Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
CompliancePost-Quantum Cryptography (CNSA 2.0)
US · CNSA 2.0 / OMB M-23-02 / NIST FIPS 203-205

Post-quantum cryptography migration:

CNSA 2.0, OMB M-23-02 and the NIST FIPS 203/204/205 standards explained.

Three US mandates now drive the move off quantum-vulnerable cryptography. The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0, Sept 2022) names the approved algorithms for National Security Systems. OMB M-23-02 (Nov 18, 2022) orders every federal civilian agency to inventory its active cryptography and report quantum-vulnerable use to ONCD and CISA. NIST finalized the underlying algorithm standards on Aug 13, 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA).

This page explains what each document requires, the migration deadlines that matter (software signing exclusively CNSA 2.0 by 2030, NSS by 2033, new acquisitions CNSA 2.0 by Jan 1, 2027), and how to build the cryptographic inventory those mandates depend on.

Talk to our advisory team Read the NSA CNSA 2.0 advisory
At a glance
Aug 13, 2024NIST finalized FIPS 203, 204 and 205
Jan 1, 2027New NSS acquisitions must support CNSA 2.0
2030 / 2033Software signing / full NSS exclusivity to CNSA 2.0
Through 2035Agencies submit annual crypto inventories (M-23-02)
NSA CNSA 2.0, OMB M-23-02 and NIST Post-Quantum Cryptography standards (FIPS 203/204/205)
Why it matters

A "harvest now, decrypt later" threat with hard federal deadlines already on the clock.

A cryptographically relevant quantum computer would break RSA, Diffie-Hellman and elliptic-curve cryptography. Adversaries do not have to wait for that machine. Encrypted traffic captured today can be stored and decrypted later, which is why migration timelines start now rather than when quantum hardware arrives.

CNSA 2.0 sets the destination for National Security Systems: ML-KEM-1024 for key establishment, ML-DSA-87 for general signatures, and the stateful hash-based schemes LMS and XMSS for software and firmware signing (per NIST SP 800-208), alongside AES-256 and SHA-384 or stronger. The NSA wants software and firmware signing on CNSA 2.0 exclusively by 2030, broad NSS migration by 2030, full exclusivity by 2033, and new NSS acquisitions to support CNSA 2.0 by January 1, 2027.

OMB M-23-02 makes the first step concrete for civilian agencies: you cannot migrate what you cannot see. Agencies must inventory active cryptographic systems, prioritize High Value Assets, report quantum-vulnerable algorithms to ONCD and CISA, and estimate migration cost. That inventory is the foundation of every later step, and it is exactly where most organizations have the least visibility.

How O3 helps

Find it before attackers do. Catch it if they try. Fix it fast.

Across these requirements, O3 runs one continuous loop on your own software so issues surface, get caught, and get fixed before they become an incident.

1 · Find it first

Test like an AI-assisted attacker

An agentic pentest probes your app across 50+ vulnerability classes the way a real attacker chains them, so exploitable flaws surface in your build before someone outside finds them.

2 · Catch it live

Detect and block exploitation at runtime

A kernel-level eBPF agent watches process trees and syscalls, recognises an attack sequence as it unfolds, and restricts the offending process on the spot rather than taking down the host.

3 · Fix it fast

Auto-patch what is reachable

Reachability ranks what genuinely matters, then autofix opens a pull request with the change, so remediation starts inside tight fix windows instead of sitting in a queue.

Remediation expectations

The clock by finding type

Indicative fix windows. Tightest where exposure and active exploitation meet.

New NSS acquisitions support CNSA 2.0by Jan 1, 2027
Software & firmware signing exclusively CNSA 2.0by 2030
Broad NSS migration to CNSA 2.0by 2030
Full CNSA 2.0 exclusivity across NSSby 2033
Discovery

How to build a cryptographic inventory for OMB M-23-02

M-23-02 is built around one deliverable: a prioritized inventory of cryptographic systems, with High Value Assets and high-impact systems first. Agencies submitted their first inventory by May 4, 2023 and continue annually through 2035, reporting where quantum-vulnerable RSA, Diffie-Hellman and ECC are in use.

OMB M-23-02 §3NIST SP 1800-38
Enumerate every place cryptography lives: code, libraries, protocols (TLS, SSH, IPsec), certificates, keys, HSMs, firmware and third-party services.
Classify each finding by algorithm and parameters, flagging quantum-vulnerable RSA, DH and ECC for ONCD and CISA reporting.
Prioritize by asset criticality, starting with HVAs and high-impact systems as M-23-02 directs.
Keep the inventory machine-readable and continuously refreshed so the annual submission through 2035 is a re-run, not a project.
Attach a migration cost estimate, which M-23-02 requires within 30 days of completing the inventory.
Where O3 helps

O3 generates a CBOM/QBOM in CycloneDX directly from source and dependencies, inventorying cryptographic assets and the libraries that implement them, which feeds the M-23-02 inventory and CNSA 2.0 planning. SCA and SBOM surface the crypto-library dependencies behind each finding.

