
Government: FedRAMP & CNSA 2.0 Compliance

Learn how AnkaSecure enables federal government compliance with FedRAMP and NSA CNSA 2.0 using NIST-approved post-quantum cryptography.


Federal Compliance Requirements

FedRAMP (Federal Risk and Authorization Management Program)

Overview: Cloud service security framework for U.S. federal agencies

NIST SP 800-53 Controls:

  • SC-8: Transmission Confidentiality (TLS 1.2+)
  • SC-13: Cryptographic Protection (NIST-approved algorithms)
  • SC-28: Protection of Information at Rest (encryption)
  • AU-2: Audit Events (comprehensive logging)
  • IA-2: Identification and Authentication (multi-factor)

See FedRAMP mapping →


NSA CNSA 2.0 (Commercial National Security Algorithm Suite)

Overview: NSA guidance for quantum-resistant cryptography in National Security Systems

Transition Deadlines:

  • 2030: New systems must use PQC
  • 2035: All software transitioned to PQC

Approved Algorithms:

Encryption:

  • ✅ ML-KEM-768: Key encapsulation (minimum)
  • ✅ ML-KEM-1024: Preferred for classified data

Signatures:

  • ✅ ML-DSA-65: Digital signatures (minimum)
  • ✅ ML-DSA-87: Preferred for high security
  • ✅ SLH-DSA-192: Stateless signatures

Symmetric:

  • ✅ AES-256: Symmetric encryption
  • ✅ HMAC-SHA384: Message authentication

Transitional (until 2030):

  • ⚠️ ECDSA P-384: Allowed but deprecated post-2030
  • ⚠️ ECDH P-384: Allowed but deprecated post-2030


AnkaSecure for Government

NIST-Approved Cryptography

AnkaSecure implements all NSA CNSA 2.0 approved algorithms:

  • ✅ ML-KEM-768/1024 (NIST FIPS 203)
  • ✅ ML-DSA-65/87 (NIST FIPS 204)
  • ✅ SLH-DSA (NIST FIPS 205)
  • ✅ AES-256-GCM (NIST FIPS 197)
  • ✅ HMAC-SHA384 (NIST FIPS 198-1)

Policy Template: US_NSA_CNSA (enforces CNSA 2.0 algorithms only)
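The internals of the US_NSA_CNSA policy template are not shown on this page. As an added illustration (not AnkaSecure code), the Python below models the decision such a policy has to make for every key-generation or cryptographic request, using the approved and transitional lists above: approved algorithms pass, the P-384 transitional algorithms pass only before the 2030 cut-off and only when a migration profile explicitly permits them, and everything else is rejected. The algorithm spellings, the 1 January 2030 cut-off and the `allow_transitional` flag are assumptions made for the example.

```python
"""Stand-alone model of a CNSA 2.0 algorithm allow-list check (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Algorithms CNSA 2.0 lists as approved, as enumerated on this page.
APPROVED: FrozenSet[str] = frozenset({
    "ML-KEM-768", "ML-KEM-1024",   # key encapsulation
    "ML-DSA-65", "ML-DSA-87",      # digital signatures
    "SLH-DSA-192",                 # stateless hash-based signatures
    "AES-256", "AES-256-GCM",      # symmetric encryption
    "HMAC-SHA384", "SHA-384",      # message authentication / hashing
})

# Classical algorithms still allowed during the transition, deprecated after 2030.
TRANSITIONAL: FrozenSet[str] = frozenset({"ECDSA-P384", "ECDH-P384"})

# Assumption: "deprecated post-2030" is modelled as a hard cut-off on 1 January 2030.
TRANSITION_END = date(2030, 1, 1)


class PolicyViolation(Exception):
    """Raised when a request names an algorithm the policy does not permit."""


@dataclass(frozen=True)
class Decision:
    algorithm: str
    status: str   # "approved", "transitional" or "rejected"
    reason: str

    @property
    def allowed(self) -> bool:
        return self.status != "rejected"


def normalise(name: str) -> str:
    """Canonicalise spellings such as 'ECDSA P-384' or 'ml-kem-1024' to the table's form."""
    return name.strip().upper().replace(" ", "-").replace("P-384", "P384")


def evaluate(algorithm: str, on: Optional[date] = None) -> Decision:
    """Classify an algorithm name under CNSA 2.0 as of the given date (default: today)."""
    on = on or date.today()
    name = normalise(algorithm)
    if name in APPROVED:
        return Decision(name, "approved", "CNSA 2.0 approved algorithm")
    if name in TRANSITIONAL:
        if on < TRANSITION_END:
            return Decision(name, "transitional",
                            f"classical algorithm permitted until {TRANSITION_END.isoformat()}")
        return Decision(name, "rejected", "transitional algorithm deprecated after 2030")
    return Decision(name, "rejected", "not in the CNSA 2.0 suite")


def enforce(algorithm: str, on: Optional[date] = None,
            allow_transitional: bool = False) -> Decision:
    """Gate a key-generation or crypto request. The strict default (allow_transitional=False)
    mirrors a 'CNSA 2.0 algorithms only' policy; a migration profile may relax it until 2030."""
    decision = evaluate(algorithm, on)
    if decision.status == "rejected" or (
            decision.status == "transitional" and not allow_transitional):
        raise PolicyViolation(f"{decision.algorithm}: {decision.reason}")
    return decision


if __name__ == "__main__":
    for alg in ("ML-KEM-1024", "ECDSA P-384", "RSA-2048"):
        d = evaluate(alg, date(2026, 1, 1))
        print(f"{d.algorithm:<12} {d.status:<13} {d.reason}")
```

The useful property of evaluating against an explicit date is that the same policy code can be run against a future date to find which keys and connections will fall out of compliance at the 2030 boundary, rather than discovering it when requests start failing.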


FIPS 140-2/140-3 Support

Cryptographic Modules:

  • ✅ Bouncy Castle FIPS module (Java)
  • ✅ HSM integration (Thales Luna, AWS CloudHSM - FIPS 140-2 Level 3)

Note: Full FIPS 140-2 operational compliance requires FIPS-certified HSM deployment (available with AnkaTech professional services).


Use Case: Classified Document Management

Scenario

Government Agency: Department of Defense (DoD)

Requirements:

  • FedRAMP High authorization
  • NSA CNSA 2.0 compliance
  • Classified data encryption (SECRET, TOP SECRET)
  • Long-term retention (50+ years)


Implementation

Step 1: Generate Classified Data Key

// Use ML-KEM-1024 for maximum security (CNSA 2.0 approved)
KeyGenerationRequest keyRequest = KeyGenerationRequest.builder()
    .algorithm("ML-KEM-1024")  // NSA CNSA 2.0
    .keyId("classified-doc-key-2025")
    .policy("US_NSA_CNSA")  // Enforce CNSA 2.0 algorithms
    .build();

KeyResponse key = ankaSecureClient.generateKey(keyRequest);

Why ML-KEM-1024?

  • NSA CNSA 2.0 approved
  • NIST Level V security (AES-256 equivalent)
  • Quantum-resistant (protects 50+ year retention)


Step 2: Encrypt Classified Document

public String encryptClassifiedDocument(ClassifiedDocument doc) throws JsonProcessingException {
    // Add classification markings (SECRET, TOP SECRET) alongside the content
    Map<String, Object> metadata = Map.of(
        "classification", doc.getClassification(),
        "documentId", doc.getId(),
        "createdBy", currentUser.getClearanceId()
    );

    // Serialize document + metadata (objectMapper: a Jackson ObjectMapper)
    String json = objectMapper.writeValueAsString(Map.of(
        "content", doc.getContent(),
        "metadata", metadata
    ));

    // Base64 encode; fix the charset so the bytes do not depend on the platform default
    String base64Data = Base64.getEncoder()
        .encodeToString(json.getBytes(StandardCharsets.UTF_8));

    // Encrypt with ML-KEM-1024 (the key generated in Step 1)
    EncryptRequest request = EncryptRequest.builder()
        .keyId("classified-doc-key-2025")
        .plaintext(base64Data)
        .build();

    EncryptResponse response = ankaSecureClient.encrypt(request);

    // Store encrypted document
    return response.getCiphertext();  // JWE Compact format
}

Step 3: Digital Signature (Non-Repudiation)

// Sign classified document (prove WHO signed).
// base64Document is the Base64 payload built in Step 2, so the signature
// covers exactly the bytes that were encrypted.
SignRequest signRequest = SignRequest.builder()
    .keyId("signature-key-mldsa-87")  // ML-DSA-87 for high security
    .payload(base64Document)
    .build();

SignResponse signature = ankaSecureClient.sign(signRequest);

// Store signature with document
classifiedDoc.setSignature(signature.getJws());
classifiedDoc.setSignedBy(currentUser.getClearanceId());

Architecture

┌─────────────────────────────────────────────────────────────┐
│         Classified Document Management System (DoD)          │
│  (Secure workstations, air-gapped networks)                 │
└────────────┬────────────────────────────────────────────────┘
             │ AnkaSecure SDK (ML-KEM-1024, ML-DSA-87)
┌─────────────────────────────────────────────────────────────┐
│            AnkaSecure Platform (On-Premise)                  │
│  • ML-KEM-1024 encryption (CNSA 2.0)                         │
│  • ML-DSA-87 signatures (CNSA 2.0)                           │
│  • HSM-backed keys (FIPS 140-2 Level 3)                      │
│  • Audit logging (NIST SP 800-92)                            │
└────────────┬────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│     Classified Data Storage (air-gapped database)            │
│  • Encrypted documents (ML-KEM-1024 ciphertext)              │
│  • Digital signatures (ML-DSA-87)                            │
│  • Classification markings (SECRET, TOP SECRET)              │
└─────────────────────────────────────────────────────────────┘

Note: Government on-premise deployments are managed by AnkaTech professional services.


NSA CNSA 2.0 Compliance Checklist

Quantum-Resistant Algorithms

  • [x] ML-KEM-768/1024: Key encapsulation (encryption)
  • [x] ML-DSA-65/87: Digital signatures
  • [x] SLH-DSA: Stateless signatures (firmware, long-term)
  • [x] AES-256: Symmetric encryption
  • [x] SHA-384: Hashing

Transitional Algorithms (Until 2030)

  • [x] ECDSA P-384: Allowed until 2030 (deprecated after)
  • [x] ECDH P-384: Allowed until 2030 (deprecated after)

Migration Timeline

  • [ ] 2025-2027: Begin transition to PQC for new systems
  • [ ] 2027-2030: Scale PQC deployment to 50%+ systems
  • [ ] 2030: All new systems use PQC (CNSA 2.0 deadline)
  • [ ] 2030-2035: Complete transition (all software migrated)

FedRAMP Compliance

Security Controls Mapping

| NIST SP 800-53 Control | AnkaSecure Implementation | Status |
|---|---|---|
| SC-8 - Transmission Confidentiality | TLS 1.3, HSTS | ✅ Implemented |
| SC-13 - Cryptographic Protection | NIST-approved algorithms (ML-KEM, ML-DSA, AES) | ✅ Implemented |
| SC-28 - Protection at Rest | AES-256-GCM, ML-KEM encryption | ✅ Implemented |
| AU-2 - Audit Events | Comprehensive audit logging | ✅ Implemented |
| AU-9 - Protection of Audit Information | Tamper-proof logs | ✅ Implemented |
| IA-2 - Identification & Authentication | JWT, API keys, mTLS | ✅ Implemented |
| IA-5 - Authenticator Management | Secure key storage, HSM | ✅ Implemented |

Customer Responsibility: Implement full NIST SP 800-53 baseline (LOW, MODERATE, or HIGH impact).
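The page maps AU-2 and AU-9 to "comprehensive audit logging" and "tamper-proof logs" without showing how the logs are protected. The following is an added, stand-alone Python model (not AnkaSecure's implementation) of one standard way to make an audit trail tamper-evident with HMAC-SHA384, the MAC CNSA 2.0 lists: every entry carries a MAC over its own content and the previous entry's MAC, so editing, deleting or reordering an earlier record invalidates every tag after it. The key, the event field names and the three sample events (the key-generation, encrypt and sign operations from the use case above) are constructed for the example.

```python
"""Tamper-evident audit log using an HMAC-SHA384 chain (constructed example)."""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

# "Previous tag" for the first entry: 48 zero bytes, the length of a SHA-384 digest.
GENESIS_TAG = "00" * 48


def canonical(seq: int, prev_tag: str, event: Dict[str, Any]) -> bytes:
    """Deterministic encoding of what a tag covers: position, predecessor tag and event."""
    record = {"seq": seq, "prev": prev_tag, "event": event}
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_tag(key: bytes, seq: int, prev_tag: str, event: Dict[str, Any]) -> str:
    """HMAC-SHA384 over the canonical record; the key lives with the log service (or an HSM)."""
    return hmac.new(key, canonical(seq, prev_tag, event), hashlib.sha384).hexdigest()


class AuditLog:
    """Append-only log: each entry's tag binds its content to the previous entry's tag."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict[str, Any]] = []

    def append(self, event: Dict[str, Any]) -> Dict[str, Any]:
        seq = len(self.entries)
        prev_tag = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        entry = {"seq": seq, "prev": prev_tag, "event": event,
                 "tag": entry_tag(self._key, seq, prev_tag, event)}
        self.entries.append(entry)
        return entry


def verify_chain(key: bytes, entries: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Walk the chain from the start.

    Returns (True, -1) if every entry is in sequence, links to its predecessor and
    carries a valid tag; otherwise (False, index of the first entry that fails)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev") != prev_tag:
            return False, i
        expected = entry_tag(key, i, prev_tag, entry["event"])
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, i
        prev_tag = entry["tag"]
    return True, -1


def demo_log(key: bytes) -> AuditLog:
    """Constructed sample: the three SDK operations from the classified-document use case."""
    log = AuditLog(key)
    log.append({"op": "generateKey", "keyId": "classified-doc-key-2025",
                "algorithm": "ML-KEM-1024", "actor": "clearance-0001"})
    log.append({"op": "encrypt", "keyId": "classified-doc-key-2025",
                "documentId": "doc-42", "actor": "clearance-0001"})
    log.append({"op": "sign", "keyId": "signature-key-mldsa-87",
                "documentId": "doc-42", "actor": "clearance-0001"})
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key-use-an-hsm-in-production"
    log = demo_log(key)
    print("intact:     ", verify_chain(key, log.entries))
    # Simulate an after-the-fact edit of the second record.
    edited = [dict(e) for e in log.entries]
    edited[1] = dict(edited[1], event=dict(edited[1]["event"], documentId="doc-99"))
    print("after edit: ", verify_chain(key, edited))
```

One caveat worth knowing when assessing AU-9 controls: a chained MAC detects edits, deletions and reordering inside the log, but not removal of the newest entries, because a truncated chain is still internally consistent. Closing that gap means anchoring the latest tag outside the log at intervals, for instance by writing it to write-once storage or signing it (ML-DSA in a CNSA 2.0 deployment), and comparing against that anchor during verification.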


Compliance Documentation

Request from AnkaTech:

  • ✅ FedRAMP Compliance Matrix (NIST SP 800-53 controls)
  • ✅ NSA CNSA 2.0 Algorithm Attestation
  • ✅ FIPS 140-2 Validation (HSM-based deployments)
  • ✅ System Security Plan (SSP) template

Contact: fedramp@ankatech.co



Documentation Version: 3.0.0
Last Updated: 2025-12-26