United States National Security Agency releases Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) Cybersecurity Advisory

September 11, 2022 |

The United States National Security Agency (“NSA”) has released its Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) Cybersecurity Advisory . It notifies National Security Systems operators of the requirement to have   quantum-resistant  algorithms, being networks which contain classified information or are otherwise critical to military or intelligence activities. A cryptanalytically relevant quantum computer would have the potential to break public-key systems so that it is necessary to plan, prepare, and budget for a transition to QR algorithms if cryptanalytically relevant quantum computers become a reality.

The media release provides:

The National Security Agency (NSA) released the “Commercial National Security Algorithm Suite 2.0” (CNSA 2.0) Cybersecurity Advisory (CSA) today to notify National Security Systems (NSS) owners, operators and vendors of the future quantum-resistant (QR) algorithms requirements for NSS — networks that contain classified information or are otherwise critical to military and intelligence activities.
A cryptanalytically-relevant quantum computer (CRQC) would have the potential to break public-key systems (sometimes referred to as asymmetric cryptography) that are used today. Given foreign pursuits in quantum computing, now is the time to plan, prepare and budget for a transition to QR algorithms to assure sustained protection of NSS and related assets in the event a CRQC becomes an achievable reality.
“This transition to quantum-resistant technology in our most critical systems will require collaboration between government, National Security System owners and operators, and industry,” said Rob Joyce, Director of NSA Cybersecurity. “Our hope is that sharing these requirements now will help efficiently operationalize these requirements when the time comes.”
The Director of NSA is the National Manager for NSS and therefore issues guidance for NSS. The algorithms in CNSA 2.0 are an update to those in the currently required Commercial National Security Algorithm Suite (now referred to as CNSA 1.0) listed in CNSSP 15, Annex B (released in 2016). The CNSA 2.0 algorithms have been analyzed as secure against both classical and quantum computers, and they will eventually be required for NSS.
NSA’s CNSA 2.0 algorithm selections were based on the National Institute of Standards and Technology’s (NIST) recently announced selections for standardization for quantum-resistant cryptography, but there are neither final standards nor FIPS-validated implementations available yet.
NSA urges NSS owners and operators to pay attention to NIST selections and to the future requirements outlined in CNSA 2.0, while CNSA 1.0 compliance continues to be required in the interim.
“We want people to take note of these requirements to plan and budget for the expected transition, but we don’t want to get ahead of the standards process,” said Joyce.
NSS owners and operators should not deploy QR algorithms on mission networks until they have been vetted by NIST and National Information Assurance Partnership (NIAP) as required in CNSSP-11. There will be a transition period, and NSA will be transparent about NSS transition requirements.

The advisory is a practical 10 page guide of what the NSA expects.  Some key elements are:

  • The reasons for choosing separate algorithms for software- and firmware-signing are three-fold:
    • NIST has standardized these algorithms already, while other post-quantum signatures are not yet standardized,
    • This signature use-case is more urgent, and
    • This selection places algorithms with the most substantial history of cryptanalysis in a use case where their potential performance issues have minimal impact. In particular, this usage coincides well with the requirement for keeping track of state—that is, how many times a given public key was used in signing software or firmware when deploying these signatures.
  • the algorithms chosen for software- and firmware-signing are those specified in NIST Special Publication 800-208. NSA recommends Leighton-Micali with SHA-256/192, but all NIST SP 800-208 algorithms are approved for this use case.
  • NSA expects the transition to QR algorithms for NSS to be complete by 2035.
  • where feasible, NSS owners and operators will be required to prefer CNSA 2.0 algorithms when configuring systems during the transition period.
  • use of CNSA 2.0 algorithms will be mandatory in classes of commercial products within NSS, while reserving the option to allow other algorithms in specialized use cases
  • the method of transitioning is:


NIAP will release protection profiles specifying that products support CNSA

2.0 algorithms in accordance with NIST and other standards from standards development organizations and the development of standards- compliant cryptographic equipment.


All new equipment must meet the protection profile requirements; older equipment must meet the requirement at its next update to remain NIAP compliant.


Using CNSA 2.0 algorithms as the preferred configuration option will begin as soon as validated and tested solutions are available.


NIAP Protection Profile requirements and NSM-10 technology refresh requirements will determine the removal of legacy algorithm support.


At that point, legacy equipment and software not refreshed regularly will require a waiver and a plan to bring it into compliance.

  • the timing is:
    • Software and firmware signing begin transitioning
    • New software and firmware use CNSA 0 signing algorithms by 2025.
    • Transitioning deployed software and firmware not CNSA 0 compliant to CNSA 2.0-compliant algorithms by 2025.

Leave a Reply

Verified by MonsterInsights