Viewing as:

Defense · DoD · Intelligence Community

CNSA 2.0 requires a baseline
you don't have yet.

CNSA 2.0 Inventory Gap

NSA requires documented algorithm inventories across classified and unclassified systems. We generate that baseline without disruption to operations.

Harvest Now / Decrypt Later

State actors are collecting DoD encrypted traffic today. Quantum relevance arrives 2030–2035. Classification windows demand action now.

Machine Identity in Contested Environments

Unmanaged service accounts are the vector state actors exploit. We deliver the NHI inventory your Zero Trust architecture requires.

→ JWCC cloud cryptographic audit

→ Classified system discovery (on-prem)

→ HNDL risk prioritization

→ CNSA 2.0 migration baseline

→ Supply chain crypto assessment

→ Service account NHI inventory

Request DoD Briefing →

Civilian Agencies · CISA · DHS · HHS · DOE · DOJ

OMB requires an inventory.
Most agencies can't produce one.

The IG Audit Finding in Waiting

Federal auditors require service account inventories with credential rotation evidence. Most civilian agencies cannot produce this on demand. MIBOM closes that gap before the auditors arrive.

CDM Dashboard Native

Our platform feeds directly into your CDM dashboards. No manual export, no translation layer. Real-time posture within your existing CDM investment.

Competitive Procurement Preserved

Bundled discovery costs agencies 30–50% more. QFed delivers inventory only — you run your own competitive RFP, preserving FAR requirements and saving millions.

→ OMB M-23-02 inventory compliance

→ CDM dashboard integration

→ FISMA / IG audit readiness

→ Zero Trust EO 14028 NHI

→ Certificate expiry management

→ P-Card eligible assessments

Request Agency Briefing →

// Four Problems We Solve

01 — Compliance Mandate

OMB Requires an Inventory Nobody Has

OMB M-23-02 mandates a complete cryptographic asset inventory. Most agencies have no automated way to produce it.

"When we scan cisa.gov — the agency writing the guidance — they're in the same position as everyone else."

02 — Machine Identity Sprawl

Your Biggest Attack Surface Has No Owner

Federal environments average 144 non-human identities per human user. 97% are over-privileged. Most have no owner. IG audits now require a complete machine account inventory.

"MFA protects human logins. Firewalls protect the perimeter. Neither inventories service accounts."

03 — Harvest Now, Decrypt Later

Your Data Is Being Stolen Today for 2030

State actors are harvesting encrypted federal traffic now. When quantum computers arrive — 2030 to 2035 — everything collected today becomes readable.

"Clearance files. Treaty documents. Acquisition strategies. Data with decades-long confidentiality windows is already at risk."

04 — The Vendor Lock-In Trap

Bundled Discovery Costs Agencies 30–50% More

Major vendors bundle discovery with remediation — by the time you have inventory, you've lost procurement leverage. QFed separates discovery from remediation. Always.

"We don't sell remediation. No preferred vendors. No incentive to steer you anywhere but toward competitive bids."

100%

Agencies Scanned with Quantum-Vulnerable Crypto

144:1

Machine Identities per Human User

72%

Orgs with Certificate Outage in Past 12 Months

30–50%

Savings via Vendor-Neutral Discovery

$10M+

Typical PQC Remediation Without Inventory

// Platform

One scan. Full picture.
No agenda.

Cryptographic Intelligence

ACDI

Automated Cryptographic Discovery & Intelligence

Vendor-neutral automated discovery of every cryptographic asset — algorithms, certificates, key lengths, libraries, dependencies. Generates a machine-readable CBOM aligned to OMB M-23-02, with native CISA CDM integration.

Full algorithm inventory with CNSA 2.0 gap mapping
Certificate expiry lifecycle — eliminates unplanned outages
Native CDM dashboard integration
NIST SP 800-208 and CISA CRQC framework alignment
Vendor-neutral output for competitive remediation bidding

Deployed & Demonstrable

Machine Identity Governance

MIBOM

Machine Identity Bill of Materials

Complete inventory of every non-human identity — service accounts, API keys, OAuth tokens, certificates, bots, secrets, scripts. Generates the audit-ready identity report federal IGs require.

Discovers all machine accounts — including orphaned ones
Flags stale, over-privileged, and unowned identities
Credential rotation status and ownership per account
FISMA / IG audit-ready reports on demand
Zero Trust EO 14028 NHI governance alignment

Operational

Platform Bundle →One scan. Both inventories. ACDI + MIBOM in a single procurement action.

// How It Works

Discovery to Delivery.
Rapid. Structured. Complete.

01.

Scoping & Access Agreement

Define scope — network ranges, cloud accounts, on-prem, SaaS. No agents required. Activates within days of task order.

02.

Automated Platform Discovery

Discovery runs across your defined environment. No credentials transferred. No data leaves your perimeter. On-premise available for classified.

