Defense

Gov contractor & harvest-now-decrypt-later

Contract deliverables and personnel records with 15–50 year confidentiality requirements face HNDL exposure under NSM-10 timelines.

Run Q-Day scan Q-Day hub

Framework

CMMC inventory and federal HNDL exposure

Deadline: 2035 (NSM-10)

Executive summary

Government contractors and federal-adjacent SaaS providers hold data with decades-long confidentiality requirements. HNDL exposure is often present today while today's crypto still works — because migration timelines (Y) plus data shelf-life (X) exceed quantum timeline estimates (Z).

Federal deadlines

Framework	Key date	Requirement
NSM-10	2035	Migrate away from quantum-vulnerable crypto
CNSA 2.0	2030–2033	Algorithm tiers for national-security systems
CMMC L2	Ongoing	Cryptographic inventory and safeguard evidence
NIST IR 8547	2030 target	Transition to FIPS 203/204/205

Data shelf-life for contractors

Data class	Typical X	Harvest path
Contract deliverables	15–30 years	Subcontractor archives
Personnel / clearance	20–50 years	Backup exfiltration
Research (CUI-adjacent)	15–40 years	Bulk collection
VPN / remote access TLS	5–10 years	Handshake capture

Collection vectors

Breach exfiltration — fastest path in incident response data
Backup and archive copies — long-retention tape and cloud snapshots
Insider and supply-chain — M&A, legal holds, subcontractor data rooms
Bulk transit — TLS sessions on contractor API and VPN endpoints

CMMC evidence package

Artifact	Assessor use
Signed TLS inventory PDF	Risk analysis documentation
CycloneDX CBOM	Prime contractor reporting
Mosca HNDL score	ISSO and board reporting
Monitor drift diffs	Continuous safeguard evidence

Qtangl mapping

Gov contractor CMMC scenario
Framework mapping to NSM-10 and CNSA 2.0 tiers
Signed verify links for prime audit cycles

Inventory aid — not CMMC certification.

90-day plan

Baseline scan on external TLS, SSH, JWKS
Mosca score on longest-retained deliverable classes
Export CBOM for prime contractor
Schedule quarterly re-scans

Government solutions · HNDL hub

Are you exposed?

Select your industry and migration runway. We pre-fill typical data shelf-life from sector norms.

Industry / data type

X — Data shelf-life (15–50 years)Y — Migration runway (years)Z — Quantum timeline (years)

25 + 7 = 32 vs Z = 10

Inequality holds — HNDL exposure today for your data profile.

Classified-adjacent research
Contract deliverables
Personnel records

Run free mini-assessment Mosca deep dive →

Qtangl mapping

Gov contractor CMMC scenario scan
NSM-10 and CNSA 2.0 framework mapping
Signed verify links for prime audit cycles

References & further reading

Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.

Last verified 2026-06-04

National Security Memorandum on Post-Quantum Cryptography (NSM-10)White House · 2022-05Federal mandate requiring migration away from quantum-vulnerable algorithms by 2035.
Commercial National Security Algorithm Suite 2.0 (CNSA 2.0)NSA · 2022NSA migration tiers for national security systems through 2030–2033.
NIST IR 8547: Transition to Post-Quantum Cryptography StandardsNIST · 2024Federal transition guidance with deprecation timelines for quantum-vulnerable algorithms.
Quantum Threat Timeline Report (Mosca inequality)Global Risk Institute · 2023Dr. Michele Mosca's X + Y > Z framework for harvest-now-decrypt-later exposure planning.

Try it

Gov contractor CMMC

Gov contractor & harvest-now-decrypt-later

Executive summary

Federal deadlines

Data shelf-life for contractors

Collection vectors

CMMC evidence package

Qtangl mapping

90-day plan

Government solutions

HNDL hub

Gov HNDL blog