CNSA 2.0, explained: the quantum-safe suite and its deadlines
CNSA 2.0 is the NSA's quantum-safe algorithm suite — ML-KEM, ML-DSA, AES-256, SHA-384/512, and LMS/XMSS — that systems touching national security must adopt on a timeline running through roughly 2030–2033.
If NIST IR 8547 is the "what to stop using" document, CNSA 2.0 is the "what to use instead, and by when" document. If you sell to government or defense — or want to look credible to a regulated buyer — this is the bar.
What CNSA 2.0 requires
The Commercial National Security Algorithm Suite 2.0 specifies the approved quantum-resistant algorithms:
- Key establishment → ML-KEM (FIPS 203), at the ML-KEM-1024 level.
- Signatures → ML-DSA (FIPS 204), at the ML-DSA-87 level.
- Software / firmware signing → LMS or XMSS (stateful hash-based signatures).
- Symmetric encryption → AES-256.
- Hashing → SHA-384 or SHA-512.
Note what's not on the list: RSA, ECDSA, ECDH, and — for CNSA-scope work — even AES-128 and SHA-256. If you're "compliant" with general best practice but still on AES-128 or SHA-256, you're below the CNSA 2.0 floor.
The timeline
CNSA 2.0 phases adoption in by use case, with software/firmware signing earliest and broad adoption targeted across the rest of the decade — milestones generally fall in the 2030–2033 window for National Security Systems, with the expectation that exclusive use of quantum-safe algorithms arrives by the mid-2030s. (Verify the exact dates for your category against NSA's current published guidance.)
What it means for you
Even if you're not directly bound by CNSA 2.0, it's becoming the reference standard in security questionnaires and vendor due diligence. Being able to show where you stand against it — a gap analysis listing which algorithms meet CNSA 2.0 and which don't — is increasingly a sales requirement, not just a compliance one.
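One way to produce such a gap analysis, as an added example (not code from the original page or from NSA): it classifies algorithm identifiers against the list given above. The identifier formats, function names and sample inventory are assumptions constructed for illustration, and LMS/XMSS are accepted at any parameter set because the page states no level for them.

```python
import re

# Approved families and levels, copied from the list on this page.
# None = the page names the family without a level (assumption: any set passes).
APPROVED = {
    "ML-KEM": {"1024"},
    "ML-DSA": {"87"},
    "LMS": None,
    "XMSS": None,
    "AES": {"256"},
    "SHA": {"384", "512"},
}
OFF_LIST = {"RSA", "ECDSA", "ECDH"}  # named on the page as not on the list

_PATTERN = re.compile(r"(ML-KEM|ML-DSA|LMS|XMSS|AES|SHA|RSA|ECDSA|ECDH)-?(\d+)?(?:-[A-Z0-9-]+)?")

def classify(identifier):
    """Return (status, reason); status is 'meets', 'gap' or 'review'."""
    m = _PATTERN.fullmatch(identifier.strip().upper().replace("_", "-"))
    if m is None:
        return "review", "not recognised; check by hand"
    family, param = m.group(1), m.group(2)
    if family in OFF_LIST:
        return "gap", f"{family} is not on the CNSA 2.0 list"
    allowed = APPROVED[family]
    if allowed is None:
        return "meets", f"{family} is listed for software/firmware signing"
    levels = "/".join(sorted(allowed))
    if param is None:
        return "review", f"{family} level not stated; need {levels}"
    if param in allowed:
        return "meets", f"{family}-{param} is listed"
    return "gap", f"{family}-{param} is not a listed level (need {levels})"

def gap_report(inventory):
    """Group the identifiers in an inventory by classification status."""
    report = {"meets": [], "gap": [], "review": []}
    for item in inventory:
        report[classify(item)[0]].append(item)
    return report

# Constructed inventory, standing in for what a scan of configs might list.
SAMPLE = ["ML-KEM-1024", "ml_kem_768", "AES-128-GCM", "AES-256-GCM", "SHA-256",
          "SHA-384", "ECDSA-P384", "RSA-2048", "LMS-SHA256-M32-H10", "X25519"]

if __name__ == "__main__":
    for status, items in gap_report(SAMPLE).items():
        print(f"{status:6} {', '.join(items)}")
```

Anything the pattern does not recognise lands in "review" rather than being counted as passing, so unfamiliar names are never reported as compliant by default.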