Request Consultation
Request Consultation

FIPS 140

Compliance

Technology

Industries

FIPS 140-3 Validated Software

Post-Quantum Cryptography

Entropy

Extended Support



CNSA 2.0 Compliance

Future-Proof Your National Security Systems with Certified CNSA 2.0 Cryptography

 

 

What is CNSA 2.0?

CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) is a set of quantum-resistant cryptographic algorithms approved by the NSA for use in National Security Systems (NSS), which includes systems handling classified information or supporting military, defense, or intelligence functions.

CNSA 2.0 introduces cryptographic protections against emerging quantum threats. It includes lattice-based key exchange and digital signature algorithms, as well as secure hashing and symmetric encryption standards.

CNSA-2.0-compliance

CNSA 2.0 Algorithms

CNSA 2.0 specifies a suite of algorithms for general-purpose use and firmware/software-specific applications:

cnsa-2.0-algorithms

 

General-Purpose Algorithms

  • AES 256 (Advanced Encryption Standard) – symmetric block cipher for information protection (FIPS 197)
  • ML-KEM-1024 (Module Lattice-Based Key Establishment Mechanism) – asymmetric algorithm for key establishment (FIPS 203)
  • ML-DSA-87 (Module Lattice-Based Digital Signature Standard) – asymmetric algorithm for digital signatures in any use case, including signing software and firmware (FIPS 204)
  • SHA-384 and SHA-512 (Secure Hash Algorithm) – algorithms for creating a condensed representation of information (FIPS 180-4)

Algorithms Allowed in Specific Applications

  • LMS (Leighton-Micali Signature) - Asymmetric algorithm for digitally signing firmware and software (NIST SP 800-208)
  • XMSS (Xtended Merkle Signature Scheme) - Asymmetric algorithm for digitally signing firmware and software (NIST SP 800-208)

CNSA 2.0 builds on NIST’s FIPS 140 standards and certification programs for cryptographic algorithms and modules. CNSA 2.0 includes two of the three PQC algorithms recently standardized by NIST: ML-KEM and ML-DSA. However, it does not include NIST’s SLH-DSA algorithm.

CNSA 2.0 Timeline

The NSA stated that "when validated products become available, they should be deployed in mission systems." Both NIAP and the Commercial Solutions for Classified Systems (CSfC) program aim to track the validation status of products closely.  

Date Requirement

Now

NSA encourages early deployment of CNSA 2.0 algorithms as validated products become available.

+6 months after CNSSP 15 publication

Any NSS not compliant with CNSA 1.0 must become CNSA 2.0 compliant or request a waiver within 90 days.

December 31, 2025

No enforcement of CNSA 2.0 transition before this date. Existing NIAP or CSfC-validated systems remain valid through their certification lifecycle.

January 1, 2027

All new acquisitions for National Security Systems must be CNSA 2.0 compliant, unless otherwise stated in updated protection profiles.

December 31, 2030

All fielded equipment and services that cannot support CNSA 2.0 must be phased out. Transition planning for hardware upgrades should be underway. 

December 31, 2031

Full enforcement: All cryptographic implementations in NSS must use CNSA 2.0 algorithms unless otherwise noted.

By 2035

Per NSM-10, all National Security Systems must be quantum-resistant.

CryptoComply to Provide Full CNSA 2.0 Support

SafeLogic is committed to helping organizations stay ahead of compliance deadlines. Our upcoming CNSA 2.0 version of CryptoComply will include:

  • All CNSA 2.0 algorithms (AES-256, ML-KEM-1024, ML-DSA-87, LMS, XMSS, SHA-384/512)
  • Built-in support for FIPS 140-validated implementations
  • CNSA 2.0 Mode to enforce use of approved algorithms
  • Automatic blocking of deprecated methods (RSA, ECDSA)
  • Built in crypto-agility to support future transitions

Explore CryptoComply

cryptocomply-2

 

Ready to Migrate to CNSA 2.0?

Call us at 844-436-2797 or complete the form below to learn how CryptoComply can simplify your CNSA 2.0 transition.