03.

Expert-Validated Analysis

Every finding reviewed by our cryptographic science team. Risk-prioritized, written for both technical and executive audiences.

04.

Bill of Materials Delivery

Complete inventory reports with executive briefing. Structured for your competitive procurement — any vehicle your agency prefers.

05.

Optional Annual Subscription

Quarterly rescans, certificate expiry alerts, NHI drift detection, compliance mapping updates.

// Why This Model

Discovery without
a sales pitch attached.

We inventory everything. Then we stop. No remediation. No vendor referrals. No agenda. Independent by design.

No remediation services — ever

No preferred vendor relationships

Findings structured for competitive RFP

Data belongs to your agency — fully portable

// Compliance

Every Mandate.
One Platform.

Mandate	What It Requires	How QFed Addresses It	Coverage
OMB M-23-02	Automated cryptographic inventory of all federal systems	ACDI generates machine-readable CBOM covering all discovered cryptographic assets	✓ Direct
CNSA 2.0	Software/firmware deadline Dec 31, 2026; full compliance by 2033	ACDI maps all RSA/ECDSA/ECDHE with CNSA 2.0 readiness scoring and migration priority queue	✓ Direct
CISA CDM	Continuous Diagnostics & Mitigation real-time dashboard feeds	Native CDM integration — direct feed to agency dashboards, no manual export required	✓ Native
EO 14028 / Zero Trust	Complete inventory of all identities including non-human accounts	MIBOM delivers NHI inventory Zero Trust architecture requires	✓ Direct
FISMA / IG Audits	Documented inventory of privileged accounts with rotation evidence	MIBOM generates audit-ready identity reports with ownership and rotation status	✓ Direct
NIST SP 800-208	Algorithm compliance detection and deprecation timeline tracking	ACDI flags all deprecated algorithm usage, prioritized by NIST schedule	✓ Direct
NSM-10 / PQC Strategy	PQC migration planning underway for all federal agencies	ACDI delivers the cryptographic inventory NSM-10 migration planning requires	✓ Enabling

// Get Started

Three steps.
No commitment required at step one.

// Step One

Request a Briefing

No-cost executive or technical briefing. Live demo using publicly available federal infrastructure. No commitment.

Response: Same business day

Format: Video, on-site, or written brief

Cost: No charge

Process: Online request

Request Briefing →

// Step Two

Scoped Assessment

Scoped engagement delivering CBOM and/or MIBOM with executive briefing. No remediation bundled. Ever.

Output: Machine-readable BOM + executive brief

Vehicle: Direct procurement, P-Card eligible

Pricing: Quote via Typeform

Order Assessment →

// Step Three

Annual Subscription

Continuous monitoring, quarterly rescans, certificate expiry alerts, NHI drift detection.

Frequency: Continuous + quarterly rescans

Alerts: Cert expiry · NHI drift · algo changes

Pricing: Annual — quote via Typeform

Discuss Subscription →

// Strategic Intelligence

White Papers for
Agency Leadership

Essential Reading — Federal CISOs

The Vendor Lock-In Trap

How Federal Agencies Overpay 30–40% on PQC Remediation

Expose the hidden costs of 'free' cryptographic assessments. Why discovery-to-remediation bundling destroys competitive procurement and how vendor-neutral approaches save millions.

Target: Federal CISOs, Procurement Officers

Request Access →

Time Sensitive — Compliance Officers

The 2026 Compliance Countdown

OMB M-23-02 Deadlines & Audit Preparation

Critical timeline for federal cryptographic inventory requirements. Month-by-month compliance milestones, audit preparation checklists, and remediation sequencing strategies.

Target: Compliance Officers, Agency Leadership

Request Access →

Defense — DoD / IC Leadership

CNSA 2.0 Defense Readiness

Cryptographic Inventory for DoD & IC Environments

How DoD components and IC agencies can generate the cryptographic baseline CNSA 2.0 requires — classified, unclassified, JWCC cloud, and supply chain — without vendor lock-in.

Target: DoD CISOs, Program Managers, IC Leadership

Request Access →

📋 Download Capability Statement

// Active Threat Metrics

0Days to CNSA 2.0 Deadline

100%Agencies Scanned Still Vulnerable

144:1Machine Identities per Human User

CNSA 2.0 Software Deadline Dec 31 2026

Federal Digital Asset Intelligence

Count everything.
Owe no one.

Most agencies cannot inventory their cryptographic assets or machine identities. We can — vendor-neutral, no remediation, no agenda.

Request Agency Briefing

SAM.gov RegisteredCAGE 9NW56Nontraditional Defense ContractorP-Card EligibleClassified Env. Capable

// The Question That Breaks Audits

Can your agency inventory all cryptographic assets today?

No. Almost no federal agency can.

Is your cryptography quantum-vulnerable?

