Government
HNDL for government contractors: CMMC and long-retention data
Contract deliverables, personnel records, and research archives may require confidentiality for 15–50 years — NSM-10 and CMMC assessors expect crypto inventory evidence.
Key terms
NSM-10, CMMC, CNSA 2.0, Mosca inequality — see HNDL hub and gov HNDL framework.
Federal mandate context
NSM-10 directs migration away from quantum-vulnerable cryptography by 2035. CNSA 2.0 sets earlier tiers for national-security systems (2030–2033). CMMC Level 2 assessors expect inventory artifacts, not verbal assurance.
HNDL for contractor data
| Data class | Typical X (years data must stay confidential) | Harvest path |
|---|---|---|
| Contract deliverables | 15–30 years | Insider, subcontractor |
| Personnel / clearance | 20–50 years | Backup exfiltration |
| Research archives | 15–40 years | Bulk collection |
| VPN / remote access | 5–10 years | TLS handshake capture |
Evidence CMMC assessors want
| Artifact | Purpose |
|---|---|
| Signed TLS inventory PDF | Risk analysis documentation |
| CycloneDX CBOM | GRC and prime contractor reporting |
| Mosca HNDL score | Board and ISSO reporting |
| Monitor drift reports | Continuous safeguard evidence |
90-day plan
- Run a gov contractor scenario scan
- Map findings to NSM-10 and CNSA 2.0 tiers
- Quantify HNDL on longest-retained deliverable classes
- Schedule quarterly re-scans
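The Mosca inequality named under Key terms flags data as exposed to harvest-now-decrypt-later when X + Y > Z, where X is the years the data must stay confidential, Y the years needed to finish migration, and Z the years until a cryptographically relevant quantum computer. The sketch below is an added example, not part of the original page and not any product's scoring method. It applies the inequality to both ends of each X range from the data-class table; the Y and Z inputs and all function names are assumptions.

```python
from dataclasses import dataclass

# X ranges in years, copied from the data-class table on this page.
X_RANGES = {
    "Contract deliverables": (15, 30),
    "Personnel / clearance": (20, 50),
    "Research archives": (15, 40),
    "VPN / remote access": (5, 10),
}

@dataclass
class Exposure:
    data_class: str
    best_overrun: int   # X_min + Y - Z; negative means safety margin
    worst_overrun: int  # X_max + Y - Z
    verdict: str

def assess(data_class, x_range, y_migration, z_threat):
    """Apply X + Y > Z at both ends of the class's retention range."""
    x_min, x_max = x_range
    best = x_min + y_migration - z_threat
    worst = x_max + y_migration - z_threat
    if best > 0:
        verdict = "exposed"                   # even the shortest retention overruns Z
    elif worst > 0:
        verdict = "exposed at long end of X"  # only longer-lived records overrun Z
    else:
        verdict = "within margin"
    return Exposure(data_class, best, worst, verdict)

def rank_exposure(y_migration, z_threat, x_ranges=X_RANGES):
    """Return all classes, largest worst-case overrun first."""
    results = [assess(n, r, y_migration, z_threat) for n, r in x_ranges.items()]
    return sorted(results, key=lambda e: e.worst_overrun, reverse=True)

if __name__ == "__main__":
    # Assumed planning inputs (hypothetical), not values from the page.
    for e in rank_exposure(y_migration=8, z_threat=15):
        print(f"{e.data_class:24} {e.best_overrun:+4d}..{e.worst_overrun:+4d}  {e.verdict}")
```

With these assumed inputs only the VPN row retains any margin, and only at the short end of its range.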
References & further reading
Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.
Last verified 2026-06-04
- National Security Memorandum on Post-Quantum Cryptography (NSM-10). White House · 2022-05. Federal mandate requiring migration away from quantum-vulnerable algorithms by 2035.
- Commercial National Security Algorithm Suite 2.0 (CNSA 2.0). NSA · 2022. NSA migration tiers for national security systems through 2030–2033.
- NIST IR 8547: Transition to Post-Quantum Cryptography Standards. NIST · 2024. Federal transition guidance with deprecation timelines for quantum-vulnerable algorithms.
- What Is Post-Quantum Cryptography? NIST · 2024. Official overview of NIST's PQC project, finalized standards, and the harvest-now-decrypt-later threat model.