The National Security Agency's Commercial National Security Algorithm Suite 2.0 mandates post-quantum cryptography for all National Security Systems. This guide covers every required algorithm, transition deadline, and compliance step.
CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) is the NSA's updated cryptographic guidance, released in September 2022. It replaces the original CNSA suite and establishes the post-quantum cryptographic algorithms that must be used to protect classified and sensitive National Security Systems (NSS).
The original CNSA 1.0 suite specified RSA-3072+, ECDH/ECDSA P-384, AES-256, and SHA-384 as approved algorithms. CNSA 2.0 retains the symmetric primitives (AES-256, SHA-384) but replaces all public-key algorithms with quantum-resistant alternatives standardized by NIST.
CNSA 2.0 is not optional for organizations operating National Security Systems. It represents the U.S. government's definitive position: the quantum threat to public-key cryptography is real, the timeline is near, and migration must begin now.
Key Document
NSA Cybersecurity Advisory: "Announcing the Commercial National Security Algorithm Suite 2.0" — Published September 7, 2022. Available from media.defense.gov.
CNSA 2.0 specifies exact algorithms and security levels for each use case. No lower parameter sets (e.g., ML-KEM-512, ML-DSA-44) are permitted for National Security Systems.
| Use Case | Algorithm | Standard | Transition | Notes |
|---|---|---|---|---|
| Software & Firmware Signing | ML-DSA-87 | FIPS 204 | Prefer by 2025 | XMSS/LMS (SP 800-208) also accepted; prefer immediately for firmware |
| Web Browsers & Servers (TLS) | ML-KEM-1024 + ML-DSA-87 | FIPS 203 + FIPS 204 | Prefer by 2025 | Hybrid key exchange during transition period |
| Key Establishment | ML-KEM-1024 | FIPS 203 | Prefer by 2025 | Replaces RSA and ECDH key exchange |
| Digital Signatures | ML-DSA-87 | FIPS 204 | Prefer by 2025 | Replaces RSA and ECDSA signatures |
| Hash-Based Signatures | XMSS / LMS | NIST SP 800-208 | Prefer immediately | Stateful; suitable for firmware and code signing only |
| Symmetric Encryption | AES-256 | FIPS 197 | No change required | Already quantum-resistant at 256-bit key length |
| Hashing | SHA-384+ | FIPS 180-4 | No change required | SHA-384 minimum; SHA-512 recommended |
Source: NSA CNSA 2.0 Advisory (September 2022) and NIST FIPS 203/204/205 (August 2024).
CNSA 2.0 establishes a phased transition from classical to post-quantum cryptography. Organizations operating NSS should treat these dates as hard deadlines, not aspirational targets.
NSA publishes CNSA 2.0, replacing the original CNSA suite with post-quantum algorithm requirements for National Security Systems.
NIST finalizes FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), providing the standardized algorithms referenced by CNSA 2.0.
NSS operators should prefer CNSA 2.0 algorithms for new systems and upgrades. Cryptographic inventory and migration planning must be underway.
All NSS must support CNSA 2.0 algorithms. Legacy RSA and ECC implementations must have migration paths in place. NIST IR 8547 deprecates classical algorithms.
NSS must exclusively use CNSA 2.0 algorithms. All classical public-key cryptography (RSA, ECDH, ECDSA) prohibited for National Security Systems.
Any system processing, storing, or transmitting classified national security information as defined by CNSSI 1253.
DIB organizations holding classified contracts (DFARS 252.204-7012) and requiring CMMC Level 2+ certification.
All 18 IC agencies and their contractors processing SCI and other classified intelligence data.
Civilian agencies operating NSS or processing classified information under EO 13526 and NSM-10.
Private sector guidance: While CNSA 2.0 is mandatory only for NSS, the NSA recommends all organizations — particularly those in financial services, healthcare, and critical infrastructure — adopt CNSA 2.0 algorithms as best practice. Data with secrecy requirements beyond 2030 is at risk from harvest-now-decrypt-later attacks today. Start with a quantum risk assessment to quantify exposure, then follow the PQC migration guide for a structured transition plan.
Identify every algorithm, key length, and protocol in use across your systems. You cannot migrate what you cannot see.
Prioritize systems protecting data with secrecy requirements beyond 2030. These face harvest-now-decrypt-later risk today.
A structured, step-by-step migration path aligned with CNSA 2.0 timelines and NIST IR 8547 deprecation guidance.
Deploy ML-KEM-1024 and ML-DSA-87 in priority systems. Validate implementations against NIST ACVP test vectors. Establish crypto-agility for future algorithm updates.
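The inventory step above, checked against the algorithm table earlier on this page, as an added Python example (not code from the NSA advisory or from any tool this page names). The record layout, use-case labels, verdict names and sample systems are assumptions made for illustration.

```python
import re

# Rules from the CNSA 2.0 table above: approved family -> minimum parameter.
MINIMUM = {"ML-KEM": 1024, "ML-DSA": 87, "AES": 256, "SHA": 384}
STATEFUL_HBS = {"LMS", "XMSS"}  # SP 800-208, stateful
SIGNING = {"firmware-signing", "code-signing"}  # assumed use-case labels
CLASSICAL = {"RSA", "DH", "DHE", "DSA", "ECDH", "ECDHE", "ECDSA"}
# Replacement by use case, per the table's Notes column.
REPLACEMENT = {"key-establishment": "ML-KEM-1024", "signature": "ML-DSA-87"}
# Accepts names such as "ML-KEM-768", "ECDSA P-384", "AES-128-GCM", "rsa_3072".
NAME = re.compile(r"^(ML-KEM|ML-DSA|[A-Z]+)[-_ ]*(?:P-)?(\d+)?")

def classify(algorithm, use_case):
    """Return (verdict, detail) for one inventory entry."""
    m = NAME.match(algorithm.strip().upper())
    if not m:
        return ("unknown", "unparsed name, review manually")
    family, param = m.group(1), m.group(2)
    if family in CLASSICAL:
        target = REPLACEMENT.get(use_case, "ML-KEM-1024 or ML-DSA-87")
        return ("migrate", f"replace with {target}")
    if family in STATEFUL_HBS:
        if use_case in SIGNING:
            return ("compliant", "SP 800-208")
        return ("wrong-use-case", "stateful; firmware and code signing only")
    if family not in MINIMUM or param is None:
        return ("unknown", "not classifiable from the table, review manually")
    if int(param) < MINIMUM[family]:
        return ("below-minimum", f"minimum is {family}-{MINIMUM[family]}")
    return ("compliant", f"{family}-{param}")

def audit(inventory):
    """Return the non-compliant rows as (system, algorithm, verdict, detail)."""
    rows = [(s, a) + classify(a, u) for s, a, u in inventory]
    return [r for r in rows if r[2] != "compliant"]

# Constructed sample inventory; system names are made up for illustration.
SAMPLE = [
    ("vpn-gw", "ECDH P-384", "key-establishment"),
    ("vpn-gw", "AES-256-GCM", "encryption"),
    ("web-tls", "ML-KEM-768", "key-establishment"),
    ("bootloader", "LMS", "firmware-signing"),
    ("doc-signing", "XMSS", "signature"),
    ("pki-root", "RSA-3072", "signature"),
    ("log-hash", "SHA-256", "hash"),
]
for row in audit(SAMPLE):
    print(*row, sep=" | ")
```

Entries the parser cannot place in the table come back as `unknown` rather than compliant, so unrecognised names always surface for manual review.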