This article covers US law and US DoD acquisition policy applicable to defence contractors. All regulatory references are US-specific. It does not address EU, UK, or other jurisdictions and does not constitute legal advice.

CMMC has been a moving target for years. The final rule (32 CFR Part 170) was published in October 2024 and became effective December 2024. C3PAO assessments are now flowing into contracts. Most contractors are still focused on the immediate problem: getting to 110 practices compliant under NIST SP 800-171 Rev 3 at Level 2. Post-quantum cryptography is not on most CMMC compliance roadmaps.

That is a defensible near-term prioritisation. PQC migration is not a current pass/fail gate in most Level 2 CMMC assessments. But PQC migration is a long-lead-time programme, and the compliance window is narrowing. Starting it after NIST IR 8547 is finalised and deprecation deadlines are enforced creates a compliance crunch. This article explains where PQC sits in the CMMC framework today and where it will sit by 2030.

The CMMC Framework: Brief Orientation

CMMC establishes three levels of cybersecurity requirement for DoD contractors: Level 1 (17 practices, FCI), Level 2 (110 practices, CUI, C3PAO assessment), and Level 3 (110+ practices including SP 800-172 enhanced requirements, DoD-led assessment). [VERIFIED from DFARS at https://www.acq.osd.mil/dpap/dars/dfars/]

One scope boundary matters for this discussion: CMMC governs contractors handling CUI and FCI. NSA's CNSA 2.0 governs National Security Systems (NSS). These are separate compliance obligations. NSS systems require ML-KEM-1024 and ML-DSA-87 under CNSA 2.0. Non-NSS CUI systems do not carry that mandatory parameter set. The distinction matters for implementation cost.

Where PQC Sits in CMMC Today

NIST SP 800-171 Rev 3 (December 2023) contains the cryptographic controls assessed at CMMC Levels 1 and 2. The three controls most directly relevant to PQC are 3.13.8 (cryptographic mechanisms for CUI in transmission), 3.13.10 (key management), and 3.13.16 (CUI at rest). Rev 3 does not explicitly mandate post-quantum algorithms by name.

What will change: NIST IR 8547 (Initial Public Draft, November 2024) proposes disallowing classical asymmetric algorithms including RSA, ECDSA, ECDH, and EdDSA for most purposes by 2035. Once IR 8547 is finalised, the FIPS-validated algorithm requirement embedded in DFARS 7012 will exclude systems that rely on the deprecated algorithms. A contractor starting a five-year migration programme in 2030 will not complete it before that deadline. [INFERRED from IR 8547's deprecation timeline applied to the DFARS 7012 FIPS validation requirement]

The practical step for Level 1 and Level 2 contractors now: document a Cryptographic Bill of Materials (CBOM) as part of 3.13.10 documentation in the System Security Plan, and a PQC migration programme in the Plan of Action and Milestones (POA&M) with time-bounded milestones.

Level 3: A Current Obligation Under SP 800-172

NIST SP 800-172 (Enhanced Security Requirements for CUI, February 2021), Section 3.13.2e requires organisations to employ post-quantum cryptography standards when they become available. [VERIFIED from NIST SP 800-172, February 2021, Section 3.13.2e, https://doi.org/10.6028/NIST.SP.800-172]

NIST published FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) in August 2024. The "when available" language in SP 800-172 3.13.2e is now triggered. Level 3 contractors have a current compliance obligation to begin deploying FIPS 203/204/205 for CUI-handling systems. Level 3 contractors should accelerate CBOM completion, prioritise deployment of FIPS 140-3 validated ML-KEM and ML-DSA implementations for highest-risk CUI systems, and document SP 800-172 3.13.2e compliance status in the SSP.

The CBOM: The Foundational Compliance Artefact

A Cryptographic Bill of Materials is the practical starting point regardless of CMMC level. For each CUI-handling system, document: all cryptographic algorithms in use; the function each serves; the implementation (library, hardware module, firmware); and the SP 800-171 Rev 3 control it satisfies. The output is a gap analysis showing which systems use classical algorithms that will fall outside the FIPS-validated set under NIST IR 8547's 2035 deprecation deadline. NIST SP 1800-38A (NCCoE PQC Migration) provides the Phase 1 (Discover) methodology for systematic CBOM production.

For supply chain: DFARS 252.204-7012 clause (d) requires prime contractors to flow CUI security requirements down to sub-tier suppliers. As PQC migration becomes part of CMMC assessment criteria, primes will need to assess sub-tier PQC readiness. For a detailed guide to managing sub-tier PQC obligations, see the CNSA 2.0 guide for sub-tier suppliers.

Parameter Sets: Which Algorithms for Which Systems

A common error is treating CNSA 2.0 parameter sets (ML-KEM-1024, ML-DSA-87) as the universal CMMC requirement. CNSA 2.0 mandates category 5 for NSS. For non-NSS CUI systems under CMMC, NIST category 3 parameters are the appropriate general recommendation.

System type                          | Framework                   | Key establishment                                        | Digital signatures
-------------------------------------|-----------------------------|----------------------------------------------------------|----------------------------------------------------
NSS systems                          | CNSA 2.0                    | ML-KEM-1024 (public key: 1,568 B; ciphertext: 1,568 B)   | ML-DSA-87 (signature: 4,627 B; public key: 2,592 B)
Non-NSS CUI systems (CMMC Level 2/3) | NIST general recommendation | ML-KEM-768 (public key: 1,184 B; ciphertext: 1,088 B)    | ML-DSA-65 (signature: 3,309 B; public key: 1,952 B)

[VERIFIED from NIST FIPS 203 Table 2 for ML-KEM sizes; NIST FIPS 204 Table 2 for ML-DSA sizes]
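As an added example (not code from the article or from QSECDEF), a minimal CBOM inventory and gap analysis in Python that serves both the CBOM method described above and the parameter-set table: it records each mechanism against its SP 800-171 Rev 3 control, flags entries using the classical asymmetric families IR 8547 proposes to disallow, maps each to the target parameter set for its system type, and computes the latest start year for a migration programme. The system names, implementations and inventory entries are constructed sample data, not a real contractor's CBOM.

```python
from __future__ import annotations
from dataclasses import dataclass
DEPRECATION_YEAR = 2035  # NIST IR 8547 IPD proposal, as cited in the article
CLASSICAL_ASYMMETRIC = {"RSA", "ECDSA", "ECDH", "EdDSA"}  # families IR 8547 proposes to disallow
TARGET = {  # target parameter sets by system type, from the article's table
    "NSS": {"key_establishment": "ML-KEM-1024", "signature": "ML-DSA-87"},
    "non-NSS": {"key_establishment": "ML-KEM-768", "signature": "ML-DSA-65"},
}

@dataclass(frozen=True)
class CbomEntry:
    system: str          # CUI-handling system (names below are constructed)
    system_type: str     # "NSS" or "non-NSS"
    algorithm: str       # e.g. "RSA-2048", "ML-KEM-768", "AES-256"
    function: str        # "key_establishment", "signature" or "symmetric"
    implementation: str  # library, hardware module or firmware
    control: str         # SP 800-171 Rev 3 control the mechanism satisfies

def is_deprecated_asymmetric(algorithm: str) -> bool:
    """True if the algorithm's family is one IR 8547 proposes to disallow by 2035."""
    return algorithm.split("-")[0] in CLASSICAL_ASYMMETRIC

def gap_analysis(cbom: list[CbomEntry]) -> list[dict]:
    """One finding per entry that must migrate, with the PQC target for its system type."""
    findings = []
    for e in cbom:
        if not is_deprecated_asymmetric(e.algorithm):
            continue  # symmetric or already FIPS 203/204/205: no IR 8547 gap
        target = TARGET[e.system_type].get(e.function, "review: function not asymmetric")
        findings.append({"system": e.system, "control": e.control,
                         "current": e.algorithm, "target": target})
    return findings

def latest_start_year(migration_years: int, deadline: int = DEPRECATION_YEAR) -> int:
    """Latest year a migration of this length can start and still finish by the deadline."""
    return deadline - migration_years

# Constructed sample inventory for two systems; not real contractor data.
SAMPLE_CBOM = [
    CbomEntry("cui-file-server", "non-NSS", "RSA-2048", "key_establishment", "OpenSSL 3 TLS", "3.13.8"),
    CbomEntry("cui-file-server", "non-NSS", "AES-256", "symmetric", "OpenSSL 3", "3.13.16"),
    CbomEntry("code-signing", "non-NSS", "ECDSA-P384", "signature", "HSM firmware", "3.13.10"),
    CbomEntry("nss-gateway", "NSS", "ECDH-P384", "key_establishment", "VPN appliance", "3.13.8"),
    CbomEntry("nss-gateway", "NSS", "ML-DSA-87", "signature", "vendor PQC library", "3.13.10"),
]
if __name__ == "__main__":
    for f in gap_analysis(SAMPLE_CBOM):
        print(f"{f['system']}: {f['current']} -> {f['target']} (control {f['control']})")
    print("latest start for a 5-year programme:", latest_start_year(5))
```

The findings list is the gap analysis the article describes; feeding it into the POA&M with a milestone per finding gives the time-bounded migration plan.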

The 2035 Compliance Deadline

NIST IR 8547 (Initial Public Draft, November 2024) proposes disallowing RSA, ECDSA, ECDH, and EdDSA for most purposes by 2035. [VERIFIED from NIST IR 8547 (IPD), November 2024, https://csrc.nist.gov/pubs/ir/8547/ipd] The arithmetic is straightforward: a contractor starting a five-year migration programme in 2028 completes in 2033, two years before the deadline. A contractor starting in 2030 completes on the deadline with no tolerance for delays.

The CMMC Level 2 contractor's position is clear: there is no current PQC assessment penalty, but the 2035 deprecation deadline creates a real compliance risk for any contractor that begins migration late. The CBOM is the low-cost, high-information first step.

The CMMC Level 3 contractor's position is different: SP 800-172 3.13.2e creates a current obligation triggered by FIPS 203/204/205 publication in August 2024. Level 3 contractors do not have the luxury of treating PQC as a future consideration. For a detailed CNSA 2.0 compliance framework applicable to contractors also operating NSS, see the CNSA 2.0 compliance audit framework and checklist.

QSECDEF professional membership and the QSECDEF certificated training programme include structured access to CMMC PQC readiness workshops, CBOM methodology training, and compliance programme guidance for contractors at all three CMMC levels.