Post-Quantum Readiness: What FIPS 203/204/205 and FedRAMP 20x Mean for Your CMMC Program
Quantum computing is no longer a future cybersecurity problem. Federal agencies are already transitioning to quantum-resistant encryption, and defense contractors pursuing CMMC Level 2 need to understand what is coming and why starting now matters.
What Is Post-Quantum Readiness?
Post-quantum readiness is the process of auditing, updating, and future-proofing the cryptographic systems your organization relies on before quantum computing makes current encryption methods exploitable.
The public-key algorithms defending most government and commercial networks today (RSA, elliptic curve cryptography (ECC), and Diffie-Hellman key exchange) rest on math problems, integer factoring and discrete logarithms, that classical computers cannot solve at scale. Factoring a 2048-bit RSA key with today's hardware would take millions of years. A sufficiently powerful quantum computer running Shor's algorithm could do it in hours.
The threat is not theoretical anymore. Security researchers have documented a class of attack called "harvest now, decrypt later," where adversaries are actively collecting encrypted government and contractor data today with plans to run it through quantum systems once the hardware catches up. Data with a long shelf life (CUI, acquisition plans, technical drawings, supply chain records) is exactly what those collection operations target.
CISA, NSA, and NIST have all issued guidance pointing in the same direction: organizations should start transitioning to quantum-resistant cryptography now, not when quantum computers become a demonstrated operational threat. By the time the threat is confirmed, the transition window will already be closing.
Understanding FIPS 203, 204, and 205
In August 2024, NIST finalized the first three post-quantum cryptography standards after a multi-year evaluation of 69 candidate algorithms. These three standards form the initial federal toolkit for quantum-resistant cryptography.
FIPS 203 – ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)
This is the replacement for RSA and ECC in key exchange scenarios. ML-KEM is used to securely establish shared cryptographic keys between two parties, the function that secures TLS sessions, VPN tunnels, and encrypted file transfers. If your systems currently rely on RSA-2048 or ECDH for key exchange, FIPS 203 is the standard they will eventually need to migrate to. Three parameter sets are defined, ML-KEM-512, ML-KEM-768, and ML-KEM-1024, offering roughly 128, 192, and 256 bits of security against quantum as well as classical attackers.
FIPS 204 – ML-DSA (Module-Lattice-Based Digital Signature)
ML-DSA replaces RSA and ECDSA for digital signatures. Signatures authenticate the source and integrity of data: software updates, code signing, document authentication, certificate validation. Any workflow that currently uses RSA or EC-based signatures will eventually need to move to ML-DSA or a comparable quantum-resistant scheme. Three parameter sets are available, ML-DSA-44, ML-DSA-65, and ML-DSA-87, each targeting different security and performance trade-offs.
FIPS 205 – SLH-DSA (Stateless Hash-Based Digital Signature)
SLH-DSA is a backup digital signature algorithm derived from SPHINCS+. It is based on hash functions rather than lattice math, which means its security assumptions are independent of FIPS 204. NIST included it specifically to ensure that if a weakness is discovered in lattice-based algorithms, there is a standardized fallback that does not share the same underlying math. For high-assurance environments, running SLH-DSA alongside ML-DSA is a reasonable defense-in-depth choice.
These three standards do not replace AES or SHA-3. Quantum computers do not break symmetric encryption and hash functions in the same way: Grover's algorithm offers at most a quadratic speedup, which roughly halves the effective key length rather than breaking the primitive outright. AES-256 therefore retains adequate quantum security margins and remains compliant for protecting CUI. The focus of the transition is asymmetric cryptography: key exchange, digital signatures, and certificate-based authentication.
Why Post-Quantum Readiness Matters for CMMC
CMMC Level 2 already mandates FIPS-validated cryptography across several control families. SC.3.177 requires FIPS-validated cryptography to protect the confidentiality of CUI. IA.3.083 requires multi-factor authentication for local and network access to systems that process CUI. Both controls point directly to the cryptographic stack.
Right now, compliance with those controls can be met using current FIPS-validated algorithms including AES-256, RSA-2048, and SHA-256. That will not change overnight. But federal procurement direction is consistent: agencies are being told to prefer vendors and systems that are on a defined path toward quantum-resistant cryptography. CMMC requirements will reflect that direction as the standard matures.
There is also a practical concern specific to the defense supply chain. If you are managing data that has a classification or sensitivity window longer than the expected quantum threat horizon, you should already be thinking about how that data is encrypted in transit and at rest. Long-lived contracts, multi-year technical data packages, and program-of-record documentation fall into that category.
"The contractors who get ahead of this are the ones who treat cryptography like an asset inventory, not a checkbox. You need to know what you are running, where it is running, and whether it has a quantum-resistant upgrade path. That work takes time and you do not want to be doing it under deadline pressure."
Rick Dassler, CMMC Ready Now
How FedRAMP 20x Changes Compliance Expectations
FedRAMP 20x is a significant overhaul of how the federal government authorizes cloud services. The traditional FedRAMP process, with its large static documentation packages and point-in-time assessments, is being replaced with a framework built around continuous monitoring, automated evidence collection, and machine-readable security artifacts.
For contractors using cloud services to process or store CUI, this matters in two ways.
First, the cloud providers you rely on are going to be operating under tighter, more automated security validation requirements. If your MSP or cloud platform is not on a path toward FedRAMP 20x compliance, that is worth asking about now. Authorization gaps in your cloud environment can flow down into your own CMMC assessment if your System Security Plan treats those services as part of your boundary.
Second, FedRAMP 20x is pushing toward crypto-agility as an architectural expectation. Crypto-agility means your systems are built so cryptographic algorithms can be swapped out without a full infrastructure rebuild. Hard-coded RSA dependencies scattered across ten different applications are the opposite of crypto-agility. Organizations that start designing for algorithm flexibility now will have a much easier migration when quantum-resistant standards become a CMMC requirement rather than a recommendation.
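What crypto-agility looks like in code, as an added example that is not from the original article: signing providers are registered under an identifier, every signature in an artifact names the algorithm that produced it, and a policy object (not application code) decides what to sign with, what to still accept, and what must be present. The same structure carries the defense-in-depth option from the FIPS 205 section, where an ML-DSA signature and an SLH-DSA signature travel together. The provider identifiers, policy names and keys are hypothetical, and the providers themselves are keyed-hash stand-ins, because the Python standard library ships no ML-DSA or SLH-DSA; a real deployment would register a FIPS 204 / FIPS 205 implementation under the same (sign, verify) interface.

```python
"""Crypto-agile signing envelope with a dual-signature option (added example)."""
import hmac
import json
from typing import Callable, Dict, Tuple

SignFn = Callable[[bytes, bytes], bytes]          # (key, message) -> signature
VerifyFn = Callable[[bytes, bytes, bytes], bool]  # (key, message, signature) -> ok
PROVIDERS: Dict[str, Tuple[SignFn, VerifyFn]] = {}


def register_provider(alg_id: str, sign: SignFn, verify: VerifyFn) -> None:
    """Adding an algorithm is one registration; callers never change."""
    PROVIDERS[alg_id] = (sign, verify)


def _keyed_hash_provider(digest: str) -> Tuple[SignFn, VerifyFn]:
    """Stand-in provider constructed for this example: HMAC is not a signature scheme."""
    def sign(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, digest).digest()

    def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(hmac.new(key, msg, digest).digest(), sig)

    return sign, verify


# Hypothetical identifiers: today's RSA/ECDSA signer, an ML-DSA-style lattice signer,
# and an SLH-DSA-style hash-based signer whose security does not rest on lattices.
register_provider("legacy-standin", *_keyed_hash_provider("sha256"))
register_provider("pq-lattice-standin", *_keyed_hash_provider("sha3_256"))
register_provider("pq-hash-standin", *_keyed_hash_provider("sha512"))

# Policies describe the migration without touching code: what to sign with, what is
# still accepted during the transition, and what must verify for an envelope to be trusted.
LEGACY_POLICY = {"sign_with": ["legacy-standin"],
                 "accept": {"legacy-standin"},
                 "require": {"legacy-standin"}}
TRANSITION_POLICY = {"sign_with": ["pq-lattice-standin", "pq-hash-standin"],
                     "accept": {"legacy-standin", "pq-lattice-standin", "pq-hash-standin"},
                     "require": {"pq-lattice-standin"}}
CUTOVER_POLICY = {"sign_with": ["pq-lattice-standin", "pq-hash-standin"],
                  "accept": {"pq-lattice-standin", "pq-hash-standin"},
                  "require": {"pq-lattice-standin", "pq-hash-standin"}}


def _bound(alg_id: str, payload: bytes) -> bytes:
    # The algorithm identifier is part of the signed bytes, so a signature made
    # with one algorithm cannot simply be relabelled as another.
    return alg_id.encode() + b"\x00" + payload


def sign_envelope(keys: Dict[str, bytes], payload: bytes, policy: dict) -> str:
    sigs = []
    for alg in policy["sign_with"]:
        sign, _ = PROVIDERS[alg]
        sigs.append({"alg": alg, "sig": sign(keys[alg], _bound(alg, payload)).hex()})
    return json.dumps({"payload": payload.hex(), "signatures": sigs})


def verify_envelope(keys: Dict[str, bytes], envelope: str, policy: dict) -> bool:
    env = json.loads(envelope)
    payload = bytes.fromhex(env["payload"])
    valid = set()
    for entry in env["signatures"]:
        alg = entry["alg"]
        if alg not in policy["accept"] or alg not in PROVIDERS or alg not in keys:
            continue  # deprecated, unknown or unkeyed algorithms carry no weight
        _, verify = PROVIDERS[alg]
        if not verify(keys[alg], _bound(alg, payload), bytes.fromhex(entry["sig"])):
            return False  # a bad signature from an accepted algorithm is never tolerated
        valid.add(alg)
    return policy["require"].issubset(valid)


if __name__ == "__main__":
    keys = {"legacy-standin": b"k-legacy", "pq-lattice-standin": b"k-lattice",
            "pq-hash-standin": b"k-hash"}  # constructed demo keys
    old = sign_envelope(keys, b"firmware-v1", LEGACY_POLICY)
    new = sign_envelope(keys, b"firmware-v2", TRANSITION_POLICY)
    print("legacy artifact under transition policy:", verify_envelope(keys, old, TRANSITION_POLICY))
    print("dual-signed artifact under cutover policy:", verify_envelope(keys, new, CUTOVER_POLICY))
```

Moving from LEGACY_POLICY to TRANSITION_POLICY to CUTOVER_POLICY is a configuration change, which is the whole point: the application that calls sign_envelope and verify_envelope is never rebuilt. Binding the algorithm identifier into the signed bytes closes the obvious downgrade trick of relabelling a signature, and a failed signature from an accepted algorithm rejects the envelope rather than being skipped.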
What Defense Contractors Should Do Now
None of this requires an immediate full migration. FIPS 203/204/205 were finalized in August 2024 and adoption timelines for federal contractors are still developing. But there are five concrete steps worth taking in the near term, particularly if you are already working through a CMMC gap assessment or building out your SSP.
1. Build a cryptographic inventory. Document every place your organization uses asymmetric cryptography: VPN gateways, TLS certificates, code signing, email encryption, identity and access management systems, document signing workflows. You cannot plan a migration if you do not know what you are migrating.
2. Check your vendor roadmaps. Ask your firewall vendor, your cloud provider, your identity platform, and your email security vendor whether they have published a post-quantum cryptography roadmap. Most major vendors have. If yours have not, that is a risk to log in your SSP.
3. Evaluate crypto-agility in new purchases. When evaluating new software or infrastructure, add crypto-agility to your selection criteria. Systems that support pluggable cryptographic modules or configurable algorithm suites are better positioned for the transition than those with hardcoded legacy algorithms.
4. Update your SSP to reference post-quantum planning. You do not need a completed migration to document intent and planning. Assessors are increasingly looking for evidence that contractors understand where their cryptographic dependencies are and have a documented plan for addressing quantum-era risks over time. This feeds directly into SC.3.177 and IA controls.
5. Monitor CMMC and NIST guidance updates. NIST is expected to release additional post-quantum standards and migration guidance over the next two years. The CMMC program office has not yet issued specific post-quantum requirements, but the direction of federal policy is clear. Staying current on both tracks lets you adapt as requirements solidify.
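The inventory step above, and the earlier point about data whose sensitivity window outlasts the quantum threat horizon, can be turned into a small triage script. The following is an added example, not code from the original article: it reads a CSV inventory (columns asset, purpose, algorithm, parameter, data_shelf_life_years), classifies each entry as Shor-vulnerable public-key cryptography, FIPS 203/204/205 post-quantum cryptography, or symmetric/hash cryptography, and applies Mosca's inequality (shelf life X plus migration time Y greater than threat horizon Z means exposure to harvest-now-decrypt-later) to confidentiality uses only, since a forged signature in the future does not decrypt traffic recorded today. The rows, asset names and planning figures (3 years to migrate, 10-year horizon) are constructed sample data.

```python
"""Cryptographic inventory triage with a harvest-now-decrypt-later check (added example)."""
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed sample inventory; asset names are hypothetical.
SAMPLE_INVENTORY = """\
asset,purpose,algorithm,parameter,data_shelf_life_years
vpn-gw-01,key exchange,ECDH,P-256,10
www.example-contractor.test,tls certificate,RSA,2048,2
build-signer,code signing,ECDSA,P-384,15
file-share,data at rest,AES,256,15
pilot-tunnel,key exchange,ML-KEM-768,n/a,15
legacy-sftp,key exchange,DH,1024,8
"""

# Public-key families broken by Shor's algorithm (factoring and discrete logarithms).
QUANTUM_VULNERABLE = ("RSA", "ECDH", "ECDSA", "DH", "DSA", "EDDSA", "ED25519", "X25519")
# FIPS 203 / 204 / 205 families.
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Symmetric ciphers and hashes: Grover's algorithm only halves effective strength,
# so AES-256 and SHA-2/SHA-3 stay in service.
SYMMETRIC = ("AES", "SHA", "HMAC")
# Uses where a recorded ciphertext can be decrypted later. Signatures are not
# exposed this way but still need migrating before the threat horizon.
CONFIDENTIALITY_PURPOSES = ("key exchange", "data at rest", "email encryption")


@dataclass
class Finding:
    asset: str
    purpose: str
    algorithm: str
    status: str       # post-quantum | quantum-vulnerable | symmetric | unknown
    hndl_risk: bool   # harvest-now-decrypt-later exposure under Mosca's inequality


def classify(algorithm: str) -> str:
    """Map an inventory algorithm name to its quantum-threat category."""
    name = algorithm.upper()
    if name.startswith(POST_QUANTUM):
        return "post-quantum"
    if name.startswith(QUANTUM_VULNERABLE):
        return "quantum-vulnerable"
    if name.startswith(SYMMETRIC):
        return "symmetric"
    return "unknown"


def triage(inventory_csv: str, migration_years: float, threat_horizon_years: float) -> List[Finding]:
    """Mosca's inequality: if data shelf life (X) plus migration time (Y) exceeds the
    assumed quantum threat horizon (Z), ciphertext captured today is exposed."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["algorithm"])
        shelf_life = float(row["data_shelf_life_years"])
        exposed = (status == "quantum-vulnerable"
                   and row["purpose"].lower() in CONFIDENTIALITY_PURPOSES
                   and shelf_life + migration_years > threat_horizon_years)
        findings.append(Finding(row["asset"], row["purpose"], row["algorithm"], status, exposed))
    return findings


def migration_priority(findings: List[Finding]) -> List[Finding]:
    """Order the work: HNDL-exposed first, then other Shor-vulnerable uses, then the rest."""
    rank = {"quantum-vulnerable": 0, "unknown": 1, "symmetric": 2, "post-quantum": 3}
    return sorted(findings, key=lambda f: (not f.hndl_risk, rank[f.status], f.asset))


if __name__ == "__main__":
    # Assumed planning figures: 3 years to migrate, 10-year threat horizon.
    for f in migration_priority(triage(SAMPLE_INVENTORY, migration_years=3, threat_horizon_years=10)):
        flag = "HNDL" if f.hndl_risk else "    "
        print(f"{flag} {f.status:18} {f.asset:28} {f.purpose} ({f.algorithm})")
```

With the constructed figures, the two key-exchange endpoints protecting data that must stay confidential for 8 and 10 years land at the top of the list even though one of them uses a perfectly current ECDH P-256 configuration; the RSA TLS certificate that expires in two years does not, because its role is authentication. That ordering is the output an SSP migration plan can cite, and the threat-horizon and migration-time inputs are the assumptions an assessor will ask you to justify.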
Final Thoughts
Post-quantum readiness is not a switch you flip. It is an architectural posture you build toward over time. The contractors who will handle this transition smoothly are the ones who treat cryptography as a managed asset category today, before CMMC assessors are checking for it.
The good news is that FIPS 203/204/205 give you something concrete to plan against. The standards are finalized. The migration direction is clear. And unlike a lot of compliance requirements that arrive with short runways, this one is giving organizations a meaningful head start.
If you are working through NIST SP 800-171 Rev 3 changes or getting your program ready for CMMC Phase 2 assessments, add a cryptographic inventory to your current work. It does not cost much time now and it will matter a lot later.