B

Plain-English Glossary

Appendix B

Vocabulary, in plain English.

The terms below appear throughout this paper. Each is defined in the way a non-specialist executive needs to understand it — not in the way a cryptographer or regulator would define it.


TermPlain-English Definition
Asymmetric cryptographyThe family of cryptographic methods (RSA, elliptic curve, Diffie-Hellman) that secures nearly every authenticated transaction on the internet — logins, banking, software updates, encrypted email. Its security depends on math problems a future quantum computer is expected to solve easily.
CRQCCryptographically Relevant Quantum Computer (federal documents including NSM-10 and OMB M-23-02 use the phrase Cryptanalytically Relevant). A quantum computer powerful enough to break today's asymmetric cryptography in a usable timeframe.
PQCPost-Quantum Cryptography. A new generation of algorithms, now standardized by NIST, designed to resist attack by both today's computers and tomorrow's quantum computers.
HNDLHarvest Now, Decrypt Later. The well-documented adversary strategy of intercepting and storing encrypted data today, in anticipation of decrypting it once quantum capability arrives.
CBOMCryptographic Bill of Materials. An inventory of every place cryptography is used in the enterprise — systems, keys, certificates, vendors, embedded dependencies.
Crypto-agilityThe design principle of building systems so that the underlying cryptographic algorithm can be swapped out without rebuilding the application. The engineering prerequisite for a graceful migration.
ML-KEM / ML-DSA / SLH-DSAThe three NIST-standardized post-quantum algorithms (FIPS 203, 204, and 205), covering key exchange and digital signatures. The first commercial baseline for post-quantum deployment.
Hybrid deploymentA transitional approach that runs a classical algorithm and a post-quantum algorithm in parallel. Provides defense in depth during the migration period.
NSM-10National Security Memorandum 10 (May 2022). The federal directive that kicked off U.S. government migration to post-quantum cryptography.
Item 106 of Regulation S-KThe annual-disclosure requirement added by the SEC's 2023 cybersecurity rule. Requires public companies to describe, in their 10-K, how they assess and manage material cybersecurity risks, how the board oversees those risks, and management's role. Effective as of December 15, 2023.
Form 8-K Item 1.05The incident-disclosure requirement added by the same SEC rule. When a cybersecurity incident is determined to be material, the registrant has four business days to file a Form 8-K describing the incident and its material impact. Materiality must be determined “without undue delay.”
Sarbanes-Oxley certificationUnder the Sarbanes-Oxley Act, the CEO and CFO personally certify the accuracy of the annual report and the effectiveness of the disclosure controls that produced it. The cybersecurity disclosures required by Item 106 fall inside that certification.
Caremark / MarchandThe Delaware case law that requires boards to actively oversee mission-critical risks. A board that cannot show informed, documented oversight of such a risk faces personal liability that cannot be insured away with standard charter protections.
QKDQuantum Key Distribution. A method for distributing encryption keys with security guarantees grounded in physics. Mostly deployed today in banking, government, and defense applications with specific high-confidentiality requirements.
CFIUSCommittee on Foreign Investment in the United States. The interagency body that reviews foreign investments in U.S. businesses for national-security implications. Now mandatory for many quantum-adjacent transactions.