Preprint
Article

This version is not peer-reviewed.

Cryptographic Asset Discovery and Inventory for Embedded Systems: A Framework for Post-Quantum Cryptography Migration in Defense Applications

Submitted: 16 January 2026

Posted: 19 January 2026

Abstract
The impending threat of cryptographically relevant quantum computers (CRQCs) necessitates a comprehensive migration to post-quantum cryptography (PQC) across all computing domains. While commercial Cryptographic Asset Discovery and Inventory (CADI) tooling has emerged to support enterprise IT environments, embedded systems, which dominate defense platforms, tactical communications, and critical infrastructure, remain inadequately addressed. This paper presents a comprehensive framework for embedded systems-specific CADI, establishing a six-class taxonomy based on cryptographic characteristics and discovery feasibility. We show through feasibility analysis that fundamental constraints of embedded systems, including severe resource limitations, mission/operational continuity requirements (often including availability and safety imperatives), certification requirements, and hardware-bound cryptography, render IT-centric CADI approaches largely ineffective. Documentation-based discovery through vendor Cryptographic Bills of Materials (CBOMs) should typically serve as the primary methodology, with automated scanning relegated to supplemental verification. We analyze technical barriers to detection, including static linking, stripped binaries, cryptographic hardware offload, and proprietary implementations. The framework addresses lightweight cryptography considerations for constrained devices that are unable to accommodate standard PQC algorithm sizes, and examines lifecycle and certification constraints, including those related to DO-178C, IEC 62443, and Common Criteria. We establish planning-assumption discovery accuracy expectations (Table 6) ranging from 55–99% by embedded system class, and propose detection methodologies calibrated to each class. The paper concludes with integration pathways for Department of Defense Risk Management Framework processes and PQC migration planning.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.
Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.
