OMB M-23-02 directs agencies to submit to ONCD and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) a prioritized inventory of information systems and assets, excluding national security systems, that contain cryptographic systems vulnerable to a cryptanalytically relevant quantum computer (CRQC).
No later than 30 days after the submission of each annual inventory of cryptographic systems required under Section II of this memorandum, agencies are required to submit to ONCD and OMB an assessment of the funding required to migrate information systems and assets inventoried under this memorandum to post-quantum cryptography during the following fiscal year. These agency assessments will inform the funding assessments required by NSM-10 Section 3(c)(iv).