OMB Memorandum M-23-02: Migrating to Post-Quantum Cryptography
- Issuer: Office of Management and Budget (OMB)
- Effective date: Jan 18, 2023
- Published date: Jan 18, 2023
Summary
OMB Memorandum M-23-02 directs federal agencies to inventory cryptographic systems and prioritize migration to post-quantum cryptography in accordance with NIST standards. Agencies must identify systems that use public-key cryptography and create actionable migration plans. The memo responds to National Security Memorandum NSM-10 and aligns with OMB's broader zero-trust strategy. All inventory and migration plan deadlines have now passed.
PKI impact
M-23-02 required all federal agencies to inventory and plan migration of every public-key cryptographic system — including all certificate-dependent services and PIV/CAC identity credentials. All deadlines have passed, placing agencies with incomplete inventories or migration plans in active non-compliance with OMB direction.
Migration hints
- If the cryptographic inventory is incomplete, prioritize internet-facing TLS/SSL certificates and long-lived code-signing certificates as the highest-risk assets for harvest-now-decrypt-later attacks.
- Explicitly include PIV/CAC credentials in the cryptographic inventory; federal identity infrastructure relying on RSA-2048 or ECDSA key pairs must be represented in migration plans submitted to CISA and NSA.
- Update PQC migration plans to reference finalized FIPS 203/204/205/206 standards; plans drafted before August 2024 will have referenced draft versions.
- Flag any certificate with a validity period extending past 2030 for early renewal, aligning with the NIST IR 8547 deprecation deadline for classical algorithms.
- Engage your internal or commercial CA about its FIPS 203/204/205/206 issuance roadmap and confirm timeline alignment with your migration plan.
Milestones (3)
| Deadline | Label | Type | Hard | Notes |
|---|---|---|---|---|
| Jul 18, 2023 (OVERDUE) | Agency cryptographic inventory submission to CISA and NSA | Inventory | | Agencies required to submit inventories of public-key cryptographic systems within 180 days of memo issuance. |
| Jan 18, 2024 (OVERDUE) | Cryptographic agility requirements in new procurements | Crypto Agility | | All new federal IT procurements must require cryptographic agility and PQC readiness from vendors, effective one year from memo issuance. |
| Apr 18, 2024 (OVERDUE) | Agency PQC migration plans submitted | Migration Plan | | Agencies required to submit prioritized migration plans based on the completed cryptographic inventory. |
Algorithm references (2)
- ML-KEM (FIPS 203): Required
  Replaces: RSA, ECDH
  Agencies must plan migration to NIST-approved PQC KEMs for key exchange in federal systems.
- ML-DSA (FIPS 204): Required
  Replaces: RSA, ECDSA
  Agencies must plan migration to NIST-approved PQC signature schemes for authentication in federal systems.
Changelog (2)
| Date | Type | Description |
|---|---|---|
| Mar 1, 2025 | Clarification | OMB confirmed ongoing M-23-02 compliance monitoring in alignment with final NIST IR 8547 publication, reinforcing agency obligations to update migration plans to reflect finalized FIPS 203/204/205/206 standards. |
| Jan 18, 2023 | New | OMB M-23-02 issued, directing federal agencies to inventory cryptographic assets and plan migration to NIST PQC standards. |
Issuer
Office of Management and Budget (OMB)
Type: GOVERNMENT
Region: US