Yes. 100% of sites we scan still use RSA / ECDSA.

Are adversaries collecting encrypted traffic now?

Yes. Harvest now, decrypt 2030–2035.

Can you produce a service account inventory for IG audit?

Rarely. That's the finding in waiting.

Viewing as:

Defense · DoD · Intelligence Community

CNSA 2.0 requires a baseline
you don't have yet.

CNSA 2.0 Inventory Gap

NSA requires documented algorithm inventories across classified and unclassified systems. We generate that baseline without disruption to operations.

Harvest Now / Decrypt Later

State actors are collecting DoD encrypted traffic today. Quantum relevance arrives 2030–2035. Classification windows demand action now.

Machine Identity in Contested Environments

Unmanaged service accounts are the vector state actors exploit. We deliver the NHI inventory your Zero Trust architecture requires.

→ JWCC cloud cryptographic audit

→ Classified system discovery (on-prem)

→ HNDL risk prioritization

→ CNSA 2.0 migration baseline

→ Supply chain crypto assessment

→ Service account NHI inventory

Request DoD Briefing →

Civilian Agencies · CISA · DHS · HHS · DOE · DOJ

OMB requires an inventory.
Most agencies can't produce one.

The IG Audit Finding in Waiting

Federal auditors require service account inventories with credential rotation evidence. Most civilian agencies cannot produce this on demand. MIBOM closes that gap before the auditors arrive.

CDM Dashboard Native

Our platform feeds directly into your CDM dashboards. No manual export, no translation layer. Real-time posture within your existing CDM investment.

Competitive Procurement Preserved

Bundled discovery costs agencies 30–50% more. QFed delivers inventory only — you run your own competitive RFP, preserving FAR requirements and saving millions.

→ OMB M-23-02 inventory compliance

→ CDM dashboard integration

→ FISMA / IG audit readiness

→ Zero Trust EO 14028 NHI

→ Certificate expiry management

→ P-Card eligible assessments

Request Agency Briefing →

// Four Problems We Solve

01 — Compliance Mandate

OMB Requires an Inventory Nobody Has

OMB M-23-02 mandates a complete cryptographic asset inventory. Most agencies have no automated way to produce it.

"When we scan cisa.gov — the agency writing the guidance — they're in the same position as everyone else."

02 — Machine Identity Sprawl

Your Biggest Attack Surface Has No Owner

Federal environments average 144 non-human identities per human user. 97% are over-privileged. Most have no owner. IG audits now require a complete machine account inventory.

"MFA protects human logins. Firewalls protect the perimeter. Neither inventories service accounts."

03 — Harvest Now, Decrypt Later

Your Data Is Being Stolen Today for 2030

State actors are harvesting encrypted federal traffic now. When quantum computers arrive — 2030 to 2035 — everything collected today becomes readable.

"Clearance files. Treaty documents. Acquisition strategies. Data with decades-long confidentiality windows is already at risk."

04 — The Vendor Lock-In Trap

Bundled Discovery Costs Agencies 30–50% More

Major vendors bundle discovery with remediation — by the time you have inventory, you've lost procurement leverage. QFed separates discovery from remediation. Always.

"We don't sell remediation. No preferred vendors. No incentive to steer you anywhere but toward competitive bids."

100%

Agencies Scanned with Quantum-Vulnerable Crypto

144:1

Machine Identities per Human User

72%

Orgs with Certificate Outage in Past 12 Months

30–50%

Savings via Vendor-Neutral Discovery

$10M+

Typical PQC Remediation Without Inventory

// Platform

One scan. Full picture.
No agenda.

Cryptographic Intelligence

ACDI

Automated Cryptographic Discovery & Intelligence

Full algorithm inventory with CNSA 2.0 gap mapping
Certificate expiry lifecycle — eliminates unplanned outages
Native CDM dashboard integration
NIST SP 800-208 and CISA CRQC framework alignment
Vendor-neutral output for competitive remediation bidding

Deployed & Demonstrable

Machine Identity Governance

MIBOM

Machine Identity Bill of Materials

Complete inventory of every non-human identity — service accounts, API keys, OAuth tokens, certificates, bots, secrets, scripts. Generates the audit-ready identity report federal IGs require.

Discovers all machine accounts — including orphaned ones
Flags stale, over-privileged, and unowned identities
Credential rotation status and ownership per account
FISMA / IG audit-ready reports on demand
Zero Trust EO 14028 NHI governance alignment

Operational

Platform Bundle →One scan. Both inventories. ACDI + MIBOM in a single procurement action.

// How It Works

Discovery to Delivery.
Rapid. Structured. Complete.

01.

Scoping & Access Agreement

Define scope — network ranges, cloud accounts, on-prem, SaaS. No agents required. Activates within days of task order.

02.

Automated Platform Discovery

Discovery runs across your defined environment. No credentials transferred. No data leaves your perimeter. On-premise available for classified.

