CMMC may address today's cyber concerns but can it address future threats?
Quantum computing is on the horizon bringing with it a new set of cybersecurity challenges. Government contractors must prepare now for encryption and other concerns.
The U.S. Department of Defense (“DoD”) Final Cybersecurity Maturity Model Certification (“CMMC”) Program Rule published in early October lays out strong cybersecurity practices and verifiable security measures for contractors managing DoD data and systems.
The rule contains numerous provisions on encryption, which is a critical security control and a necessary tool in every contractor’s cybersecurity toolkit. However, encryption has also received significant attention recently in light of the fact that future powerful quantum computers may be able to break many current encryption schemes within five to 10 years.
This scenario raises the questions: how will DoD integrate tomorrow’s top security concerns -- such as the quantum computing threat to encryption -- into the CMMC rule, and can contractors prepare for future DoD compliance requirements that don’t yet exist?
Threat to Cryptography Equals Threat to National Security
Many businesses and government agencies today rely on an encryption scheme called 2048-bit RSA, whose security rests on the difficulty of factoring a 2048-bit number formed from two large prime numbers. Numbers of that size are far too large for classical computers to factor in any practical amount of time.
Powerful quantum computers (referred to as “fault tolerant”) will be able to factor these numbers easily. Given this existential threat to how we protect data, new cybersecurity protocols and quantum-encryption technologies will be needed to protect our online assets and services. McKinsey estimates quantum computers will be powerful enough for prime factorization by the late 2020s at the very earliest.
Leading quantum companies such as IBM and Quantinuum have recently introduced accelerated roadmaps to achieving universal, fully fault-tolerant quantum computing by 2030. These roadmaps show that the age of fault tolerance may be closer than many experts had previously predicted.
The Unknowns
In the context of the CMMC, while the rate at which cyber attackers succeed is reasonably predictable, there are significant unknowns when it comes to the use of newer technologies such as AI and quantum:
- When will a quantum computer powerful enough to break encryption be available?
- Will the U.S. and allied partners reach this milestone first, or will an adversary? Will we know when that happens?
- Are adversaries stealing encrypted national security secrets today in order to decrypt them when quantum computers are powerful enough?
Then of course, there are the budgetary, policy, and personnel unknowns characterized by a presidential transition year. As we transition from the Biden administration to the second Trump administration, many DoD contractors are asking:
- Will the new Administration prioritize legislation that promotes quantum technological innovation while incentivizing cybersecurity protocols to protect data in the quantum age? If so, when will funds start to flow down to the agency level?
- Will new immigration policies negatively impact the shortage of specialized labor such as in the area of quantum and other critical emerging technologies?
Specific to the CMMC final rule, there are existing unknowns that point to a lack of clarity on current CMMC implementation requirements and the timeline for when the requirements will appear in contracts. As CMMC evolves under the new administration, it is also unknown whether new leadership will revise CMMC to reflect even stronger cybersecurity frameworks to protect government networks, critical infrastructure, and private sector assets from cyberattacks.
The Knowns
What we can say with a measure of certainty is that U.S. government leaders from both sides of the aisle recognize the need for the government to migrate to quantum-safe encryption. Perhaps the most important action taken to date has been the launch in 2016 of a multiyear competition, spearheaded by the U.S. National Institute of Standards and Technology (“NIST”), to identify and select a new suite of cryptographic algorithms (“PQC algorithms”) that are resistant to the computational power of quantum computers as well as today’s digital computers.
These algorithms utilize specific, theoretically quantum-safe mathematical formulas to secure systems against quantum-based attacks. NIST released the first three finalized PQC standards in August of 2024. In November, NIST posted an initial draft report, NIST IR 8547, “Transition to Post-Quantum Cryptography Standards,” that attempts to “inform the efforts and timelines of federal agencies, industry, and standards organizations for migrating information technology products, services, and infrastructure to PQC.”
National Security Memo 8 (“NSM-8”) and Memo 10 (“NSM-10”) are additional guideposts for contractors seeking guidance. In January 2022, the White House acknowledged the reality of the quantum threat by issuing NSM-8, the first memorandum from the White House national security apparatus to specifically mention quantum-resistant cryptography in the context of current federal cybersecurity planning.
NSM-10 followed with more detailed migration requirements and deadlines for federal agencies and partners, clearly highlighting the national security threat posed by quantum computers vis-a-vis encryption while also noting the importance of supporting the domestic quantum ecosystem.
Quantum Computing as Defined by the Final CMMC Rule
Currently, CMMC addresses quantum computing systems as a specialized asset to be protected, while NSM-10 addresses quantum computing as a potential threat. For the DoD, quantum computing has both ‘sword’ and ‘shield’ implications. The increased computational power of a quantum system has the potential to exponentially advance U.S. military and surveillance operations as well as the potential to expose national security information at the highest levels.
Getting a Step Ahead
Contractors seeking CMMC certification will benefit from adopting PQC standards as mandated for their agency counterparts under NSM-10. Historically, major cryptographic transitions can take years and even decades to complete.
The time is now to:
1. Begin inventorying cryptography systems that will be vulnerable to future quantum attacks;
2. Develop “Quantum IQ” across your organization by exploring the benefits and risks that quantum technologies will pose for your business;
3. Review the NIST PQC standards and create a strategy for cryptographic agility that will allow organizations to protect data with minimal disruption; and
4. Identify partners established in the quantum ecosystem who can provide guidance during the transition to quantum-safe cybersecurity.
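The following Python script is an added illustration of steps 1 and 3 above, and of the RSA point made earlier in the article; it is not code from the article or from Quantinuum. It reads a constructed cryptographic inventory (one host per line in an assumed key=value format), classifies each public-key algorithm as quantum-vulnerable (RSA and Diffie-Hellman/elliptic-curve schemes, which Shor’s algorithm breaks via factoring or discrete logarithms) or quantum-safe (the three NIST standards finalized in August 2024: ML-KEM, ML-DSA and SLH-DSA), and ranks findings so that long-lived encrypted data, the harvest-now-decrypt-later case, is handled first. The five-year lifetime threshold and the replacement algorithms in MIGRATION_POLICY are assumptions for the example; keeping them in one policy table is the cryptographic-agility point: migrating means changing the table, not every call site.

```python
"""Cryptographic inventory triage (added example, constructed data).

Classifies public-key algorithms found in a system inventory by their
exposure to a fault-tolerant quantum computer and ranks the resulting
findings for a PQC migration plan.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Risk table: Shor's algorithm solves factoring and discrete logarithms, so
# RSA, DSA, DH, ECDSA and ECDH are all exposed. The three NIST FIPS 203/204/205
# schemes have no known efficient quantum attack.
ALGORITHM_RISK = {
    "RSA":     ("quantum-vulnerable", "integer factorization (Shor)"),
    "DSA":     ("quantum-vulnerable", "finite-field discrete logarithm (Shor)"),
    "DH":      ("quantum-vulnerable", "finite-field discrete logarithm (Shor)"),
    "ECDSA":   ("quantum-vulnerable", "elliptic-curve discrete logarithm (Shor)"),
    "ECDH":    ("quantum-vulnerable", "elliptic-curve discrete logarithm (Shor)"),
    "ML-KEM":  ("quantum-safe", "module lattice KEM, FIPS 203"),
    "ML-DSA":  ("quantum-safe", "module lattice signature, FIPS 204"),
    "SLH-DSA": ("quantum-safe", "stateless hash-based signature, FIPS 205"),
}

# Crypto-agility: one table names the currently approved algorithm per role.
# Assumed choices for this example; a real policy would be set by the program.
MIGRATION_POLICY = {"kex": "ML-KEM-768", "cert_sig": "ML-DSA-65"}

# Assumption for this example: data that must stay secret at least this long is
# exposed to harvest-now-decrypt-later collection and is triaged first.
LONG_LIVED_YEARS = 5


@dataclass
class Finding:
    host: str
    service: str
    role: str            # "kex" protects confidentiality, "cert_sig" authenticity
    algorithm: str
    status: str          # quantum-vulnerable / quantum-safe / unknown
    reason: str
    priority: str        # high / medium / review / low
    replacement: Optional[str]


def algorithm_family(name: str) -> Optional[str]:
    """Map 'RSA-2048' -> 'RSA', 'ML-KEM-768' -> 'ML-KEM'; longest prefix wins."""
    for fam in sorted(ALGORITHM_RISK, key=len, reverse=True):
        if name == fam or name.startswith(fam + "-"):
            return fam
    return None


def parse_inventory_line(line: str) -> dict:
    """Assumed inventory format: whitespace-separated key=value pairs."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def triage_record(rec: dict) -> List[Finding]:
    lifetime = int(rec.get("data_lifetime_years", "0"))
    findings = []
    for role in ("kex", "cert_sig"):
        alg = rec.get(role)
        if alg is None:
            continue
        fam = algorithm_family(alg)
        status, reason = ALGORITHM_RISK[fam] if fam else ("unknown", "not in risk table; review manually")
        if status == "quantum-safe":
            priority, replacement = "low", None
        elif status == "unknown":
            priority, replacement = "review", None
        elif role == "kex" and lifetime >= LONG_LIVED_YEARS:
            # Confidentiality of long-lived data is the urgent case: traffic
            # captured today can be decrypted once a quantum computer exists.
            priority, replacement = "high", MIGRATION_POLICY[role]
        else:
            # Signatures only matter once the attacker has the machine, so they
            # can be rotated later; short-lived key exchange is ranked the same.
            priority, replacement = "medium", MIGRATION_POLICY[role]
        findings.append(Finding(rec.get("host", "?"), rec.get("service", "?"),
                                role, alg, status, reason, priority, replacement))
    return findings


def triage_inventory(lines: List[str]) -> List[Finding]:
    """Triage every non-comment line and sort highest priority first."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            findings.extend(triage_record(parse_inventory_line(line)))
    order = {"high": 0, "medium": 1, "review": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[f.priority], f.host))


# Constructed sample inventory; no real hosts or systems.
SAMPLE_INVENTORY = """\
# host service cert_sig kex data_lifetime_years (constructed)
host=vpn01 service=ipsec cert_sig=RSA-2048 kex=DH-2048 data_lifetime_years=10
host=web01 service=tls cert_sig=ECDSA-P256 kex=ECDH-P256 data_lifetime_years=1
host=archive01 service=sftp cert_sig=ML-DSA-65 kex=ML-KEM-768 data_lifetime_years=25
host=legacy01 service=tls cert_sig=RSA-2048 kex=RSA-2048 data_lifetime_years=7
host=lab01 service=ssh cert_sig=FooSig-1 kex=ECDH-P256 data_lifetime_years=0
"""

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{f.priority:6} {f.host:10} {f.role:8} {f.algorithm:12} "
              f"{f.status:18} -> {f.replacement or 'keep'}  ({f.reason})")
```

Run as-is it prints the constructed inventory ranked high to low: the two long-lived, quantum-vulnerable key exchanges (vpn01 and legacy01) come first, the quantum-safe archive host last, and the unrecognised signature algorithm on lab01 is flagged for manual review rather than silently treated as safe.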
In addition to threatening current encryption, quantum computers may also unlock stronger cybersecurity. To achieve true resilience against quantum attacks, defense contractors are further encouraged to build a layered-defense strategy that includes PQC and cybersecurity solutions that leverage quantum mechanics, such as provable quantum entropy for encryption key generation.
When combined with PQC algorithms, these quantum-derived technologies can help protect against a far fuller range of threats posed by quantum computers as well as classical cybersecurity threats.
Kaniah Konkoly-Thege, chief legal counsel and senior vice president of government relations, and Ryan W. McKenney, director of government relations and general counsel of compliance at Honeywell-backed Quantinuum.