OMB M-23-02 PDF Report
--format pdf-report turns a pqc-check scan into a PDF structured around the
seven reporting sections of OMB M-23-02 (Migrating to Post-Quantum
Cryptography). It is intended as the raw material an agency can edit and
submit as part of its M-23-02 reporting cadence.
This report inventories quantum-vulnerable cryptography. It is not a security accreditation (such as FedRAMP authorization or a validated cryptographic module), and generating it does not make a system compliant. Treat it as a starting point for your own reporting.
Generate
pqc-check ./my-project --format pdf-report \
--agency "Department of Examples" \
--system "Customer Auth Service" > report.pdf
--agency <name>/--system <name>populate the report header.--reproduciblemakes the output byte-identical for the same scan (fixed PDF metadata dates + file ID, content-derived CBOM serial, no wall-clock timestamps) — for CI diffing and federal review.
pdf-report writes a binary PDF to stdout; redirect it to a file. (It refuses to
dump binary to an interactive terminal.)
The seven sections
| # | Section | Contents |
|---|---|---|
| 1 | Cover | Agency, system, scan date, tool version, scan fingerprint (SHA-256) |
| 2 | Executive summary | Totals by risk + traffic-light status (RED / AMBER / GREEN) |
| 3 | Cryptographic inventory | Each finding: algorithm, parameter set, NIST quantum security level, location, risk |
| 4 | Migration priority ranking | Ordered by risk, then harvest-now-decrypt-later exposure (key establishment before signing) |
| 5 | Recommended migration paths | Per-category PQC target — RSA → ML-KEM-1024, ECDSA → ML-DSA-87, … |
| 6 | Methodology & provenance | Tool version + the embedded CBOM's SHA-256 |
| 7 | Appendix | The full embedded CycloneDX 1.6 CBOM (machine-verifiable) |
Example
A sample report generated from a synthetic project with
--agency "Department of Examples (sample)" --system "Customer Auth Service":
📄 Download example OMB M-23-02 report (PDF)
It was produced with --reproducible, so re-running pqc-check on the same input
yields a byte-identical file.
Machine verification
The PDF embeds the CycloneDX 1.6 CBOM in its appendix, and section 6 records that CBOM's SHA-256. To verify the inventory programmatically, generate the CBOM directly:
pqc-check ./my-project --format cyclonedx-cbom --reproducible > cbom.json
sha256sum cbom.json # matches the hash printed in §6 of the PDF
See Output Formats → CycloneDX CBOM for the CBOM schema.