CNSA 2.0 Compliance Guide: Algorithms, Timelines, and Requirements
The National Security Agency's Commercial National Security Algorithm Suite 2.0 mandates post-quantum cryptography for all National Security Systems. This guide covers every required algorithm, transition deadline, and compliance step.
~10 min readWhat is CNSA 2.0?
CNSA 2.0(Commercial National Security Algorithm Suite 2.0) is the NSA's updated cryptographic guidance, released in September 2022. It replaces the original CNSA suite and establishes the post-quantum cryptographic algorithms that must be used to protect classified and sensitive National Security Systems (NSS).
The original CNSA 1.0 suite specified RSA-3072+, ECDH/ECDSA P-384, AES-256, and SHA-384 as approved algorithms. CNSA 2.0 retains the symmetric primitives (AES-256, SHA-384) but replaces all public-key algorithms with quantum-resistant alternatives standardized by NIST.
CNSA 2.0 is not optional for organizations operating National Security Systems. It represents the U.S. government's definitive position: the quantum threat to public-key cryptography is real, the timeline is near, and migration must begin now.
Key Document
NSA Cybersecurity Advisory: "Announcing the Commercial National Security Algorithm Suite 2.0" — Published September 7, 2022. Available from media.defense.gov.
Algorithm Requirements
CNSA 2.0 specifies exact algorithms and security levels for each use case. No lower parameter sets (e.g., ML-KEM-512, ML-DSA-44) are permitted for National Security Systems.
| Use Case | Algorithm | Standard | Transition | Notes |
|---|---|---|---|---|
| Software & Firmware Signing | ML-DSA-87 | FIPS 204 | New products/services by 2027 | XMSS/LMS (SP 800-208) also accepted; prefer immediately for firmware |
| Web Browsers & Servers (TLS) | ML-KEM-1024 + ML-DSA-87 | FIPS 203 + FIPS 204 | New products/services by 2027 | Hybrid key exchange during transition period |
| Key Establishment | ML-KEM-1024 | FIPS 203 | New products/services by 2027 | Replaces RSA and ECDH key exchange |
| Digital Signatures | ML-DSA-87 | FIPS 204 | New products/services by 2027 | Replaces RSA and ECDSA signatures |
| Hash-Based Signatures | XMSS / LMS | NIST SP 800-208 | Prefer immediately | Stateful; suitable for firmware and code signing only |
| Symmetric Encryption | AES-256 | FIPS 197 | No change required | Already quantum-resistant at 256-bit key length |
| Hashing | SHA-384+ | FIPS 180-4 | No change required | SHA-384 minimum; SHA-512 recommended |
Source: NSA CNSA 2.0 Advisory (September 2022), NSA CSfC post-quantum guidance, and NIST FIPS 203/204/205 (August 2024).
Transition Timeline
CNSA 2.0 establishes a phased transition from classical to post-quantum cryptography. Organizations operating NSS should treat these dates as hard deadlines, not aspirational targets.
NSA publishes CNSA 2.0, replacing the original CNSA suite with post-quantum algorithm requirements for National Security Systems.
NIST finalizes FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), providing the standardized algorithms referenced by CNSA 2.0.
CNSA 2.0 is expected for new products and services unless a CSfC Capability Package, NIAP Protection Profile, program stipulation, or waiver applies.
Equipment that does not support CNSA 2.0 should be replaced where required. CNSA 2.0 becomes the preferred protocol path for affected systems.
CNSA 2.0 is mandated for affected systems unless a program-specific stipulation or waiver applies.
Who Must Comply?
National Security Systems (NSS) Operators
Any system processing, storing, or transmitting classified national security information as defined by CNSSI 1253.
Defense Contractors
DIB organizations holding classified contracts (DFARS 252.204-7012) and requiring CMMC Level 2+ certification.
Intelligence Community
All 18 IC agencies and their contractors processing SCI and other classified intelligence data.
Federal Agencies with Classified Data
Civilian agencies operating NSS or processing classified information under EO 13526 and NSM-10.
Private sector guidance: While CNSA 2.0 is mandatory only for NSS, the NSA recommends all organizations — particularly those in financial services, healthcare, and critical infrastructure — adopt CNSA 2.0 algorithms as best practice. Data with secrecy requirements beyond 2030 is at risk from harvest-now-decrypt-later attacks today. Start with a quantum risk assessment to quantify exposure, then follow the PQC migration guide for a structured transition plan.
How to Start Your CNSA 2.0 Transition
Build Your Cryptographic Inventory
Identify every algorithm, key length, and protocol in use across your systems. You cannot migrate what you cannot see.
Request QScout assessment discovery with QScout→Assess Quantum Risk by Data Lifetime
Prioritize systems protecting data with secrecy requirements beyond 2030. These face harvest-now-decrypt-later risk today.
Forward-threat demonstration with QStrike→Follow the PQC Migration Checklist
A structured, step-by-step migration path aligned with CNSA 2.0 timelines and NIST IR 8547 deprecation guidance.
View the PQC checklist→Implement and Validate
Deploy ML-KEM-1024 and ML-DSA-87 in priority systems. Validate implementations against NIST ACVP test vectors. Establish crypto-agility for future algorithm updates.
Government compliance details→Frequently Asked Questions
What is CNSA 2.0 and when was it released?+
What algorithms does CNSA 2.0 require?+
When must organizations comply with CNSA 2.0?+
Who must comply with CNSA 2.0?+
How does CNSA 2.0 differ from NIST PQC standards?+
Assess Your CNSA 2.0 Readiness
QScout identifies every quantum-vulnerable algorithm in your infrastructure and maps findings directly to CNSA 2.0 requirements. QScout approved-scope snapshot, no integration required.