted.
2035: Final Transition
No classical public-key cryptography permitted in any NSS implementation. Full quantum resistance required across the entire defense supply chain.
CNSA 2.0 Software Deadlines Start in 2027
Migration takes 18-36 months. If you start assessment now, you complete migration right at the deadline. If you wait, you miss it. PTG's initial consultation is free.
CMMC 2.0 and Post-Quantum Cryptography
CMMC 2.0 is built on NIST SP 800-171 Rev. 2, which requires FIPS-validated cryptography for CUI protection. The specific controls are:
- SC.L2-3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
- SC.L2-3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
- SC.L2-3.13.16: Protect the confidentiality of CUI at rest
- IA.L2-3.5.10: Store and transmit only cryptographically protected passwords
These controls reference "FIPS-validated cryptography" without specifying which algorithms. Today, RSA-2048 and AES-256 satisfy these requirements. As NIST's Cryptographic Module Validation Program (CMVP) publishes PQC algorithm validations and deprecates quantum-vulnerable algorithms, the definition of "FIPS-validated" will shift to require PQC. Defense contractors who proactively adopt PQC will be positioned for compliance when this shift occurs, while those who wait will face a compressed migration timeline with potential compliance gaps.
CMMC Level 3 adds NIST SP 800-172 enhanced security requirements, which include more stringent cryptographic controls for high-value CUI. PTG's CMMC-RP and CCA credentials ensure that PQC migration documentation is produced in the format that C3PAO assessors expect, with SSP updates, POA&M entries, and evidence artifacts aligned to the CMMC assessment methodology.
Defense Contractor Quantum Attack Surfaces
CUI in Transit
CUI transmitted between defense contractors, prime contractors, and DoD systems traverses networks where HNDL interception is an active threat. VPN tunnels (IPsec with RSA/ECDH key exchange), encrypted email (S/MIME with RSA), and file transfers (SFTP with SSH RSA keys) are all quantum-vulnerable. Migrating these transport channels to PQC is the highest-priority action for reducing HNDL exposure.
CUI at Rest
CUI stored in databases, file servers, engineering workstations, and backup systems is encrypted under keys whose management (wrapping, escrow, and distribution) typically relies on RSA or ECC. While the symmetric encryption (AES-256) protecting the data itself is quantum-resistant, the key management infrastructure wrapping those keys is not. An attacker who obtains the wrapped key material through HNDL and later unwraps it with a quantum computer gains access to all data protected by those keys.
Supply Chain Communications
The defense supply chain involves hundreds of subcontractors exchanging CUI through various channels. Each link in the supply chain represents a potential HNDL interception point. DFARS 252.204-7012 flow-down requirements mean that subcontractors must also implement adequate security for CUI. PTG helps prime contractors establish PQC migration requirements for their supply chain, including contract language and compliance verification procedures.
Weapons System Software and Firmware
Software and firmware deployed in weapons systems, sensor platforms, and command-and-control systems use cryptographic algorithms for secure communications, authentication, and data integrity. These systems have long operational lifetimes (20-40 years for major platforms) and limited upgrade windows. The CNSA 2.0 timeline specifically targets these systems: quantum-resistant algorithms must be integrated into new acquisitions now, with retrofit of fielded systems following the hardware timeline.
ITAR and Export-Controlled Data
International Traffic in Arms Regulations (ITAR) controlled data represents some of the most sensitive technical information in the DIB. Export-controlled encryption algorithms, weapons designs, and defense technology specifications encrypted with quantum-vulnerable algorithms face the same HNDL threat. The consequences of quantum decryption of ITAR data extend beyond the organization to national security implications.
Defense Contractor Quantum Readiness Checklist
- Completed quantum readiness assessment with full cryptographic inventory of CUI-handling systems
- CNSA 2.0 timeline mapped to specific systems and contract deliverables
- CMMC SSP updated to address quantum cryptographic transition planning
- POA&M entries created for in-progress quantum migrations with specific milestones
- VPN, email, and file transfer encryption evaluated for HNDL exposure
- Key management infrastructure assessed for PQC algorithm support
- Supply chain PQC requirements defined and communicated to subcontractors
- Weapons system and firmware cryptographic dependencies inventoried
- Crypto agility requirements included in system architecture planning
- FIPS 140 module inventory completed with PQC upgrade paths identified
- Hybrid mode deployment plan documented for classical-to-PQC transition
- Executive briefing completed on CNSA 2.0 compliance risk and investment requirements
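As an added example (not PTG tooling or code from this page), the script below works the first two checklist items for the channels named under the attack surfaces above: it classifies a constructed cryptographic inventory (IPsec, S/MIME, SFTP, key wrapping, TLS) against the CNSA 2.0 algorithm suite, ranks quantum-vulnerable key exchange as the top HNDL priority ahead of signatures, and maps each system to the page's 2027 software or 2030 network-hardware deadline. The host names, inventory rows and the category field are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# CNSA 2.0 suite: AES-256, SHA-384/512, ML-KEM-1024, ML-DSA-87, LMS, XMSS.
CNSA2_APPROVED = {"AES-256", "SHA-384", "SHA-512", "ML-KEM-1024", "ML-DSA-87", "LMS", "XMSS"}
# Public-key families broken by Shor's algorithm: RSA, finite-field DH/DSA, all ECC.
QUANTUM_VULNERABLE = re.compile(r"^(RSA|DH|DSA|ECDH|ECDSA|X25519|ED25519|X448|ED448)(-|$)", re.I)
# CNSA 2.0 mandate years as stated on this page: software/firmware 2027, network hardware 2030.
DEADLINES = {"software": 2027, "network": 2030}

@dataclass
class Finding:
    system: str
    channel: str
    role: str        # "kex" = key exchange (confidentiality), "sig" = signature (authentication)
    algorithm: str
    priority: str    # P1-HNDL: harvestable today; P2: exploitable only once a CRQC exists
    deadline: int

# Constructed sample inventory with hypothetical hosts (in practice rows come from TLS/IPsec/SSH
# config scans and certificate parsing); 'category' is an assumed field choosing the deadline.
SAMPLE_INVENTORY = """\
vpn-gw1  IPsec-IKEv2  kex=ECDH-P256   sig=RSA-2048    sym=AES-256-GCM  category=network
mail-gw  S/MIME       kex=RSA-2048    sig=RSA-2048    sym=AES-256-CBC  category=software
sftp-1   SSH          kex=X25519      sig=ED25519     sym=AES-256-CTR  category=software
kms-1    KeyWrap      kex=RSA-3072    sig=ECDSA-P384  sym=AES-256-KW   category=software
fw-edge  TLS1.3       kex=ML-KEM-1024 sig=ML-DSA-87   sym=AES-256-GCM  category=network
"""

def classify(inventory: str) -> list[Finding]:
    """Return every quantum-vulnerable public-key use, most urgent first."""
    findings: list[Finding] = []
    for line in inventory.splitlines():
        system, channel = line.split()[:2]
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        deadline = DEADLINES[fields["category"]]
        for role in ("kex", "sig"):
            alg = fields[role]
            if alg in CNSA2_APPROVED or not QUANTUM_VULNERABLE.match(alg):
                continue
            # Key exchange guards the confidentiality of captured traffic, so HNDL applies
            # now; signatures can only be forged once a CRQC exists, so they rank lower.
            priority = "P1-HNDL" if role == "kex" else "P2"
            findings.append(Finding(system, channel, role, alg, priority, deadline))
    return sorted(findings, key=lambda f: (f.priority, f.deadline))

def hndl_exposed_systems(inventory: str) -> list[str]:
    # Systems whose key exchange is quantum-vulnerable: the first migration targets.
    return [f.system for f in classify(inventory) if f.priority == "P1-HNDL"]
```

Running `classify(SAMPLE_INVENTORY)` leaves the ML-KEM/ML-DSA host with no findings and puts the three software-deadline key exchanges ahead of the VPN gateway, whose hardware deadline is later even though its traffic is equally harvestable.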
Your CMMC Assessment Will Ask About Cryptography
Proactive PQC migration demonstrates security maturity to C3PAO assessors. PTG's CMMC-RP and CCA credentials ensure your quantum migration documentation is in the format assessors expect.
Frequently Asked Questions
Does CMMC currently require post-quantum cryptography?
CMMC 2.0 requires "FIPS-validated cryptography" for CUI, not specifically PQC. However, FIPS validation tracks NIST standards. As NIST publishes PQC module validations (via CMVP) and deprecates quantum-vulnerable algorithms, CMMC compliance will require PQC through the existing "FIPS-validated" requirement. NSA CNSA 2.0 adds explicit PQC deadlines for organizations handling National Security System data. Defense contractors who proactively migrate to PQC will be ahead of competitors when these requirements formalize.
How does CNSA 2.0 apply to defense contractors vs. DoD agencies?
CNSA 2.0 directly applies to National Security Systems (NSS) operated by DoD and intelligence agencies. Defense contractors are affected when their products, software, or services feed into NSS. If your contract deliverables include software, firmware, network equipment, or encryption capabilities that will be used in or connect to NSS, CNSA 2.0 deadlines apply to your deliverables. Even for contracts not directly tied to NSS, demonstrating PQC capability increasingly differentiates contractors in competitive evaluations.
Are defense contractors currently targeted by HNDL attacks?
Yes. The NSA has publicly stated that nation-state adversaries are conducting harvest now, decrypt later operations against the Defense Industrial Base. DIB organizations handle CUI with national security implications that make it among the highest-value HNDL targets. Encrypted data intercepted today from defense contractor VPNs, email systems, and file transfers is being stored by adversaries for future quantum decryption. Every day that CUI traverses quantum-vulnerable encryption adds to the adversary's HNDL inventory.
What is the migration timeline for a typical defense contractor?
For a mid-size defense contractor (100-1,000 employees), the complete migration from assessment to full PQC deployment typically takes 18-30 months. This includes 2-4 weeks for the quantum readiness assessment, 4-8 weeks for architecture planning and CMMC documentation updates, 3-6 months for pilot deployment in hybrid mode, and 6-18 months for phased production rollout. Larger primes with complex multi-site operations, weapons system integration, and deep supply chains may require 3-5 years. The critical factor is starting the assessment now to complete migration before the 2027 CNSA 2.0 software deadline.
How do we address PQC requirements in our supply chain?
DFARS 252.204-7012 requires defense contractors to flow down CUI protection requirements to subcontractors. As PQC becomes part of CUI protection (through CNSA 2.0 and evolving FIPS validation), these flow-down requirements will include PQC obligations. PTG recommends proactively adding PQC migration requirements to subcontractor agreements, including specific algorithm adoption timelines, hybrid mode deployment expectations, and compliance reporting obligations. We provide contract language templates as part of our defense contractor quantum risk engagement.
Can we use our quantum readiness assessment for CMMC evidence?
Yes. PTG's defense contractor quantum risk assessment produces deliverables specifically formatted for CMMC assessment evidence. This includes SSP updates addressing cryptographic transition planning, POA&M entries with milestones for in-progress migrations, evidence artifacts demonstrating proactive risk management, and a quantum risk register mapped to CMMC SC controls. C3PAO assessors view proactive PQC planning favorably, even before explicit PQC requirements are formalized in CMMC.
What about classified data and PQC?
Classified data protection falls under NSA Type 1 encryption requirements, which are separate from commercial FIPS validation. The NSA manages the transition to quantum-resistant algorithms for classified systems through its Suite A and Suite B program updates. Defense contractors handling classified data should coordinate with their government contracting officer and facility security officer (FSO) for classified system PQC guidance. PTG's assessment covers CUI and unclassified systems; classified system migration follows government-directed timelines and procedures.
Will quantum readiness be a factor in contract awards?
Increasingly, yes. As CNSA 2.0 deadlines approach, DoD acquisition programs will evaluate contractors' PQC capability as part of source selection criteria. Contractors who can demonstrate quantum-ready products, services, and infrastructure will have a competitive advantage. Some RFPs already reference PQC requirements for new systems. PTG's assessment and migration plan documentation provides the evidence base for quantum readiness claims in contract proposals.
What does a defense contractor quantum risk assessment cost?
Pricing depends on the size of your CUI environment, the number of systems and sites, and the complexity of your supply chain. PTG's initial consultation and scoping are free. We provide a detailed proposal after the scoping call that includes assessment scope, deliverable list, CMMC documentation components, and timeline. The assessment can be delivered as a standalone engagement or integrated with CMMC assessment preparation and PQC migration planning.
How does PTG's CMMC credential help with quantum migration?
CEO Craig Petronella holds both CMMC Registered Practitioner (RP) and CMMC Certified Assessor (CCA) credentials. This means PTG understands both the technical requirements of PQC migration and the assessment methodology that C3PAOs use to evaluate compliance. Our quantum migration documentation is produced in the exact format assessors expect: SSP updates follow the CMMC template structure, POA&M entries include the required fields, and evidence artifacts map to specific CMMC practices. This alignment reduces assessment friction and demonstrates compliance maturity.
Ready to Assess Your Defense Contractor Quantum Risk?
CNSA 2.0 deadlines are firm. HNDL attacks are active. The time for assessment is now. PTG's free consultation scopes your CUI environment and maps the migration to your contract timelines.