Although a cryptographically relevant quantum computer has yet to be realized, the story of quantum computing and the threat to cryptography stretches back a long way. In fact, it was understood in the 1990s that it was theoretically possible for a machine to use Shor’s algorithm, putting current methods of cryptography at future risk. The mathematics behind the scenes had an expiration date.
As a result, post-quantum cryptography became a steadily growing interest, first to researchers, and subsequently to industry and government, especially as the timelines for quantum-readiness became clearer. Interest in a theoretical concept slowly and subtly shifted to a real-world concern, especially as breakthroughs in building quantum machines seemed to be accelerating the timeline. That’s why in 2015, the NSA famously updated its website to warn that a transition to quantum-resistant algorithms would be necessary ‘soon’, advising vendors not to invest in ECC (elliptic curve cryptography) as it would eventually be replaced. It was, in effect, the first nail in the coffin for CNSA 1.0 and the starting pistol for what would eventually become the new recommendations for the US government, CNSA 2.0.
CNSA 2.0 (2022), driven by the White House’s catalytic NSM-10 memorandum, launched the use of specific PQC algorithms and, crucially, also set the deadline for compliance. The 2024 NIST standardization of ML-KEM and ML-DSA then solidified CNSA 2.0’s move from ‘proposed’ to ‘ready for implementation’. As a result, the Commercial National Security Algorithm Suite (CNSA) 2.0 is now the NSA’s set of cryptographic requirements, designed to secure National Security Systems against the threat of a Cryptographically Relevant Quantum Computer (CRQC).
Algorithms
CNSA 2.0 specifies both general-purpose algorithms and those specifically intended for software/firmware signing.
| Function | Algorithm | Specification | Parameter Goal |
|---|---|---|---|
| Symmetric Encryption | AES-256 | FIPS 197 | 256-bit keys |
| Public Key Exchange | ML-KEM | FIPS 203 | ML-KEM-1024 |
| Digital Signatures | ML-DSA | FIPS 204 | ML-DSA-87 |
| Hashing | SHA-384 / SHA-512 | FIPS 180-4 | |
| Firmware/Software signing | LMS or XMSS | NIST SP 800-208 | SHA-256/192 (LMS recommended) |
| Hardware integrity | SHA-384 / SHA-512 | FIPS 202 | SHA3-384 or SHA3-512 |
It’s worth noting that the suite of algorithms in CNSA 2.0 is built on a ‘defense-in-depth’ strategy. The core algorithms above rely on lattices and hashes, using different mathematical foundations for different tasks. For example, the general-purpose algorithms, ML-KEM and ML-DSA, are intended for secure communications such as TLS for web browsing, identity verification and message integrity.
The Quantum Threat
In addition to a future quantum computer, there is the threat of pre-emptive attacks known as Harvest Now, Decrypt Later (HNDL). An adversary could intercept and store encrypted data today with the intent of decrypting it once quantum technology matures. CNSA 2.0 mandates transition now to ensure data longevity, protecting information that should remain classified in years to come. To mitigate the harvesting phase, the NSA recommends inventory and prioritization – moving ‘high-value’ assets to the front of the queue for PQC transition – and focuses on PQC as the only recommended solution to the quantum problem, over alternatives such as QKD.
The Timeline
CNSA 2.0 sets out a multi-stage roadmap that’s designed to move all NSS to PQC. The timeline is effectively as follows:
| Category | Support and Prefer CNSA 2.0 | Exclusively Use CNSA 2.0 |
|---|---|---|
| Software/firmware signing | 2025 | 2030 |
| Networking Equipment (VPNs, routers) | 2026 | 2030 |
| Operating Systems | 2027 | 2033 |
| Web Browsers/Cloud Services | 2025 | 2033 |
| Niche/Custom Equipment | 2030 | 2033 |
| Legacy Systems | N/A | 2035 |
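The inventory-and-prioritization step and the timeline above can be combined into a simple triage pass. This is an added example, not NSA or PQShield code: the asset names, algorithm labels and category keys are constructed, ranking HNDL-exposed assets ahead of deadline order is an assumption, and a milestone is treated as reached from the start of its listed year.

```python
from dataclasses import dataclass

# Approved names from the algorithm table on this page (all functions pooled).
CNSA2_APPROVED = {"AES-256", "ML-KEM-1024", "ML-DSA-87", "SHA-384", "SHA-512",
                  "LMS", "XMSS", "SHA3-384", "SHA3-512"}
# Classical key exchange that Shor's algorithm breaks: traffic recorded today
# is exposed to Harvest Now, Decrypt Later. Labels are constructed.
HNDL_EXPOSED_KEX = {"ECDH-P384", "DH-3072", "RSA-3072-KEX"}
# category -> (support-and-prefer year, exclusive-use year), from the timeline table.
DEADLINES = {"signing": (2025, 2030), "networking": (2026, 2030),
             "os": (2027, 2033), "web_cloud": (2025, 2033),
             "niche": (2030, 2033), "legacy": (None, 2035)}

@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    algorithms: tuple
    high_value: bool = False

def audit(asset, year):
    """Return a finding dict for one asset as of the given calendar year."""
    prefer, exclusive = DEADLINES[asset.category]
    gaps = sorted(a for a in asset.algorithms if a not in CNSA2_APPROVED)
    if not gaps:
        status = "compliant"
    elif year >= exclusive:
        status = "overdue"            # exclusive-use year reached with gaps left
    elif prefer is not None and year >= prefer:
        status = "transition-window"  # should already support and prefer CNSA 2.0
    else:
        status = "planned"
    return {"name": asset.name, "status": status, "replace": gaps,
            "hndl": any(a in HNDL_EXPOSED_KEX for a in gaps),
            "high_value": asset.high_value, "exclusive_by": exclusive}

def prioritize(inventory, year):
    """Order non-compliant assets: high-value, then HNDL-exposed, then deadline."""
    findings = [f for f in (audit(a, year) for a in inventory)
                if f["status"] != "compliant"]
    return sorted(findings, key=lambda f: (not f["high_value"], not f["hndl"],
                                           f["exclusive_by"]))

# Constructed sample inventory (hypothetical systems, not from the page).
INVENTORY = [
    Asset("os-image", "os", ("ECDSA-P384", "SHA-384")),
    Asset("code-signing-hsm", "signing", ("ECDSA-P384", "SHA-384")),
    Asset("intranet-portal", "web_cloud", ("ML-KEM-1024", "ML-DSA-87", "AES-256")),
    Asset("legacy-scada", "legacy", ("ECDH-P384", "AES-128")),
    Asset("vpn-gateway", "networking", ("ECDH-P384", "AES-256"), high_value=True),
]
```

Calling `prioritize(INVENTORY, 2026)` returns the migration queue for that year; each finding lists the algorithms to replace and the category's exclusive-use year.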
Naturally, the timeline serves as a procurement mandate for agencies. Starting in 2027, any vendor selling new equipment to the US government must prove CNSA 2.0 compliance – a check box that’s likely to fuel the supply chain, encouraging vendors to deploy compliance into commercial products. That’s why organizations such as PQShield have been accelerating towards the use of CNSA 2.0 compliant algorithms over the last few years. We believe it’s our mission to help empower the global technology supply chain, based on requirements that future-proof the assets of tomorrow. Our UltraPQ suite of products is focused around the use of these algorithms, and is cryptographically agile enough to accommodate change and future standardizations. Our team were among the first to help co-author the NIST standards, and our experience has helped us build IP that’s performant, scalable, and ready for the threats of tomorrow.
For more information, you can access CNSA 2.0 documentation here.
