Skip to content

47-Day Certificates Are Coming. Are You Ready?

Act Now →

What Is CNSA 2.0?

CNSA 2.0 whitepaper

CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) is the US National Security Agency’s set of quantum-resistant cryptographic algorithms and the staged timeline for adopting them across National Security Systems, replacing the classical algorithms in CNSA 1.0.

CNSA 2.0 is the NSA’s roadmap for moving National Security Systems to post-quantum cryptography. It names the specific quantum-resistant algorithms that must be used, such as ML-KEM-1024 for key establishment and ML-DSA-87 for signatures, and sets category-by-category deadlines for when systems must support, prefer, and then exclusively use them, with most transitions targeted between 2030 and 2033.

Key Takeaways

  • CNSA 2.0 is the NSA’s quantum-resistant algorithm suite and transition timeline for National Security Systems (NSS), first announced in September 2022 and refined since.
  • The suite specifies ML-KEM-1024 (FIPS 203) for key establishment, ML-DSA-87 (FIPS 204) for signatures, AES-256 for symmetric encryption, and SHA-384 or SHA-512 for hashing. Software and firmware signing uses LMS or XMSS (SP 800-208).
  • Deadlines are set per technology category. Software and firmware signing targets exclusive CNSA 2.0 use by 2030; web, cloud, and operating systems by 2033; networking equipment by 2030.
  • From January 1, 2027, new NSS acquisitions are expected to be CNSA 2.0-compliant by default, and most transitions are targeted for completion by 2033, ahead of the NSM-10 2035 goal.
  • Although CNSA 2.0 is mandatory only for National Security Systems, it functions as an authoritative reference timeline that many commercial and critical-infrastructure organizations follow for their own post-quantum planning.

What CNSA 2.0 Is and Why It Exists

CNSA 2.0, the Commercial National Security Algorithm Suite 2.0, is the NSA’s cryptographic standard for protecting National Security Systems against the future threat of quantum computers. National Security Systems are systems that handle classified information or support military, defense, and intelligence functions. The NSA announced CNSA 2.0 in September 2022 to give vendors and system owners time to plan, budget, and migrate before a cryptographically relevant quantum computer arrives.

It replaces CNSA 1.0, which relied on classical algorithms such as RSA and elliptic-curve cryptography that a quantum computer could break using Shor’s algorithm. Where CNSA 1.0 was about strong classical cryptography, CNSA 2.0 is about quantum-resistant cryptography built on the NIST post-quantum standards.

The operational anchor is CNSSP 15, the Committee on National Security Systems policy that specifies which algorithms NSS must use, which was updated in 2025 to incorporate CNSA 2.0 and deprecate CNSA 1.0.

The CNSA 2.0 Algorithm Suite

CNSA 2.0 names specific algorithms and parameter sets, not just algorithm families. This precision is deliberate: it removes ambiguity for vendors building to the standard.

PurposeAlgorithmRelevant standard
Symmetric encryptionAES-256FIPS 197
Cryptographic hashingSHA-384 or SHA-512FIPS 180-4
Key establishmentML-KEM-1024FIPS 203
Digital signatures (general)ML-DSA-87FIPS 204
Software and firmware signingLMS or XMSS (LMS SHA-256/192 recommended)SP 800-208
Secure-boot hashingSHA3-384 or SHA3-512FIPS 202

Two things stand out. First, CNSA 2.0 selects the highest-strength parameter sets: ML-KEM-1024 and ML-DSA-87 are the category 5 (roughly AES-256 equivalent) options, reflecting the high-assurance nature of national security systems. Second, for software and firmware signing CNSA 2.0 specifies the stateful hash-based schemes LMS and XMSS rather than the lattice-based ML-DSA, because hash-based signatures rest on the most conservative security assumptions for code that must remain verifiable for decades.

CBOM Secure

Gain complete visibility with continuous cryptographic discovery, automated inventory, and data-driven PQC remediation.

