NSA CNSA 2.0 Compliance

NSA-approved quantum-resistant algorithms - verify readiness in 5 minutes


Quick Start: Verify CNSA 2.0 Compliance

Estimated time: 5 minutes
What you'll verify: AnkaSecure uses NSA-approved quantum-resistant algorithms
Requirements: AnkaSecure API access

Step 1/2: Query CNSA 2.0 approved algorithms (2 minutes)

# List algorithms approved for NSA CNSA 2.0
curl "https://api.ankatech.co/algorithms?standard=CNSA_2_0" \
  -H "Authorization: Bearer $TOKEN"

Success: NSA-approved algorithms:

{
  "algorithms": [
    {"name": "ML-KEM-768", "purpose": "Key Establishment", "level": "L3"},
    {"name": "ML-KEM-1024", "purpose": "Key Establishment", "level": "L5"},
    {"name": "ML-DSA-65", "purpose": "Digital Signature", "level": "L3"},
    {"name": "ML-DSA-87", "purpose": "Digital Signature", "level": "L5"},
    {"name": "AES-256-GCM", "purpose": "Encryption", "level": "L5"},
    {"name": "SHA-384", "purpose": "Hashing", "level": "L3"},
    {"name": "SHA-512", "purpose": "Hashing", "level": "L5"}
  ],
  "totalCNSA2Algorithms": 7
}


Step 2/2: Encrypt with CNSA 2.0 algorithm (3 minutes)

# Encrypt with NSA-approved ML-KEM-1024
curl -X POST https://api.ankatech.co/encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "plaintext": "TOP SECRET//CNSA 2.0 COMPLIANT"
  }'

Success: Data encrypted with NSA CNSA 2.0 approved algorithm

{
  "ciphertext": "eyJhbGc...",
  "algorithm": "ML_KEM_1024",
  "cnsa2Compliant": true,
  "approvedFor": "CLASSIFIED_DATA",
  "deadline": "2030-01-01"
}

🎯 Verified: Ready for NSS (National Security Systems) by 2030 deadline


What is CNSA 2.0?

Commercial National Security Algorithm Suite

CNSA 2.0 is the NSA's suite of approved algorithms for protecting National Security Systems (NSS).

Published: September 2022
Issuer: National Security Agency (NSA)
Scope: Classified data (TOP SECRET, SECRET, CONFIDENTIAL)

Who must comply:

  • NSS systems: Defense, intelligence, nuclear command
  • DoD contractors: Handling classified information
  • Federal agencies: Processing sensitive national security data
  • ⚠️ Non-NSS systems: Not required but recommended (best practice)

Deadline: January 1, 2030 (quantum-resistant algorithms mandatory)


CNSA 2.0 vs CNSA 1.0

What Changed?

| Algorithm Type | CNSA 1.0 (Classical) | CNSA 2.0 (Quantum-Resistant) |
| --- | --- | --- |
| Key Establishment | ECDH P-384 | ML-KEM-768 or ML-KEM-1024 |
| Digital Signature | ECDSA P-384, RSA-3072 | ML-DSA-65 or ML-DSA-87 |
| Encryption | AES-256 | AES-256 (unchanged) |
| Hashing | SHA-384 | SHA-384 or SHA-512 |
| Message Auth | HMAC-SHA384 | HMAC-SHA384 (unchanged) |

Key change: Asymmetric algorithms (ECDH, ECDSA, RSA) → Post-quantum (ML-KEM, ML-DSA)

Symmetric algorithms: No change (AES-256 already quantum-resistant)


Timeline for Transition

Today - 2027: Transition period

  • ⚠️ Classical algorithms (RSA, ECDSA) still allowed
  • ✅ Hybrid algorithms (RSA + ML-KEM) encouraged
  • ✅ Pure PQC algorithms (ML-KEM alone) acceptable

2027 - 2030: Final migration

  • ⚠️ Classical algorithms deprecated (warnings issued)
  • ✅ Hybrid algorithms required as a minimum
  • ✅ Pure PQC algorithms preferred

2030+: Quantum-resistant only

  • ❌ Classical algorithms (RSA, ECDSA) not allowed for classified data
  • ✅ Only ML-KEM, ML-DSA, SLH-DSA approved

Recommendation: Transition NOW (avoid 2029 last-minute rush)


CNSA 2.0 Approved Algorithms

Key Establishment (Encryption)

| Algorithm | Security Level | Status | Use Case |
| --- | --- | --- | --- |
| ML-KEM-768 | CNSA Level 3 (192-bit) | ✅ Approved | Standard classified data |
| ML-KEM-1024 | CNSA Level 5 (256-bit) | ✅ Approved | TOP SECRET data |
| AES-256-GCM | 256-bit | ✅ Approved | Symmetric encryption |

AnkaSecure support: ✅ All CNSA 2.0 key establishment algorithms

Example: Encrypt TOP SECRET document:

# algorithm: CNSA 2.0 L5
curl -X POST https://api.ankatech.co/encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "plaintext": "TOP SECRET//SI//NOFORN",
    "classification": "TOP_SECRET"
  }'


Digital Signatures

| Algorithm | Security Level | Status | Use Case |
| --- | --- | --- | --- |
| ML-DSA-65 | CNSA Level 3 (192-bit) | ✅ Approved | SECRET documents |
| ML-DSA-87 | CNSA Level 5 (256-bit) | ✅ Approved | TOP SECRET documents |
| SLH-DSA-SHAKE-256f | CNSA Level 5 | ✅ Approved | Long-term signatures (firmware) |

AnkaSecure support: ✅ All CNSA 2.0 signature algorithms

Example: Sign classified order:

# algorithm: CNSA 2.0 L5
curl -X POST https://api.ankatech.co/sign \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_DSA_87",
    "document": "EXECUTE OPERATION NORTHERN LIGHT",
    "classification": "TOP_SECRET"
  }'


Hashing & MAC

| Algorithm | Security Level | Status | Use Case |
| --- | --- | --- | --- |
| SHA-384 | 192-bit | ✅ Approved | Standard hashing |
| SHA-512 | 256-bit | ✅ Approved | High-security hashing |
| HMAC-SHA384 | 192-bit | ✅ Approved | Message authentication |
| HMAC-SHA512 | 256-bit | ✅ Approved | Message authentication |

AnkaSecure support: ✅ All CNSA 2.0 hashing/MAC algorithms


CNSA 2.0 Compliance Levels

Level 3: SECRET Classification

Requirements:

  • ✅ ML-KEM-768 or ML-KEM-1024 (key establishment)
  • ✅ ML-DSA-65 or ML-DSA-87 (signatures)
  • ✅ AES-256-GCM (encryption)
  • ✅ SHA-384 or SHA-512 (hashing)

AnkaSecure configuration:

# Create CNSA 2.0 L3 key
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_768",
    "securityLevel": "CNSA_L3",
    "classification": "SECRET"
  }'

Use case: DoD SECRET documents, intelligence reports (SECRET level)


Level 5: TOP SECRET Classification

Requirements:

  • ✅ ML-KEM-1024 (key establishment) - REQUIRED
  • ✅ ML-DSA-87 (signatures) - REQUIRED
  • ✅ AES-256-GCM (encryption)
  • ✅ SHA-512 (hashing)
  • ⚠️ FIPS 140-3 Level 3 HSM (physical tamper-detection)

AnkaSecure configuration:

# Create CNSA 2.0 L5 key (TOP SECRET)
# hsmRequired: the key must use Luna/nShield
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "securityLevel": "CNSA_L5",
    "classification": "TOP_SECRET",
    "hsmRequired": true
  }'

Additional requirement: Luna HSM integration (FIPS 140-2 Level 3)

Use case: TOP SECRET documents, nuclear command data, SIGINT


DoD Procurement

DFARS 252.204-7012: Safeguarding Covered Defense Information

Requirement: DoD contractors must protect CUI and CDI

Cybersecurity requirements (from NIST SP 800-171):

  • ✅ FIPS-validated cryptography (FIPS 140-2 minimum)
  • ✅ Quantum-resistant algorithms (CNSA 2.0 by 2030)
  • ✅ Key management (secure generation, storage, destruction)

AnkaSecure compliance:

  • ✅ FIPS 140-2 Certificate #4616
  • ✅ CNSA 2.0 algorithms (ML-KEM, ML-DSA)
  • ✅ HSM key protection (Luna, nShield)

Contractor benefit: Check DFARS 252.204-7012 boxes in proposals


DD254 (DoD Contract Security Classification Specification)

DD Form 254: Specifies security requirements for classified contracts

Common requirement: "All classified data shall be encrypted using NSA-approved algorithms"

AnkaSecure response:

  • CNSA 2.0 approved: ML-KEM-1024, ML-DSA-87, AES-256
  • FIPS-validated: Bouncy Castle Certificate #4616
  • HSM-backed: Luna HSM for Level 3 protection

Evidence for DD254 compliance: [Attach AnkaSecure CNSA 2.0 brief]


Intelligence Community Compliance

ICD 503: Intelligence Community Cryptographic Requirements

ICD 503: Intelligence Community Directive 503

Requirements:

  • Type 1 cryptography for TOP SECRET (NSA Suite A)
  • Type 2 cryptography for SECRET (NSA Suite B → CNSA 2.0)
  • Commercial solutions must use NSA-approved algorithms

AnkaSecure fit:

  • Type 2 equivalent: CNSA 2.0 algorithms (ML-KEM, ML-DSA)
  • ⚠️ Type 1: Not currently (requires NSA certification, classified algorithms)

Use case: SECRET intelligence reports, compartmented information (SCI)

Limitation: TOP SECRET/SCI may require Type 1 (contact NSA for certification path)


CNSA 2.0 Transition Strategy

Phase 1: Inventory (2025-2026, complete by mid-2026)

  • Identify all NSS systems using classical crypto (RSA, ECDSA)
  • Assess data sensitivity (classification level)
  • Prioritize by data lifetime (longer retention = higher priority)

Phase 2: Pilot (2026-2027)

  • Deploy AnkaSecure in 10% of systems (low-risk)
  • Generate composite keys (RSA + ML-KEM hybrid)
  • Validate functionality and performance

Phase 3: Production Rollout (2027-2029)

  • Migrate 50% of systems per year
  • Use composite keys during transition (defense-in-depth)
  • Monitor error rates and performance

Phase 4: Pure PQC (2029-2030)

  • Rotate from hybrid to pure PQC (ML-KEM-1024, ML-DSA-87)
  • Decommission classical algorithms
  • Achieve 100% CNSA 2.0 compliance by Jan 1, 2030

Timeline: 4-5 years (aligns with NSA deadline)


Quick Transition (Greenfield Systems)

If building NEW systems today (no legacy constraints):

Use pure PQC from day 1:

# Generate ML-KEM-1024 key (CNSA 2.0 L5)
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "purpose": "CLASSIFIED_DATA_ENCRYPTION",
    "classification": "TOP_SECRET"
  }'

Benefits:

  • ✅ Immediate CNSA 2.0 compliance (4 years ahead of deadline)
  • ✅ No migration burden (start quantum-resistant)
  • ✅ Simpler architecture (no hybrid complexity)

Use case: New DoD systems, next-gen intelligence platforms, modernization projects


Compliance Verification

CNSA 2.0 Compliance Scorecard

Check your tenant's CNSA 2.0 readiness:

curl https://api.ankatech.co/compliance/cnsa-scorecard \
  -H "Authorization: Bearer $TOKEN"

Response (compliant counts are ML-KEM, ML-DSA and AES-256 keys; non-compliant counts are RSA keys, which are transitional, and ECDSA keys):

{
  "overallCompliance": "75%",
  "breakdown": {
    "keyEstablishment": {
      "compliant": 450,
      "nonCompliant": 150,
      "complianceRate": "75%"
    },
    "digitalSignatures": {
      "compliant": 200,
      "nonCompliant": 50,
      "complianceRate": "80%"
    },
    "encryption": {
      "compliant": 600,
      "nonCompliant": 0,
      "complianceRate": "100%"
    }
  },
  "deadline": "2030-01-01",
  "daysRemaining": 1454,
  "onTrack": true
}

Interpretation: 75% compliant (on track for 2030, but work needed)

Action items:

  • Migrate 150 RSA keys → ML-KEM (key establishment)
  • Migrate 50 ECDSA keys → ML-DSA (signatures)
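
An added example, not AnkaSecure code: it recomputes each category's rate from the raw counts in the sample scorecard above instead of trusting the reported percentages. In that sample, overallCompliance equals the weakest category's rate (75%), not the pooled share of all keys (86.2%); the page does not define the formula, and the 30-day migration pace is this example's own planning metric.

```python
import json
import math

# Sample scorecard from this page, embedded as valid JSON for the example.
SCORECARD = json.loads("""
{"overallCompliance": "75%",
 "breakdown": {
   "keyEstablishment":  {"compliant": 450, "nonCompliant": 150, "complianceRate": "75%"},
   "digitalSignatures": {"compliant": 200, "nonCompliant": 50,  "complianceRate": "80%"},
   "encryption":        {"compliant": 600, "nonCompliant": 0,   "complianceRate": "100%"}},
 "deadline": "2030-01-01", "daysRemaining": 1454, "onTrack": true}
""")

def rate(compliant, non_compliant):
    """Percentage of compliant keys; an empty category counts as 100%."""
    total = compliant + non_compliant
    return 100.0 * compliant / total if total else 100.0

def audit_scorecard(card, tolerance=0.5):
    """Recompute every rate from the raw counts and summarize the backlog."""
    categories, mismatches = {}, []
    for name, b in card["breakdown"].items():
        computed = rate(b["compliant"], b["nonCompliant"])
        reported = float(b["complianceRate"].rstrip("%"))
        if abs(computed - reported) > tolerance:
            mismatches.append(name)  # reported figure disagrees with the counts
        categories[name] = computed
    ok = sum(b["compliant"] for b in card["breakdown"].values())
    bad = sum(b["nonCompliant"] for b in card["breakdown"].values())
    weakest = min(categories, key=categories.get)
    return {
        "mismatches": mismatches,
        "weakest": weakest,
        "weakest_rate": categories[weakest],
        "pooled_rate": round(rate(ok, bad), 1),
        "backlog": bad,
        # Keys to migrate per 30 days to clear the backlog by the deadline.
        "per_30_days": math.ceil(bad * 30 / max(card["daysRemaining"], 1)),
    }

if __name__ == "__main__":
    for field, value in audit_scorecard(SCORECARD).items():
        print(f"{field}: {value}")
```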

Generate CNSA 2.0 Compliance Report

For federal auditors and ATO (Authority to Operate) reviews:

curl https://api.ankatech.co/compliance/cnsa-report \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "classification": "TOP_SECRET",
    "format": "PDF",
    "includeRemediation": true
  }'

Report includes:

  • ✅ Algorithm inventory (which are CNSA 2.0 compliant)
  • ✅ Compliance rate by classification level
  • ✅ Non-compliant keys flagged (with migration recommendations)
  • ✅ Timeline to 100% compliance
  • ✅ Evidence (algorithm usage logs, FIPS certificates)

Use case: Submit for ATO review, annual compliance audits, contract renewals


CNSA 2.0 Algorithm Selection Guide

For SECRET Classification

Minimum requirements:

  • Key Establishment: ML-KEM-768 (CNSA L3)
  • Digital Signature: ML-DSA-65 (CNSA L3)
  • Encryption: AES-256-GCM
  • Hashing: SHA-384

AnkaSecure recommendation:

# Generate composite key for SECRET (hybrid during transition)
# classicalAlgorithm: classical (transitional); pqcAlgorithm: CNSA 2.0
curl -X POST https://api.ankatech.co/keys/composite \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "classicalAlgorithm": "ECDSA_P384",
    "pqcAlgorithm": "ML_DSA_65",
    "mode": "COMPOSITE_SIGNATURE",
    "classification": "SECRET"
  }'

Benefits:

  • ✅ CNSA 2.0 compliant (ML-DSA-65)
  • ✅ Backward compatible (ECDSA-P384 for legacy systems)
  • ✅ Instant rollback if an ML-DSA issue is found

For TOP SECRET Classification

Minimum requirements:

  • Key Establishment: ML-KEM-1024 (CNSA L5) - REQUIRED
  • Digital Signature: ML-DSA-87 (CNSA L5) - REQUIRED
  • Encryption: AES-256-GCM
  • Hashing: SHA-512
  • HSM: FIPS 140-3 Level 3 (Luna, nShield)

AnkaSecure recommendation:

# Generate pure PQC key for TOP SECRET
# algorithm: CNSA 2.0 L5; hsmRequired: Luna HSM integration
# compartment: Sensitive Compartmented Information
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "classification": "TOP_SECRET",
    "hsmRequired": true,
    "compartment": "SI_TK"
  }'

Additional requirement: Luna HSM cluster (3+ nodes for HA)
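
An added example, not AnkaSecure code: a pre-flight check of a key inventory against the per-classification minimums this page lists under Compliance Levels and in the selection guide. It covers key-establishment and signature keys plus the hsmRequired flag only, and it normalizes names because the list endpoint returns "ML-KEM-1024" while request bodies use "ML_KEM_1024". The "id" and "use" fields and the inventory itself are hypothetical.

```python
import re

# Minimums per classification, copied from this page's selection guide.
PAGE_MINIMUMS = {
    "SECRET": {"kem": {"ML_KEM_768", "ML_KEM_1024"},
               "sig": {"ML_DSA_65", "ML_DSA_87"}, "hsm": False},
    "TOP_SECRET": {"kem": {"ML_KEM_1024"}, "sig": {"ML_DSA_87"}, "hsm": True},
}

def canon(name):
    """Map 'ML-KEM-1024' (list endpoint) and 'ml_kem_1024' to 'ML_KEM_1024'."""
    return re.sub(r"[^A-Z0-9]+", "_", name.upper()).strip("_")

def check_key(key):
    """Return findings for one inventory record; an empty list means it passes."""
    policy = PAGE_MINIMUMS.get(key.get("classification"))
    if policy is None:
        return ["unknown classification"]
    alg, use, findings = canon(key["algorithm"]), key["use"], []
    if alg not in policy[use]:
        # Listed for this use at some other level, or not listed at all?
        listed = any(alg in p[use] for p in PAGE_MINIMUMS.values())
        findings.append(
            f"{alg} is below the page's minimum for {key['classification']}"
            if listed else f"{alg} is not on the page's CNSA 2.0 list")
    if policy["hsm"] and not key.get("hsmRequired", False):
        findings.append("hsmRequired is not set")
    return findings

# Constructed inventory: "id" and "use" are hypothetical fields; the other
# field names follow the request bodies shown on this page.
INVENTORY = [
    {"id": "k1", "use": "kem", "algorithm": "ML-KEM-1024",
     "classification": "TOP_SECRET", "hsmRequired": True},
    {"id": "k2", "use": "kem", "algorithm": "ML_KEM_768",
     "classification": "TOP_SECRET", "hsmRequired": True},
    {"id": "k3", "use": "sig", "algorithm": "ECDSA_P384",
     "classification": "SECRET"},
    {"id": "k4", "use": "sig", "algorithm": "ml-dsa-87",
     "classification": "TOP_SECRET"},
]

def audit(inventory):
    """Map key id -> findings, keeping only keys that fail a check."""
    return {k["id"]: f for k in inventory if (f := check_key(k))}

if __name__ == "__main__":
    for key_id, findings in audit(INVENTORY).items():
        print(key_id, "; ".join(findings))
```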


DoD Use Cases

Classified Communications

Scenario: Secure message exchange between DoD installations

Requirements:

  • CNSA 2.0 key establishment (ML-KEM)
  • CNSA 2.0 signatures (ML-DSA)
  • Perfect forward secrecy (ephemeral keys)

AnkaSecure solution:

# Generate ephemeral ML-KEM key for each session
# ttl: auto-delete after session
curl -X POST https://api.ankatech.co/keys/ephemeral \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "ttl": "1_HOUR",
    "classification": "TOP_SECRET"
  }'

Security property: Even if a key is compromised later, past sessions remain secure (PFS)


Weapons Systems Data

Scenario: Protect design schematics for classified weapons (50+ year retention)

Requirements:

  • TOP SECRET classification
  • 50-year confidentiality
  • Quantum resistance (threat timeline: 2030-2035)

AnkaSecure solution: ML-KEM-1024 encryption (quantum-resistant for 50+ years)

Example:

curl -X POST https://api.ankatech.co/encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "plaintext": "F-35 avionics schematics...",
    "classification": "TOP_SECRET//RD",
    "retention": "50_YEARS"
  }'

Compliance: CNSA 2.0 + NIST SP 800-208 (long-term protection)


Intelligence Reports (SIGINT, HUMINT)

Scenario: Encrypt signals intelligence and human intelligence reports

Requirements:

  • Compartmented (SCI)
  • Need-to-know access control
  • Quantum resistance

AnkaSecure solution: Multi-tenant isolation + ML-DSA signatures

Example: Sign SIGINT report with compartment metadata

# compartment: NSA SIGINT compartment; releaseability: Five Eyes
curl -X POST https://api.ankatech.co/sign \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_DSA_87",
    "document": "SIGINT Report #12345",
    "classification": "TOP_SECRET//SI",
    "compartment": "GAMMA",
    "releaseability": "USA_FVEY"
  }'

Access control: Only users with SI clearance + GAMMA access can verify signature


Compliance Enforcement

Enable CNSA 2.0 Mode

Strict enforcement for NSS systems (reject non-CNSA algorithms):

curl -X PATCH https://api.ankatech.co/tenants/{tenantId}/settings \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "complianceMode": "CNSA_2_0_ENFORCED",
    "allowedAlgorithms": ["ML_KEM_768", "ML_KEM_1024", "ML_DSA_65", "ML_DSA_87", "AES_256_GCM"]
  }'

Effect: All non-CNSA algorithms rejected

Error example:

{
  "error": "ALGORITHM_NOT_ALLOWED",
  "message": "RSA-4096 is not CNSA 2.0 approved. Use ML-KEM-1024 instead.",
  "complianceMode": "CNSA_2_0_ENFORCED",
  "deadline": "2030-01-01"
}

Use case: NSS systems transitioning to CNSA 2.0 (enforce pure PQC usage)



Last updated: 2026-01-07 | CNSA 2.0: September 2022 | Deadline: January 1, 2030