03.

Expert-Validated Analysis

Every finding reviewed by our cryptographic science team. Risk-prioritized, written for both technical and executive audiences.

04.

Bill of Materials Delivery

Complete inventory reports with executive briefing. Structured for your competitive procurement — any vehicle your agency prefers.

05.

Optional Annual Subscription

Quarterly rescans, certificate expiry alerts, NHI drift detection, compliance mapping updates.

// Why This Model

Discovery without
a sales pitch attached.

We inventory everything. Then we stop. No remediation. No vendor referrals. No agenda. Independent by design.

No remediation services — ever

No preferred vendor relationships

Findings structured for competitive RFP

Data belongs to your agency — fully portable

// Compliance

Every Mandate.
One Platform.

Mandate	What It Requires	How QFed Addresses It	Coverage
OMB M-23-02	Automated cryptographic inventory of all federal systems	ACDI generates machine-readable CBOM covering all discovered cryptographic assets	✓ Direct
CNSA 2.0	Software/firmware deadline Dec 31, 2026; full compliance by 2033	ACDI maps all RSA/ECDSA/ECDHE with CNSA 2.0 readiness scoring and migration priority queue	✓ Direct
CISA CDM	Continuous Diagnostics & Mitigation real-time dashboard feeds	Native CDM integration — direct feed to agency dashboards, no manual export required	✓ Native
EO 14028 / Zero Trust	Complete inventory of all identities including non-human accounts	MIBOM delivers NHI inventory Zero Trust architecture requires	✓ Direct
FISMA / IG Audits	Documented inventory of privileged accounts with rotation evidence	MIBOM generates audit-ready identity reports with ownership and rotation status	✓ Direct
NIST SP 800-208	Algorithm compliance detection and deprecation timeline tracking	ACDI flags all deprecated algorithm usage, prioritized by NIST schedule	✓ Direct
NSM-10 / PQC Strategy	PQC migration planning underway for all federal agencies	ACDI delivers the cryptographic inventory NSM-10 migration planning requires	✓ Enabling

// Get Started

Three steps.
No commitment required at step one.

// Step One

Request a Briefing

No-cost executive or technical briefing. Live demo using publicly available federal infrastructure. No commitment.

Response: Same business day

Format: Video, on-site, or written brief

Cost: No charge

Process: Online request

Request Briefing →

// Step Two

Scoped Assessment

Scoped engagement delivering CBOM and/or MIBOM with executive briefing. No remediation bundled. Ever.

Output: Machine-readable BOM + executive brief

Vehicle: Direct procurement, P-Card eligible

Pricing: Quote via Typeform

Order Assessment →

// Step Three

Annual Subscription

Continuous monitoring, quarterly rescans, certificate expiry alerts, NHI drift detection.

Frequency: Continuous + quarterly rescans

Alerts: Cert expiry · NHI drift · algo changes

Pricing: Annual — quote via Typeform

Discuss Subscription →

// Entity Information

Federal Contractor

SAM.gov Registered

CAGE Code: 9NW56 UEI: H1ZUNCYKMX42 SAM.gov Active & Current Export Control Compliant

Technical Entity

QFed Solutions

Austin, TX Nontraditional Defense Contractor Federal Teaming Established On-premise deployment available Classified environment capable P-Card eligible entry tier

IP Position

Proprietary Methodology

Patented & patent-pending processes Trade secret protections in place Vendor-neutral by structural design Expert-validated findings

Platform Readiness

TRL 6 — Operational

ACDI: Deployed & demonstrable MIBOM: Operational Native CDM dashboard integration Vendor-neutral output — no format lock-in

// Strategic Intelligence

White Papers for
Agency Leadership

Essential Reading — Federal CISOs

The Vendor Lock-In Trap

How Federal Agencies Overpay 30–40% on PQC Remediation

Expose the hidden costs of 'free' cryptographic assessments. Why discovery-to-remediation bundling destroys competitive procurement and how vendor-neutral approaches save millions.

Target: Federal CISOs, Procurement Officers

Request Access →

Time Sensitive — Compliance Officers

The 2026 Compliance Countdown

OMB M-23-02 Deadlines & Audit Preparation

Critical timeline for federal cryptographic inventory requirements. Month-by-month compliance milestones, audit preparation checklists, and remediation sequencing strategies.

Target: Compliance Officers, Agency Leadership

Request Access →

Defense — DoD / IC Leadership

CNSA 2.0 Defense Readiness

Cryptographic Inventory for DoD & IC Environments

How DoD components and IC agencies can generate the cryptographic baseline CNSA 2.0 requires — classified, unclassified, JWCC cloud, and supply chain — without vendor lock-in.

Target: DoD CISOs, Program Managers, IC Leadership

Request Access →

📋 Download Capability Statement