
NSA CNSA 2.0 Compliance

NSA-approved quantum-resistant algorithms - verify readiness in 5 minutes



Quick Start: Verify CNSA 2.0 Compliance

Estimated time: 5 minutes
What you'll verify: AnkaSecure uses NSA-approved quantum-resistant algorithms
Requirements: AnkaSecure API access

Step 1/2: Query CNSA 2.0 approved algorithms (2 minutes)

# List algorithms approved for NSA CNSA 2.0
curl "https://api.ankatech.co/algorithms?standard=CNSA_2_0" \
  -H "Authorization: Bearer $TOKEN"

Success: NSA-approved algorithms:

{
  "algorithms": [
    {"name": "ML-KEM-768", "purpose": "Key Establishment", "level": "L3"},
    {"name": "ML-KEM-1024", "purpose": "Key Establishment", "level": "L5"},
    {"name": "ML-DSA-65", "purpose": "Digital Signature", "level": "L3"},
    {"name": "ML-DSA-87", "purpose": "Digital Signature", "level": "L5"},
    {"name": "AES-256-GCM", "purpose": "Encryption", "level": "L5"},
    {"name": "SHA-384", "purpose": "Hashing", "level": "L3"},
    {"name": "SHA-512", "purpose": "Hashing", "level": "L5"}
  ],
  "totalCNSA2Algorithms": 7
}


Step 2/2: Encrypt with CNSA 2.0 algorithm (3 minutes)

# Encrypt with NSA-approved ML-KEM-1024
curl -X POST https://api.ankatech.co/encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "plaintext": "TOP SECRET//CNSA 2.0 COMPLIANT"
  }'

Success: Data encrypted with NSA CNSA 2.0 approved algorithm

{
  "ciphertext": "eyJhbGc...",
  "algorithm": "ML_KEM_1024",
  "cnsa2Compliant": true,
  "approvedFor": "CLASSIFIED_DATA",
  "deadline": "2030-01-01"
}

🎯 Verified: Ready for NSS (National Security Systems) by 2030 deadline

What's next?
- Test signature algorithm: ML-DSA-87 signing
- Defense contractor use: DoD procurement readiness
- Transition planning: 2025-2030 migration roadmap


What is CNSA 2.0?

Commercial National Security Algorithm Suite

CNSA 2.0 = NSA's approved algorithms for protecting National Security Systems (NSS)

Published: September 2022
Issuer: National Security Agency (NSA)
Scope: Classified data (TOP SECRET, SECRET, CONFIDENTIAL)

Who must comply:
- ✅ NSS systems: Defense, intelligence, nuclear command
- ✅ DoD contractors: Handling classified information
- ✅ Federal agencies: Processing sensitive national security data
- ⚠️ Non-NSS systems: Not required but recommended (best practice)

Deadline: January 1, 2030 (quantum-resistant algorithms mandatory)


CNSA 2.0 vs CNSA 1.0

What Changed?

| Algorithm Type | CNSA 1.0 (Classical) | CNSA 2.0 (Quantum-Resistant) |
|---|---|---|
| Key Establishment | ECDH P-384 | ML-KEM-768 or ML-KEM-1024 |
| Digital Signature | ECDSA P-384, RSA-3072 | ML-DSA-65 or ML-DSA-87 |
| Encryption | AES-256 | AES-256 (unchanged) |
| Hashing | SHA-384 | SHA-384 or SHA-512 |
| Message Auth | HMAC-SHA384 | HMAC-SHA384 (unchanged) |

Key change: Asymmetric algorithms (ECDH, ECDSA, RSA) → Post-quantum (ML-KEM, ML-DSA)

Symmetric algorithms: No change (AES-256 already quantum-resistant)


Timeline for Transition

Today - 2027: Transition period
- ⚠️ Classical algorithms (RSA, ECDSA) still allowed
- ✅ Hybrid algorithms (RSA + ML-KEM) encouraged
- ✅ Pure PQC algorithms (ML-KEM alone) acceptable

2027 - 2030: Final migration
- ⚠️ Classical algorithms deprecated (warnings issued)
- ✅ Hybrid algorithms required minimum
- ✅ Pure PQC algorithms preferred

2030+: Quantum-resistant only
- ❌ Classical algorithms (RSA, ECDSA) not allowed for classified data
- ✅ Only ML-KEM, ML-DSA, SLH-DSA approved

Recommendation: Transition NOW (avoid 2029 last-minute rush)


CNSA 2.0 Approved Algorithms

Key Establishment (Encryption)

| Algorithm | Security Level | Status | Use Case |
|---|---|---|---|
| ML-KEM-768 | CNSA Level 3 (192-bit) | ✅ Approved | Standard classified data |
| ML-KEM-1024 | CNSA Level 5 (256-bit) | ✅ Approved | TOP SECRET data |
| AES-256-GCM | 256-bit | ✅ Approved | Symmetric encryption |

AnkaSecure support: ✅ All CNSA 2.0 key establishment algorithms

Example: Encrypt TOP SECRET document:

# ML_KEM_1024 is CNSA 2.0 L5
curl -X POST https://api.ankatech.co/encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "plaintext": "TOP SECRET//SI//NOFORN",
    "classification": "TOP_SECRET"
  }'


Digital Signatures

| Algorithm | Security Level | Status | Use Case |
|---|---|---|---|
| ML-DSA-65 | CNSA Level 3 (192-bit) | ✅ Approved | SECRET documents |
| ML-DSA-87 | CNSA Level 5 (256-bit) | ✅ Approved | TOP SECRET documents |
| SLH-DSA-SHAKE-256f | CNSA Level 5 | ✅ Approved | Long-term signatures (firmware) |

AnkaSecure support: ✅ All CNSA 2.0 signature algorithms

Example: Sign classified order:

# ML_DSA_87 is CNSA 2.0 L5
curl -X POST https://api.ankatech.co/sign \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_DSA_87",
    "document": "EXECUTE OPERATION NORTHERN LIGHT",
    "classification": "TOP_SECRET"
  }'


Hashing & MAC

| Algorithm | Security Level | Status | Use Case |
|---|---|---|---|
| SHA-384 | 192-bit | ✅ Approved | Standard hashing |
| SHA-512 | 256-bit | ✅ Approved | High-security hashing |
| HMAC-SHA384 | 192-bit | ✅ Approved | Message authentication |
| HMAC-SHA512 | 256-bit | ✅ Approved | Message authentication |

AnkaSecure support: ✅ All CNSA 2.0 hashing/MAC algorithms


CNSA 2.0 Compliance Levels

Level 3: SECRET Classification

Requirements:
- ✅ ML-KEM-768 or ML-KEM-1024 (key establishment)
- ✅ ML-DSA-65 or ML-DSA-87 (signatures)
- ✅ AES-256-GCM (encryption)
- ✅ SHA-384 or SHA-512 (hashing)

AnkaSecure configuration:

# Create CNSA 2.0 L3 key
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_768",
    "securityLevel": "CNSA_L3",
    "classification": "SECRET"
  }'

Use case: DoD SECRET documents, intelligence reports (SECRET level)


Level 5: TOP SECRET Classification

Requirements:
- ✅ ML-KEM-1024 (key establishment) - REQUIRED
- ✅ ML-DSA-87 (signatures) - REQUIRED
- ✅ AES-256-GCM (encryption)
- ✅ SHA-512 (hashing)
- ⚠️ FIPS 140-3 Level 3 HSM (physical tamper-detection)

AnkaSecure configuration:

# Create CNSA 2.0 L5 key (TOP SECRET)
# hsmRequired: must use Luna/nShield
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "securityLevel": "CNSA_L5",
    "classification": "TOP_SECRET",
    "hsmRequired": true
  }'

Additional requirement: Luna HSM integration (FIPS 140-2 Level 3)

Use case: TOP SECRET documents, nuclear command data, SIGINT
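The Level 3 and Level 5 requirement lists above can be applied as a pre-migration audit over a key inventory. This is an added example, not AnkaSecure code: the record fields mirror the page's key-creation request, the inventory is constructed, and the level table covers only the ML-KEM and ML-DSA entries named in those two lists.

```python
# Added example: audit key records against this page's Level 3 / Level 5 rules.

ALGORITHM_LEVEL = {  # levels as listed on this page
    "ML_KEM_768": 3, "ML_KEM_1024": 5,
    "ML_DSA_65": 3, "ML_DSA_87": 5,
}
REQUIRED_LEVEL = {"SECRET": 3, "TOP_SECRET": 5}


def normalize(name):
    """The page writes ML-KEM-768 in responses and ML_KEM_768 in requests."""
    return name.strip().upper().replace("-", "_")


def audit_key(key):
    """Return findings for one record; an empty list means compliant."""
    alg = normalize(key["algorithm"])
    # Drop caveats such as //SI or //RD before looking up the level.
    cls = normalize(key["classification"].split("//")[0])
    required = REQUIRED_LEVEL.get(cls)
    if required is None:
        return [f"unknown classification {key['classification']!r}"]
    findings = []
    level = ALGORITHM_LEVEL.get(alg)
    if level is None:
        findings.append(f"{alg} is not in the Level 3 / Level 5 lists")
    elif level < required:
        findings.append(f"{alg} is L{level}, {cls} requires L{required}")
    if cls == "TOP_SECRET" and not key.get("hsmRequired", False):
        findings.append("TOP_SECRET key is not HSM-backed")
    return findings


def audit(inventory):
    """Map key id to findings, keeping only non-compliant keys."""
    report = {k["id"]: audit_key(k) for k in inventory}
    return {kid: found for kid, found in report.items() if found}


INVENTORY = [  # constructed sample records, not real keys
    {"id": "k1", "algorithm": "ML-KEM-1024", "classification": "TOP_SECRET//SI", "hsmRequired": True},
    {"id": "k2", "algorithm": "ML_KEM_768", "classification": "TOP_SECRET", "hsmRequired": True},
    {"id": "k3", "algorithm": "RSA-4096", "classification": "SECRET"},
    {"id": "k4", "algorithm": "ml_dsa_87", "classification": "top-secret"},
    {"id": "k5", "algorithm": "ML_DSA_65", "classification": "SECRET"},
]

for kid, found in audit(INVENTORY).items():
    print(kid, "->", "; ".join(found))
```

The three flagged records show the distinct failure modes: a Level 3 algorithm on TOP SECRET data, a classical algorithm, and a TOP SECRET key without HSM backing.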


DoD Procurement

DFARS 252.204-7012: Safeguarding Covered Defense Information

Requirement: DoD contractors must protect CUI and CDI

Cybersecurity requirements (from NIST SP 800-171):
- ✅ FIPS-validated cryptography (FIPS 140-2 minimum)
- ✅ Quantum-resistant algorithms (CNSA 2.0 by 2030)
- ✅ Key management (secure generation, storage, destruction)

AnkaSecure compliance:
- ✅ FIPS 140-2 Certificate #4616
- ✅ CNSA 2.0 algorithms (ML-KEM, ML-DSA)
- ✅ HSM key protection (Luna, nShield)

Contractor benefit: Check DFARS 252.204-7012 boxes in proposals


DD254 (DoD Contract Security Classification Specification)

DD Form 254: Specifies security requirements for classified contracts

Common requirement: "All classified data shall be encrypted using NSA-approved algorithms"

AnkaSecure response:
- ✅ CNSA 2.0 approved: ML-KEM-1024, ML-DSA-87, AES-256
- ✅ FIPS-validated: Bouncy Castle Certificate #4616
- ✅ HSM-backed: Luna HSM for Level 3 protection

Evidence for DD254 compliance: [Attach AnkaSecure CNSA 2.0 brief]


Intelligence Community Compliance

ICD 503: Intelligence Community Cryptographic Requirements

ICD 503: Intelligence Community Directive 503

Requirements:
- Type 1 cryptography for TOP SECRET (NSA Suite A)
- Type 2 cryptography for SECRET (NSA Suite B → CNSA 2.0)
- Commercial solutions must use NSA-approved algorithms

AnkaSecure fit:
- ✅ Type 2 equivalent: CNSA 2.0 algorithms (ML-KEM, ML-DSA)
- ⚠️ Type 1: Not currently (requires NSA certification, classified algorithms)

Use case: SECRET intelligence reports, compartmented information (SCI)

Limitation: TOP SECRET/SCI may require Type 1 (contact NSA for certification path)


CNSA 2.0 Transition Strategy

Phase 1: Inventory (2025-2026, complete by mid-2026)
- Identify all NSS systems using classical crypto (RSA, ECDSA)
- Assess data sensitivity (classification level)
- Prioritize by data lifetime (longer retention = higher priority)

Phase 2: Pilot (2026-2027)
- Deploy AnkaSecure in 10% of systems (low-risk)
- Generate composite keys (RSA + ML-KEM hybrid)
- Validate functionality and performance

Phase 3: Production Rollout (2027-2029)
- Migrate 50% of systems per year
- Use composite keys during transition (defense-in-depth)
- Monitor error rates and performance

Phase 4: Pure PQC (2029-2030)
- Rotate from hybrid to pure PQC (ML-KEM-1024, ML-DSA-87)
- Decommission classical algorithms
- Achieve 100% CNSA 2.0 compliance by Jan 1, 2030

Timeline: 4-5 years (aligns with NSA deadline)


Quick Transition (Greenfield Systems)

If building NEW systems today (no legacy constraints):

Use pure PQC from day 1:

# Generate ML-KEM-1024 key (CNSA 2.0 L5)
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "purpose": "CLASSIFIED_DATA_ENCRYPTION",
    "classification": "TOP_SECRET"
  }'

Benefits:
- ✅ Immediate CNSA 2.0 compliance (4 years ahead of deadline)
- ✅ No migration burden (start quantum-resistant)
- ✅ Simpler architecture (no hybrid complexity)

Use case: New DoD systems, next-gen intelligence platforms, modernization projects


Compliance Verification

CNSA 2.0 Compliance Scorecard

Check your tenant's CNSA 2.0 readiness:

curl https://api.ankatech.co/compliance/cnsa-scorecard \
  -H "Authorization: Bearer $TOKEN"

Response:

{
  "overallCompliance": "75%",
  "breakdown": {
    "keyEstablishment": {
      "compliant": 450,  # ML-KEM keys
      "nonCompliant": 150,  # RSA keys (transitional)
      "complianceRate": "75%"
    },
    "digitalSignatures": {
      "compliant": 200,  # ML-DSA keys
      "nonCompliant": 50,  # ECDSA keys
      "complianceRate": "80%"
    },
    "encryption": {
      "compliant": 600,  # AES-256
      "nonCompliant": 0,
      "complianceRate": "100%"
    }
  },
  "deadline": "2030-01-01",
  "daysRemaining": 1454,
  "onTrack": true
}

Interpretation: 75% compliant (on track for 2030, but work needed)

Action items:
- Migrate 150 RSA keys → ML-KEM (key establishment)
- Migrate 50 ECDSA keys → ML-DSA (signatures)
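Before acting on a scorecard it is worth recomputing its figures from the raw counts rather than relying on the reported rates and the onTrack flag. The following is an added example, not AnkaSecure code: the body is the sample response above with its inline annotations removed so that it parses as JSON, and the function and result field names are hypothetical.

```python
import json

# Sample scorecard from this page, annotations stripped so it is valid JSON.
SCORECARD = json.loads("""
{
  "overallCompliance": "75%",
  "breakdown": {
    "keyEstablishment": {"compliant": 450, "nonCompliant": 150, "complianceRate": "75%"},
    "digitalSignatures": {"compliant": 200, "nonCompliant": 50, "complianceRate": "80%"},
    "encryption": {"compliant": 600, "nonCompliant": 0, "complianceRate": "100%"}
  },
  "deadline": "2030-01-01",
  "daysRemaining": 1454,
  "onTrack": true
}
""")


def pct(text):
    """Convert a string such as '75%' to 75.0."""
    return float(text.rstrip("%"))


def review(card):
    """Recompute rates from raw counts instead of trusting reported fields."""
    issues, rates = [], {}
    backlog = total_ok = total = 0
    for name, c in card["breakdown"].items():
        n = c["compliant"] + c["nonCompliant"]
        rate = 100.0 * c["compliant"] / n if n else 100.0
        rates[name] = rate
        if abs(rate - pct(c["complianceRate"])) > 0.5:
            issues.append(f"{name}: reported {c['complianceRate']}, counts give {rate:.1f}%")
        backlog += c["nonCompliant"]
        total_ok += c["compliant"]
        total += n
    days = card["daysRemaining"]
    return {
        "issues": issues,            # reported rates that contradict the counts
        "backlog": backlog,          # keys still to migrate
        "weighted_rate": round(100.0 * total_ok / total, 1) if total else 100.0,
        "worst_category": min(rates, key=rates.get),
        "worst_rate": round(min(rates.values()), 1),
        # Keys to migrate per 30 days to clear the backlog by the deadline.
        "keys_per_30_days": round(backlog * 30 / days, 2) if days > 0 else None,
    }
```

For the sample values, the reported overall figure of 75% equals the lowest category rate (key establishment), while the key-weighted rate across all categories is 86.2%; the backlog of 200 keys works out to about 4.13 migrations per 30 days.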


Generate CNSA 2.0 Compliance Report

For federal auditors and ATO (Authority to Operate) reviews:

curl https://api.ankatech.co/compliance/cnsa-report \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "classification": "TOP_SECRET",
    "format": "PDF",
    "includeRemediation": true
  }'

Report includes:
- ✅ Algorithm inventory (which are CNSA 2.0 compliant)
- ✅ Compliance rate by classification level
- ✅ Non-compliant keys flagged (with migration recommendations)
- ✅ Timeline to 100% compliance
- ✅ Evidence (algorithm usage logs, FIPS certificates)

Use case: Submit for ATO review, annual compliance audits, contract renewals


CNSA 2.0 Algorithm Selection Guide

For SECRET Classification

Minimum requirements:
- Key Establishment: ML-KEM-768 (CNSA L3)
- Digital Signature: ML-DSA-65 (CNSA L3)
- Encryption: AES-256-GCM
- Hashing: SHA-384

AnkaSecure recommendation:

# Generate composite key for SECRET (hybrid during transition)
# classicalAlgorithm: classical (transitional); pqcAlgorithm: CNSA 2.0
curl -X POST https://api.ankatech.co/keys/composite \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "classicalAlgorithm": "ECDSA_P384",
    "pqcAlgorithm": "ML_DSA_65",
    "mode": "DUALSIGN",
    "classification": "SECRET"
  }'

Benefits:
- ✅ CNSA 2.0 compliant (ML-DSA-65)
- ✅ Backward compatible (ECDSA-P384 for legacy systems)
- ✅ Instant rollback if ML-DSA issue found


For TOP SECRET Classification

Minimum requirements:
- Key Establishment: ML-KEM-1024 (CNSA L5) - REQUIRED
- Digital Signature: ML-DSA-87 (CNSA L5) - REQUIRED
- Encryption: AES-256-GCM
- Hashing: SHA-512
- HSM: FIPS 140-3 Level 3 (Luna, nShield)

AnkaSecure recommendation:

# Generate pure PQC key for TOP SECRET
# algorithm: CNSA 2.0 L5; hsmRequired: Luna HSM integration;
# compartment: Sensitive Compartmented Information
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "classification": "TOP_SECRET",
    "hsmRequired": true,
    "compartment": "SI_TK"
  }'

Additional requirement: Luna HSM cluster (3+ nodes for HA)


DoD Use Cases

Classified Communications

Scenario: Secure message exchange between DoD installations

Requirements:
- CNSA 2.0 key establishment (ML-KEM)
- CNSA 2.0 signatures (ML-DSA)
- Perfect forward secrecy (ephemeral keys)

AnkaSecure solution:

# Generate ephemeral ML-KEM key for each session
# ttl: key is auto-deleted after the session
curl -X POST https://api.ankatech.co/keys/ephemeral \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "ttl": "1_HOUR",
    "classification": "TOP_SECRET"
  }'

Security property: Even if a key is compromised later, past sessions remain secure (PFS)


Weapons Systems Data

Scenario: Protect design schematics for classified weapons (50+ year retention)

Requirements:
- TOP SECRET classification
- 50-year confidentiality
- Quantum resistance (threat timeline: 2030-2035)

AnkaSecure solution: ML-KEM-1024 encryption (quantum-resistant for 50+ years)

Example:

curl -X POST https://api.ankatech.co/encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "plaintext": "F-35 avionics schematics...",
    "classification": "TOP_SECRET//RD",
    "retention": "50_YEARS"
  }'

Compliance: CNSA 2.0 + NIST SP 800-208 (long-term protection)


Intelligence Reports (SIGINT, HUMINT)

Scenario: Encrypt signals intelligence and human intelligence reports

Requirements:
- Compartmented (SCI)
- Need-to-know access control
- Quantum resistance

AnkaSecure solution: Multi-tenant isolation + ML-DSA signatures

Example: Sign SIGINT report with compartment metadata

# compartment: NSA SIGINT compartment; releaseability: Five Eyes
curl -X POST https://api.ankatech.co/sign \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_DSA_87",
    "document": "SIGINT Report #12345",
    "classification": "TOP_SECRET//SI",
    "compartment": "GAMMA",
    "releaseability": "USA_FVEY"
  }'

Access control: Only users with SI clearance + GAMMA access can verify signature


Compliance Enforcement

Enable CNSA 2.0 Mode

Strict enforcement for NSS systems (reject non-CNSA algorithms):

curl -X PATCH https://api.ankatech.co/tenants/{tenantId}/settings \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "complianceMode": "CNSA_2_0_ENFORCED",
    "allowedAlgorithms": ["ML_KEM_768", "ML_KEM_1024", "ML_DSA_65", "ML_DSA_87", "AES_256_GCM"]
  }'

Effect: All non-CNSA algorithms rejected

Error example:

{
  "error": "ALGORITHM_NOT_ALLOWED",
  "message": "RSA-4096 is not CNSA 2.0 approved. Use ML-KEM-1024 instead.",
  "complianceMode": "CNSA_2_0_ENFORCED",
  "deadline": "2030-01-01"
}

Use case: NSS systems transitioning to CNSA 2.0 (enforce pure PQC usage)


What's Next?

Ready for CNSA 2.0 compliance?
- 🚀 Test CNSA 2.0 algorithms (5-minute verification)
- 📥 Download CNSA 2.0 brief (PDF, 6 pages for procurement)
- 📊 Compliance scorecard (assess your current state)
- 📧 Request DoD consultation (specialized support for defense contractors)

Related standards:
- NIST PQC compliance - FIPS 203/204/205 algorithms
- FIPS 140-3 validation - Cryptographic module certification
- GSA PQC mandate - Federal procurement requirements

Defense use cases:
- Classified communications - Ephemeral keys, PFS
- Weapons systems - 50-year retention
- Intelligence reports - SCI compartments

Have questions? Email [email protected] or schedule consultation


Last updated: 2026-01-07 | CNSA 2.0: September 2022 | Deadline: January 1, 2030