The CNSA 2.0 Transition Timeline

CNSA 2.0 does not set a single cutover date. Instead it sets category-by-category deadlines, each with a ‘support and prefer’ milestone followed by an ‘exclusive use’ milestone. The following reflects the NSA’s guidance timeline, which the agency has refined since 2022.

Technology categorySupport and prefer byExclusive use by
Software and firmware signing20252030
Web browsers, servers, cloud services20252033
Traditional networking (VPNs, routers)20262030
Operating systems20272033

Two anchor dates tie the categories together. From January 1, 2027, new acquisitions of NSS equipment are expected to be CNSA 2.0-compliant by default. And the NSA has indicated it expects most equipment transitions to be complete by 2033, ahead of the broader 2035 quantum-resistance goal set by National Security Memorandum 10 (NSM-10).

Software and firmware signing and networking equipment carry the most aggressive exclusive-use date of 2030, because signed code and network traffic are especially exposed to harvest-now-decrypt-later collection.

Note on the Dates
These are NSA guidance dates for the transition, and the agency has refined the timeline since the original 2022 announcement. They are firm planning targets rather than static legal deadlines, and some categories allow hybrid classical-plus-quantum-resistant configurations during the transition, provided the CNSA 2.0 algorithm is present and preferred. Organizations should track NSA’s Post-Quantum Cybersecurity Resources and the relevant Protection Profiles, which began releasing in 2026, for the authoritative current dates.

Who CNSA 2.0 Applies To

Strictly, CNSA 2.0 is mandatory for National Security Systems and the vendors that supply them. That includes defense agencies, the intelligence community, and the defense industrial base of contractors and suppliers providing hardware, software, or services to those systems.

In practice its influence is much wider. Because CNSA 2.0 is the most operationally specific post-quantum timeline any US authority has published, with named algorithms and concrete dates, many commercial and critical-infrastructure organizations use it as their reference roadmap even when not legally bound by it. If you sell into the defense supply chain, CNSA 2.0 compliance is likely to appear in procurement requirements well before the exclusive-use dates arrive.

How CNSA 2.0 Relates to Other PQC Mandates

CNSA 2.0 does not exist in isolation. It sits alongside several other pieces of US post-quantum policy, and they mostly reinforce one another:

  • NSM-10 (2022) sets the government-wide goal of a quantum-resistant federal posture by 2035. CNSA 2.0’s 2033 target sits deliberately ahead of it.
  • NIST IR 8547 (draft) sets the civilian federal timeline to deprecate quantum-vulnerable public-key algorithms after 2030 and disallow them after 2035. CNSA 2.0 is the more aggressive NSS-specific counterpart.
  • The Quantum Computing Cybersecurity Preparedness Act (2022) codified federal migration requirements in law.
  • CNSSP 15 is the policy that operationally requires NSS to use the CNSA 2.0 algorithms; it was updated in 2025.

Complying With CNSA 2.0 Starts With Knowing What You Have

Every CNSA 2.0 deadline assumes you already know where your quantum-vulnerable cryptography lives. In reality, most organizations cannot say with confidence which systems use RSA or elliptic-curve cryptography, at what key sizes, in which protocols, and behind which certificates. That inventory gap is the first obstacle to compliance.

A Cryptography Bill of Materials (CBOM) closes that gap. It catalogs every algorithm, key, certificate, and protocol in your environment, which is exactly what you need to measure yourself against the CNSA 2.0 suite: to find the RSA and ECDSA that must become ML-KEM-1024 and ML-DSA-87, to identify the code-signing pipelines that must move to LMS or XMSS, and to report transition progress against the 2030 and 2033 dates. Without that inventory, CNSA 2.0 compliance is a deadline with no map.

PQC Advisory Services

Gain post-quantum readiness with expert-led cryptographic assessment, migration strategy, and hands-on implementation aligned to NIST standards.

