B
Vocabulary, in plain English.
The terms below appear throughout this paper. Each is defined in the way a non-specialist executive needs to understand it — not in the way a cryptographer or regulator would define it.
| Term | Plain-English Definition |
|---|---|
| Asymmetric cryptography | The family of cryptographic methods (RSA, elliptic curve, Diffie-Hellman) that secures nearly every authenticated transaction on the internet — logins, banking, software updates, encrypted email. Its security depends on math problems a future quantum computer is expected to solve easily. |
| CRQC | Cryptographically Relevant Quantum Computer (federal documents including NSM-10 and OMB M-23-02 use the phrase Cryptanalytically Relevant). A quantum computer powerful enough to break today's asymmetric cryptography in a usable timeframe. |
| PQC | Post-Quantum Cryptography. A new generation of algorithms, now standardized by NIST, designed to resist attack by both today's computers and tomorrow's quantum computers. |
| HNDL | Harvest Now, Decrypt Later. The well-documented adversary strategy of intercepting and storing encrypted data today, in anticipation of decrypting it once quantum capability arrives. |
| CBOM | Cryptographic Bill of Materials. An inventory of every place cryptography is used in the enterprise — systems, keys, certificates, vendors, embedded dependencies. |
| Crypto-agility | The design principle of building systems so that the underlying cryptographic algorithm can be swapped out without rebuilding the application. The engineering prerequisite for a graceful migration. |
| ML-KEM / ML-DSA / SLH-DSA | The three NIST-standardized post-quantum algorithms (FIPS 203, 204, and 205), covering key exchange and digital signatures. The first commercial baseline for post-quantum deployment. |
| Hybrid deployment | A transitional approach that runs a classical algorithm and a post-quantum algorithm in parallel. Provides defense in depth during the migration period. |
| NSM-10 | National Security Memorandum 10 (May 2022). The federal directive that kicked off U.S. government migration to post-quantum cryptography. |
| Item 106 of Regulation S-K | The annual-disclosure requirement added by the SEC's 2023 cybersecurity rule. Requires public companies to describe, in their 10-K, how they assess and manage material cybersecurity risks, how the board oversees those risks, and management's role. Effective as of December 15, 2023. |
| Form 8-K Item 1.05 | The incident-disclosure requirement added by the same SEC rule. When a cybersecurity incident is determined to be material, the registrant has four business days to file a Form 8-K describing the incident and its material impact. Materiality must be determined “without undue delay.” |
| Sarbanes-Oxley certification | Under the Sarbanes-Oxley Act, the CEO and CFO personally certify the accuracy of the annual report and the effectiveness of the disclosure controls that produced it. The cybersecurity disclosures required by Item 106 fall inside that certification. |
| Caremark / Marchand | The Delaware case law that requires boards to actively oversee mission-critical risks. A board that cannot show informed, documented oversight of such a risk faces personal liability that cannot be insured away with standard charter protections. |
| QKD | Quantum Key Distribution. A method for distributing encryption keys with security guarantees grounded in physics. Mostly deployed today in banking, government, and defense applications with specific high-confidentiality requirements. |
| CFIUS | Committee on Foreign Investment in the United States. The interagency body that reviews foreign investments in U.S. businesses for national-security implications. Now mandatory for many quantum-adjacent transactions. |