What is CNSA 2.0 and how to prepare for it
CNSA 2.0 — the Commercial National Security Algorithm Suite 2.0 — is the U.S. National Security Agency designation of the cryptographic algorithms required to protect national security systems in the post-quantum era. It names ML-KEM and ML-DSA as the quantum-resistant standards and sets a phased transition timeline running through the early 2030s, making post-quantum cryptography a procurement requirement for defense suppliers rather than an optional upgrade.
What CNSA 2.0 mandates
CNSA 2.0 specifies the approved algorithms and their roles for national security systems: ML-KEM (FIPS 203) for key establishment and ML-DSA (FIPS 204) for signatures, alongside hash-based signing for firmware and software where appropriate, and larger symmetric and hash parameters. Crucially it attaches dates — a staged schedule by which classes of systems, including software and firmware signing, must adopt the suite. For vendors selling into national security programs, meeting CNSA 2.0 on time becomes a condition of doing business.
How to prepare
Start with a cryptographic inventory: find every place your products and services use cryptography and record which algorithm, where, and protecting what. Build crypto-agility so primitives can be swapped without re-architecture. Prioritize long-lived and firmware-embedded signing, which cannot be patched later at scale. Then be ready to demonstrate readiness to program offices — increasingly that means producing a machine-readable cryptographic bill of materials rather than asserting compliance in a slide.
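An added example (not from the original page or from any vendor tool) of the inventory step described above: it classifies constructed inventory records against the CNSA 2.0 algorithm set and emits a machine-readable report, with unpatchable firmware signing sorted first. The record fields, report layout and priority rule are assumptions for illustration and follow no particular CBOM schema; the parameter sets listed are those in NSA's published suite.

```python
import json

# Algorithm -> roles it is approved for. Families are the ones this page names;
# parameter sets are those in NSA's published CNSA 2.0 suite.
CNSA2_APPROVED = {
    "ML-KEM-1024": {"key-establishment"},
    "ML-DSA-87": {"signature", "firmware-signature"},
    "LMS": {"firmware-signature"},   # hash-based: software/firmware signing only
    "XMSS": {"firmware-signature"},
    "AES-256": {"symmetric"},
    "SHA-384": {"hash"},
    "SHA-512": {"hash"},
}

# Constructed sample inventory; field names are assumptions, not a CBOM schema.
SAMPLE_INVENTORY = [
    {"asset": "bootloader-verify", "algorithm": "RSA-3072", "usage": "firmware-signature", "patchable": False},
    {"asset": "vpn-gateway", "algorithm": "ECDH-P384", "usage": "key-establishment", "patchable": True},
    {"asset": "update-signer", "algorithm": "LMS", "usage": "firmware-signature", "patchable": False},
    {"asset": "disk-encryption", "algorithm": "AES-256", "usage": "symmetric", "patchable": True},
    {"asset": "api-tls", "algorithm": "ML-KEM-768", "usage": "key-establishment", "patchable": True},
]

PRIORITY_ORDER = {"high": 0, "normal": 1, "none": 2}

def classify(entry):
    """Mark one inventory record as approved or needing migration."""
    approved = entry["usage"] in CNSA2_APPROVED.get(entry["algorithm"], set())
    if approved:
        priority = "none"
    elif entry["usage"] == "firmware-signature" and not entry["patchable"]:
        priority = "high"   # embedded signing that cannot be patched later at scale
    else:
        priority = "normal"
    return {**entry, "cnsa2_approved": approved, "migration_priority": priority}

def build_report(inventory):
    """Return a JSON-serialisable report, most urgent migrations first."""
    rows = sorted((classify(e) for e in inventory),
                  key=lambda r: (PRIORITY_ORDER[r["migration_priority"]], r["asset"]))
    approved = sum(r["cnsa2_approved"] for r in rows)
    return {"suite": "CNSA 2.0", "components": rows,
            "summary": {"approved": approved, "to_migrate": len(rows) - approved}}

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_INVENTORY), indent=2))
```

Note that `ML-KEM-768` is flagged even though it belongs to an approved family: the check is on the exact parameter set and role, which is the level of detail an inventory needs to record.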
Honest scope
CNSA 2.0 governs which algorithms protect national security systems; adopting the named standards is necessary but not the whole of security, which still spans key management, supply chain and operations. The algorithms are resistant to known classical and quantum attacks per NIST and NSA analysis — a rigorous bar, not a permanent mathematical guarantee. Preparation is fundamentally about inventory and agility: you cannot migrate what you have not mapped, and program offices will ask you to prove the map.