How Encryption Consulting Helps

Encryption Consulting maps CNSA 2.0 directly to two services. CBOM Secure builds the cryptographic inventory that CNSA 2.0 compliance depends on, discovering every algorithm, key, certificate, and protocol in your environment and flagging the quantum-vulnerable ones against the CNSA 2.0 suite and its category deadlines.

Post-Quantum Cryptography Advisory Services then turn that inventory into a migration plan aligned to the CNSA 2.0 timeline, prioritizing the systems with the nearest exclusive-use dates and the longest-lived data, and mapping each system to its target CNSA 2.0 algorithm. Backed by ISO/IEC 27001:2022 and SOC 2 certified practices.

Frequently Asked Questions

What is CNSA 2.0?

CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) is the US National Security Agency’s set of quantum-resistant cryptographic algorithms and the timeline for adopting them across National Security Systems. Announced in September 2022, it replaces the classical algorithms of CNSA 1.0 with post-quantum standards such as ML-KEM-1024 and ML-DSA-87, and sets category-by-category deadlines for when systems must support, prefer, and then exclusively use them.

What algorithms does CNSA 2.0 require?

CNSA 2.0 specifies ML-KEM-1024 (FIPS 203) for key establishment, ML-DSA-87 (FIPS 204) for general digital signatures, AES-256 (FIPS 197) for symmetric encryption, and SHA-384 or SHA-512 (FIPS 180-4) for hashing. For software and firmware signing it specifies the stateful hash-based schemes LMS or XMSS (SP 800-208), and for secure-boot hashing it specifies SHA3-384 or SHA3-512 (FIPS 202). It selects the highest-strength parameter sets, reflecting the high-assurance nature of national security systems.

What are the CNSA 2.0 deadlines?

CNSA 2.0 sets deadlines by technology category, each with a support-and-prefer date and an exclusive-use date. Software and firmware signing targets exclusive use by 2030; traditional networking equipment by 2030; web browsers, servers, and cloud services by 2033; and operating systems by 2033. From January 1, 2027, new NSS acquisitions are expected to be CNSA 2.0-compliant by default, with most transitions targeted for completion by 2033. These are NSA guidance dates that have been refined over time.

Who has to comply with CNSA 2.0?

CNSA 2.0 is mandatory for National Security Systems and the vendors that supply them, including defense agencies, the intelligence community, and the defense industrial base. It is not legally binding on the general commercial sector. However, because it is the most operationally specific US post-quantum timeline, with named algorithms and concrete dates, many commercial and critical-infrastructure organizations adopt it as their reference roadmap, and it frequently appears in defense-related procurement requirements.

What is the difference between CNSA 2.0 and NIST IR 8547?

Both are US post-quantum transition timelines, but they cover different systems. CNSA 2.0 is the NSA’s timeline for National Security Systems and is more aggressive, targeting most transitions by 2033. NIST IR 8547 is the broader civilian federal guidance, proposing that quantum-vulnerable public-key algorithms be deprecated after 2030 and disallowed after 2035. CNSA 2.0 names specific parameter sets such as ML-KEM-1024 and ML-DSA-87, whereas IR 8547 focuses on the retirement schedule for the old algorithms.

How do I start complying with CNSA 2.0?

Start with a cryptographic inventory. You cannot migrate to ML-KEM-1024 and ML-DSA-87 or report progress against the CNSA 2.0 deadlines without first knowing where RSA, ECDSA, and other quantum-vulnerable algorithms are used across your systems. Build a Cryptography Bill of Materials (CBOM) that catalogs algorithms, key sizes, certificates, and protocols, then prioritize migration by the nearest exclusive-use dates and the longest-lived data, mapping each system to its target CNSA 2.0 algorithm.

Map Your Systems to the CNSA 2.0 Timeline

CNSA 2.0 gives you the algorithms and the dates. A cryptographic inventory tells you where you stand against them. See how CBOM Secure builds your cryptographic inventory, or talk to an Encryption Consulting PQC advisor about a CNSA 2.0 migration plan.