NSA Unveils CNSA 2.0 Post-Quantum Algorithm Suite
Sep 10, 2022 – The U.S. National Security Agency (NSA) has officially announced the release of the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), a new set of cryptographic standards designed to protect sensitive systems against future quantum-enabled cyber threats. The NSA’s cybersecurity advisory notifies National Security System (NSS) owners, operators, and vendors of the quantum-resistant (QR) algorithms that will replace current legacy encryption in classified and mission-critical networks. This move marks a major step in U.S. efforts to “plan, prepare and budget for a transition to QR algorithms” before quantum computers can break today’s codes. NSA Cybersecurity Director Rob Joyce emphasized that close collaboration between government and industry will be required for this transition, noting the hope that early guidance will help “efficiently operationalize” the new requirements when the time comes.
CNSA 2.0 outlines a suite of next-generation cryptographic algorithms chosen for their strength against both classical and quantum attacks. The selections largely mirror the algorithms emerging from the U.S. National Institute of Standards and Technology (NIST) post-quantum cryptography program. Notably, CNSA 2.0 includes:
- CRYSTALS-Kyber – a lattice-based key encapsulation mechanism for encrypting and exchanging keys, chosen as the new standard for secure key establishment. (Kyber’s highest security parameters will be used, replacing traditional Diffie-Hellman and elliptic-curve key exchanges.)
- CRYSTALS-Dilithium – a lattice-based digital signature algorithm for authenticating messages and software, set to replace RSA and ECDSA signatures. (Dilithium at the highest security level will be required for all classified uses.)
- AES-256 – the Advanced Encryption Standard with 256-bit keys remains the cornerstone for symmetric encryption, providing strong defense for data at rest and in transit. (Symmetric ciphers like AES-256 are deemed secure against quantum attacks, with AES-256 offering a comfortable security margin over AES-128.)
- SHA-384/512 – the SHA-2 family hash functions (384- or 512-bit variants) for secure hashing, used in integrity checks and within signature schemes. (These longer hashes mitigate any potential weakening of shorter hashes under quantum methods.)
- LMS and XMSS (Hash-Based Signatures) – Leighton-Micali Signature and eXtended Merkle Signature schemes are included for specific applications like firmware and software signing. These stateful hash-based signatures rely only on cryptographic hash functions (e.g. SHA-256) and are inherently quantum-resistant, making them ideal for long-term verification of critical software (with the NSA encouraging vendors to adopt the NIST SP 800-208 hash-based signatures immediately).
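What "stateful" means in practice, as an added example that is not taken from the NSA advisory or from this article: a simplified Merkle-tree signer built only from SHA-256, with Lamport one-time keys swapped in for the LM-OTS and WOTS+ one-time schemes that LMS and XMSS actually use. The names `MerkleSigner`, `digest_bits` and `verify` are hypothetical, and this teaching construction is not SP 800-208 compliant.

```python
import hashlib
import os

def H(data):
    return hashlib.sha256(data).digest()

def digest_bits(digest):
    return [(byte >> (7 - k)) & 1 for byte in digest for k in range(8)]

class MerkleSigner:
    """Toy stateful signer: 2**height Lamport one-time keys under one Merkle root."""
    def __init__(self, height=2):
        self.height, self.next_leaf = height, 0   # next_leaf is the state that must never repeat
        # One-time secret key: 256 pairs of random strings, one pair per message-digest bit.
        self.sk = [[(os.urandom(32), os.urandom(32)) for _ in range(256)]
                   for _ in range(1 << height)]
        self.pk = [[(H(a), H(b)) for a, b in key] for key in self.sk]
        level = [H(b"".join(a + b for a, b in key)) for key in self.pk]
        self.tree = [level]
        while len(level) > 1:
            level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
            self.tree.append(level)
        self.root = level[0]                       # long-term public key

    def sign(self, msg):
        if self.next_leaf >= 1 << self.height:
            raise RuntimeError("all one-time keys used; key pair is exhausted")
        i = self.next_leaf
        self.next_leaf += 1                        # advance state before releasing a signature
        reveal = [self.sk[i][j][b] for j, b in enumerate(digest_bits(H(msg)))]
        path = [self.tree[lvl][(i >> lvl) ^ 1] for lvl in range(self.height)]
        return i, reveal, self.pk[i], path         # leaf index, secrets, one-time pk, auth path

def verify(root, msg, sig):
    i, reveal, otpk, path = sig
    bits = digest_bits(H(msg))
    if len(reveal) != 256 or len(otpk) != 256:
        return False
    # Each revealed secret must hash to the public half selected by the digest bit.
    if any(H(r) != otpk[j][b] for j, (r, b) in enumerate(zip(reveal, bits))):
        return False
    node = H(b"".join(a + b for a, b in otpk))     # leaf = hash of the one-time public key
    for sibling in path:                           # climb to the root with the auth path
        node = H(node + sibling) if i % 2 == 0 else H(sibling + node)
        i //= 2
    return node == root
```

Signing two different messages with the same leaf would reveal both halves of some secret pairs, which is why the counter advances before the signature is returned; a production LMS or XMSS signer must also persist that counter durably across restarts and backups.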
Crucially, the introduction of CNSA 2.0 means that legacy public-key algorithms – RSA, Diffie-Hellman, and elliptic-curve cryptography – will be phased out for national security uses. Once the new suite is fully mandated, use of classic RSA/ECC alone will no longer be approved for protecting NSS data. In the interim, NSA will allow hybrid solutions (combining classical and post-quantum algorithms) for certain protocols if needed for interoperability, but the clear goal is to retire vulnerable algorithms on a set schedule.
The transition timeline laid out by NSA is ambitious, signaling urgency in the face of the quantum threat. Some of the key milestones include:
- Immediate: Begin transitioning software and firmware signing processes to use CNSA 2.0 algorithms as soon as compliant solutions are available. The NSA “encourages early deployment” of quantum-safe signing for code and updates, given the long lead times for software rollouts.
- By 2025: For new software and firmware, as well as public-facing systems like web browsers, servers, and cloud services, vendors should support and prefer the CNSA 2.0 algorithms by the end of 2025. In practice, this means companies need to start incorporating post-quantum ciphersuites (e.g. in TLS protocols, code signing tools, etc.) within the next few months to meet this target. Notably, no mandatory enforcement of CNSA 2.0 will occur before the end of 2025, giving organizations some time to adapt.
- By 2027: Starting January 1, 2027, all new acquisitions of NSS equipment must be CNSA 2.0-compliant by default. This effectively sets a deadline for vendors of hardware, operating systems, and applications used in national security to implement the approved quantum-resistant algorithms in any new product or upgrade rolling out after 2026.
- By 2030: Ahead of the broader 2030s deadline, certain categories have earlier cut-offs. For instance, all deployed software and firmware in NSS must be using CNSA 2.0 signatures by 2030. Also by 2030, legacy networking gear that cannot be upgraded with PQC (VPNs, routers, etc.) should be phased out of service.
- 2031-2033: By the end of 2031, the NSA expects full enforcement of CNSA 2.0 across all NSS cryptographic implementations, meaning all systems should be using only approved quantum-resistant algorithms (with exceptions only as noted by NSA). Intermediate targets are set through 2033 for certain specialized or constrained environments – for example, “niche” or legacy systems must be updated or replaced by 2033 at the latest.
- 2035 Ultimate Goal: NSA intends that all U.S. national security systems will be fully quantum-resistant by 2035, a date aligned with the White House’s NSM-10 directive for government-wide quantum security readiness. This 2035 horizon is essentially the “no later than” date – an outside limit acknowledging that some complex or long-life systems (like military hardware, satellites, etc.) may take up to a decade to retrofit or refresh. NSA urges vendors and agencies to make “every effort” to meet these deadlines or beat them if possible.
The CNSA 2.0 announcement also highlights coordination with ongoing standards efforts. NSA’s chosen algorithms closely follow NIST’s PQC selections. Until those standards are fully vetted and implementation guidelines are published, CNSA 1.0 (the current suite of classical algorithms defined in 2016) remains required for operational systems. NSA advises NSS owners not to deploy new quantum-resistant algorithms on live classified networks until they are proven and approved by NIST and the National Information Assurance Partnership (NIAP). However, with the standards process now well underway, the NSA is signaling that it’s time to start building and testing PQC into products so that transition can occur seamlessly once certifications are in place. As NSA’s Joyce put it, “we don’t want to get ahead of the standards process,” but the agency does want people ready to act once it concludes. The advisory was accompanied by a detailed FAQ document addressing common questions on quantum computing and cryptography, indicating NSA’s effort to educate stakeholders on this complex topic.
NSA’s launch of CNSA 2.0 is more than just a policy update – it’s a loud and clear call to action for quantum readiness. For U.S. companies, especially those contracting with the government or providing IT products for NSS environments, this announcement removes any lingering doubt about the timeline and direction of cryptographic change. It establishes concrete deadlines and approved solutions, which is immensely helpful for planning investments in new security technology. Now there is a roadmap: for example, knowing that by 2027 all new government systems must use CNSA 2.0, contractors and vendors can align their product development cycles accordingly. This clarity is a positive move, as it reduces uncertainty and empowers the private sector to move from research into implementation. In short, the NSA has drawn a “clear line in the sand” for migrating to post-quantum cryptography, sending a message that the era of quantum-safe encryption is officially here and has a firm end date for completion.