CNSA 2.0: NSA’s Quantum-Resistant Cryptography Standard Explained

Experts predict that a quantum computer could break the public key algorithms that protect classified government and defense data by the 2030s. To ensure that data and systems are prepared for this leap in computing power, as well as to protecting them from data being gathered now to decrypt with post-quantum cryptography (called “harvest now, decrypt later ” tactics), the U.S. government has announced a set of quantum-resistant cryptographic algorithms approved by the NSA: CNSA 2.0 (Commercial National Security Algorithm Suite 2.0).

This is a decisive moment in computing and digital cryptography. Government agencies, military organizations, as well as critical vendors that provide products or services to the government need to modernize their systems to keep up with these developments. Getting ahead of this transition now will help reduce potential issues that could delay completion and lead to gaps and vulnerabilities later.

• CNSA 2.0 updates cryptographic algorithms to proactively safeguard national security data and systems in the post-quantum computing environment.
• CNSA 1.0 vs. 2.0 represents a fundamental, generational change in cryptography in the face of powerful technology advancements.
• The NSA offers CNSA 2.0 timeline guidance, which includes the implementation of hybrid deployments to enable both classical and post-quantum cryptography to run in parallel during the transition.
• Critical steps for the transition include cryptographic inventory and documentation, enhancing crypto-agility, working with vendors to develop PQC roadmaps, and testing solutions ahead of time.

While quantum computing could power major advances in fields like science and technology, it also presents a serious threat to the cryptographic systems in use today. “Harvest now, decrypt later” tactics are just one example of these future threats.

The Commercial National Security Algorithm Suite (CNSA) 1.0 has served as the foundation for securing National Security Systems for over a decade, but it is no longer adequate to protect systems against post-quantum risks. The CNSA 2.0 requirements, developed by the NSA based on NIST’s post-quantum cryptography standardization process, are the result of a years-long effort toward quantum-resistant security.

CNSA 2.0 introduces an initial set of algorithms designed to defend systems from post-quantum attacks, ensuring that federal agencies and vendors can continuously protect sensitive information now and well into the future.

The new suite includes implementation timelines and guidance to help organizations plan for and begin the transition to these standards now, recognizing that updating and deploying quantum-safe cryptography in complex environments will require significant resources and time.

CNSA 2.0 algorithms define the next generation of cryptography for national security systems. The ECC- and RSA-based algorithms in CNSA 1.0 standards present serious vulnerabilities that quantum computers could exploit in the future. Quantum algorithms could be used to break both of these and successfully deploy brute-force attacks in significantly faster time frames.

The post-quantum algorithms in CNSA 2.0 are designed to withstand those attacks. Unlike RSA/ECC -based algorithms, CNSA 2.0 algorithms are built on lattice-based algorithms like ML-KEM and ML-DSA, which protect against both classical and quantum threats, as well as hash-based algorithms such as LMS and XMSS, which provide long-term security for digital signatures. In the future, ECC and RSA algorithms will be removed from CNSA guidelines, highlighting the importance of adopting these standards.

The recommended algorithms in CNSA 2.0 are:

• ML-KEM (Kyber) (FIPS 203) for quantum-resistant key establishment. This requires updates to TLS implementations and key management systems to handle larger key sizes and new parameter sets.
• ML-DSA (Dilithium) (FIPS 204) for digital signatures for general use replacing ECC and RSA-based signing methods to offer robust authentication. This will affect certificate issuance, code signing, and identity credentialing processes.
• SHA-384 for hashing, held over from CNSA 1.0 for its proven resistance and compatibility across systems.
• AES-256-GCM for symmetric encryption, ensuring data confidentiality and integrity.

Together, these updates adapt PKI, applications, and firmware for quantum-safe operations. Updating these algorithms is about more than compliance: it’s a critical modernization initiative to protect systems, data, and operations in the face an evolution in computing technology that will fundamentally change cryptographic security infrastructure.

Certificate issuance workflows must support new, larger key sizes and signature formats. Key management systems need to handle hybrid and transitional cryptographic keys during migration. Crypto libraries and HSMs must be updated while maintaining performance and interoperability.

The rise of post-quantum computing makes implementing processes and plans to enhance crypto-agility (the ability to seamlessly switch, test, and deploy new cryptographic algorithms without disrupting current operations) even more urgent. Preparing for CNSA 2.0 now helps organizations future-proof their environments.

