NSM 10 moves agencies into PQC execution
The hard part is cryptographic visibility, where zero-trust-style consensus turns into ownership fights, inventory gaps and validation risk.
TL;DR
A Federal News Network commentary by Forescout’s Alison King says post-quantum cryptography (PQC) readiness has crossed from standards work into execution under National Security Memorandum 10. Federal agencies, state CISOs, primes and contractors now need cryptographic inventories, migration sequencing and validation across legacy, mission-critical systems. The zero-trust lesson is practical: agreement without ownership leaves hidden dependencies untouched while dashboards report movement.
Federal News Network published this as commentary from Alison King, vice president of government affairs at Forescout, so the product-market subtext should stay visible. The core diagnosis still holds. Post-quantum cryptography (PQC) has moved from a standards conversation into an inventory, sequencing and validation problem. Agencies have to find where current cryptography lives, decide what gets replaced first and confirm that the replacement works on systems built over decades.
Zero trust is the useful comparison because it exposed the gap between policy agreement and execution mechanics. Agencies adopted the vocabulary and wrote strategies, but implementation varied as resources, prioritization and coordination diverged. PQC has the same failure mode with higher validation consequences. If the owner of a legacy mission system, the acquisition shop and the security team do not share definitions and milestones, hidden cryptographic dependencies stay in production while the dashboard shows progress.
Where the execution starts
Visibility is the first control. NIST’s public explainer for National Security Memorandum 10 describes a government goal to mitigate as much quantum risk as feasible by 2035 and tells agencies to start planning, prioritizing and budgeting now (https://www.nist.gov/cryptography/nist-role-and-activities-relative-post-quantum-cryptography-white-house-memo). CISA’s automated-discovery strategy ties OMB M-23-02 to reporting, to the Office of the National Cyber Director and CISA, on cryptographic systems that use quantum-vulnerable cryptography (https://www.cisa.gov/sites/default/files/2024-09/Strategy-for-Migrating-to-Automated-PQC-Discovery-and-Inventory-Tools.pdf). That is the right starting point because agencies cannot prioritize a dependency they have not found.
For contractors and primes, the practical effect runs through acquisition. CISA’s January 2026 product-category list identifies hardware and software categories that support or are expected to support PQC standards, expressly to help organizations shape migration strategies and future technology investments (https://www.cisa.gov/news-events/news/cisa-releases-product-categories-list-propel-post-quantum-cryptography-adoption-pursuant-president). That is a signal to vendors and buyers: PQC will increasingly show up as a capability question inside solicitations, refresh cycles and validation evidence.
Where NSM 10 stops
The open enforcement question is practical. The material here shows a 2035 risk-mitigation goal, reporting expectations and procurement signals. It leaves out a specific agency-by-agency deadline for reaching cryptographic visibility and a clear consequence if an agency cannot show that baseline. That gap matters because PQC migration is expensive in the least glamorous way: system inventory, dependency mapping, budget alignment, test plans and regression risk. The Monday work is to assign ownership across the CIO, CISO, CFO, contracting office and system owners before PQC becomes another consensus program with no accountable owner.
Published · Deep Fathom