United States · national security, global direction

The quantum deadline is already scheduled

CNSA 2.0, published by the NSA, sets concrete timelines for moving US national security systems to quantum-resistant cryptography, with transitions phased over a multi-year schedule. NIST has standardized the destination algorithms. The pattern is familiar: national-security mandates become regulated-sector expectations within a few years.

Who this applies to
US national security systems and their vendors directly; realistically, every organization with long-lived sensitive data, because harvest-now-decrypt-later makes the migration everyone’s problem.
What it asks for
Know your cryptography
Migration presumes a complete inventory of algorithms, key sizes, and where each is used: the step most organizations cannot do today.
Adopt standardized PQC
Move to NIST-standardized quantum-resistant algorithms on the published schedule for each technology class.
Demonstrate progress
Programs are expected to show migration status over years, which requires measurable, repeatable inventory.
How SecuNexa and BOMNexa map to it
Cryptographic inventory
BOMNexa builds the CBOM from source, configuration, certificates, and binaries, with evidence per asset: the inventory the migration stands on.
Readiness classification
Every asset gets a quantum-vulnerable or quantum-safe verdict against current NIST standards, aggregated into a posture you can track quarterly.
Migration reporting
The readiness report names components, services, and required changes, turning a mandate into a schedulable engineering backlog.

Tools do not make you compliant; they make compliance provable. SecuNexa and BOMNexa supply the technical evidence described on this page. Governance, process, and legal interpretation belong to your compliance function, and this page is not legal advice.

Frequently asked questions
We are not a national security vendor. Why care now?

Two reasons: data stolen today is decryptable later, so long-lived secrets are already exposed; and these timelines historically cascade into financial, healthcare, and infrastructure regulation. Inventory takes the longest, so it is the step to start early.

Which algorithms count as quantum-safe?

The finalized NIST post-quantum standards, including ML-KEM and ML-DSA, define the destination. BOMNexa classifies against current standards and updates through its signed data bundles as standards evolve.