CSNA 1.0 vs CSNA 2.0: key differences

CNSA 1.0 vs 2.0 represents a fundamental change in cryptographic design. CNSA 1.0 used strong classical cryptographic algorithms like RSA and ECC for key exchange and digital signatures to respond to existing threats, but it was not designed for a post-quantum future. As such, it is highly vulnerable to new cryptographic algorithms.

In contrast, CNSA 2.0 was designed with an eye toward the future, especially the rise of quantum computers. It replaces RSA and ECC with ML-KEM and ML-DSA for key exchange and digital signatures, which have been built specifically for the post-quantum environment.

PQC algorithms use different key structures, signature formats, and performance characteristics that affect hardware, firmware, and software integration, so they cannot simply be switched with classical algorithms. This means successfully implementing CNSA 2.0 requires comprehensive planning across certificate authorities, key management systems, crypto libraries, and network infrastructure. 

During this transition to the post-quantum computing environment, government agencies and organizations in high-assurance sectors must prepare for hybrid environments where both classical and post-quantum algorithms are deployed.

By embracing crypto-agility now in their preparation for CNSA 2.0, organizations can be confident about their ability to maintain secure operations into the future while reducing the risk of dangerous and costly technical debt.

The biggest shift with this new guidance isn’t just the algorithms, but the presence of a CNSA 2.0 timeline. For the first time, the NSA has set clear deadlines for moving away from classical cryptography. These dates mark the beginning of the end for RSA and ECC across national security systems, and they’re closer than many expected.

• As of 2025, all new National Security System (NSS) designs must support post-quantum cryptography to avoid the need to retrofit systems later.
• All NSS designs must only use PQC algorithms by 2030.
• Until 2030, NSA recommends dual-algorithm or hybrid deployments, which are capable of running both classical and post-quantum algorithms during the transition period. The agency expects the switchover to be complete by 2035. 

Internally, this transition can take years, especially for organizations in high-security sectors with highly complex technology environments and long procurement or deployment cycles, so there is little room for them to wait. Planning should begin immediately with an eye to developing crypto-agility as well. The ability to incorporate new algorithms as standards evolve will support a smooth and successful transition to CNSA 2.0 as well as the long-term resilience to adapt to future advancements and threats.

The transition to quantum-resistant cryptography and encryption requires visibility into crypto-dependent systems, processes, and components and the ability to rapidly adapt, update, and integrate new algorithms as standards and threats evolve. Understanding the key steps in this transition can help organizations create a comprehensive action plan.

• Inventory current cryptographic systems and dependencies. Catalog all systems, applications, devices, and services that use cryptography. Document which algorithms they use (such as RSA and ECC) and the key sizes used. Next, list all cryptographic libraries and modules and check if they can support hybrid or PQC algorithms. Develop a map of how cryptographic functions interact across systems (such as how encrypted data moves through the environment). Understanding the criticality, complexity, and dependencies of each system will help determine prioritization.
• Identify where cryptography is embedded, such as in apps, hardware, certificates, and protocols, and follow the documentation protocol mentioned above. This will help identify where updates may require firmware design or hardware replacement.
• Build a crypto-agility plan. Identify areas that can support dual algorithms and flexible key management during the transition phase. Any new products meant for use during the transition period should support both classical and PQC algorithms. Ensure teams have the skills and training to implement and manage both effectively.
• Engage vendors about PQC support and roadmaps. Partners whose products rely on cryptography may offer readiness plans, timelines, or advisory services about integrating post-quantum encryption methods into their solutions. These may include hybrid implementations and interoperability testing.
• Start testing hybrid and PQC-ready solutions early. Create a controlled test environment to assess the performance, interoperability, and integration with existing systems. This allows companies to refine plans in the face of unforeseen complications or failures.

As government agencies and other critical infrastructure providers prepare for post-quantum threats, strategic planning is essential. By engaging early in crypto-agility and PQC readiness initiatives into every layer of their systems, organizations can reduce operational risk and maintain compliance during the CNSA 2.0 transition period and beyond.

Entrust helps organizations navigate this transition with decades of expertise and leadership in certificate modernization and crypto-agility, essential for adapting systems to be PQC-ready. Our Cryptographic Security Platform supports hybrid deployment, ensures operational continuity and security throughout the migration process as well as post-quantum-ready security when the process is complete.

From performing crypto-agility assessments to testing hybrid and PQC systems, we provide national security-level organizations solutions and services that align with evolving NIST and NSA guidance. Learn more about how your organization can achieve crypto modernization with our suite of post-quantum cryptography solutions.