Target state

How to map your stack to CNSA 2.0 approved algorithms

CNSA 2.0 specifies the algorithms that replace today's public-key cryptography for National Security Systems. Knowing the targets lets you plan substitutions rather than discovering them mid-migration.

NSA CNSA 2.0 advisoryNIST FIPS 203/204/205NIST SP 800-208
Replace RSA and ECC key establishment with ML-KEM-1024 (FIPS 203).
Replace RSA and ECDSA general-purpose signatures with ML-DSA-87 (FIPS 204).
Use the stateful hash-based schemes LMS and XMSS for software and firmware signing, per NIST SP 800-208.
Confirm symmetric and hash baselines meet CNSA 2.0: AES-256 and SHA-384 or stronger.
Treat SLH-DSA (FIPS 205) as the stateless hash-based signature option where stateful key management is impractical.
Planning

How to sequence migration against the CNSA 2.0 timeline

The deadlines are staggered, so sequencing matters. Signing systems lead, broad NSS migration follows, and new acquisitions must support CNSA 2.0 well before exclusivity dates.

NSA CNSA 2.0 advisoryNSA CNSA 2.0 FAQ
Start with software and firmware signing, which must be exclusively CNSA 2.0 by 2030 and benefits from early LMS/XMSS adoption.
Require new NSS acquisitions to support CNSA 2.0 by January 1, 2027, so procurement does not add new technical debt.
Plan broad NSS migration toward 2030 and full CNSA 2.0 exclusivity by 2033.
Group systems into migration waves by criticality and by how hard the crypto is to replace (hardware-bound or protocol-bound items take longest).
Track residual quantum-vulnerable usage against the timeline so exceptions are visible and time-boxed.
Where O3 helps

A continuously updated QBOM lets you watch quantum-vulnerable usage trend toward zero across the 2030 and 2033 milestones instead of relying on point-in-time audits.

Architecture

How to design for crypto agility so the next transition is cheaper

Hard-coded algorithms are why this migration is painful. Crypto agility means cryptographic choices are configurable and discoverable, so future changes (including algorithm deprecations) do not require rewrites.

NIST SP 1800-38BNIST PQC project
Centralize cryptographic operations behind libraries or services rather than scattering primitives through application code.
Make algorithm and key-length selection configurable, not compiled-in, so swaps are policy changes.
Favor hybrid modes where standards bodies allow them during transition, pairing classical and post-quantum algorithms.
Add automated tests that assert which algorithms are actually negotiated in TLS, SSH and signing flows.
Re-scan after each change so the inventory reflects reality, not intent.
Where O3 helps

O3's source-level CBOM identifies where cryptographic primitives are called directly in code, helping locate the hard-coded usage that blocks crypto agility.

Supply chain

How to assess vendors and dependencies for PQC readiness

Much of your cryptography ships inside third-party libraries, products and services. M-23-02 and CNSA 2.0 only succeed if the supply chain moves too, which makes vendor visibility part of the inventory.

OMB M-23-02 §3NSA CNSA 2.0 advisory
Request PQC roadmaps from vendors of products that perform key establishment, signing or encryption.
Map open-source crypto libraries in your dependency tree and track their FIPS 203/204/205 implementation status.
Treat signing-chain components (build signing, firmware signing, update mechanisms) as priority items given the 2030 signing deadline.
Record vendor PQC status in the same inventory used for internal systems so reporting is unified.
Flag end-of-life or unmaintained crypto dependencies that will never gain PQC support.
Where O3 helps

SCA and SBOM enumerate the open-source crypto libraries you depend on, and reading cosign/SLSA provenance supports assessment of the software signing chain that CNSA 2.0 targets first.

Reporting

How to report quantum-vulnerable cryptography to ONCD and CISA

M-23-02 is not only an internal exercise. Agencies report quantum-vulnerable cryptography to the Office of the National Cyber Director and CISA, and submit prioritized inventories annually through 2035.

OMB M-23-02 §3NIST SP 1800-38
Standardize on a machine-readable inventory format so submissions are reproducible year over year.
Tag each quantum-vulnerable finding (RSA, DH, ECC) with system, owner, criticality and planned migration wave.
Produce the migration cost estimate within 30 days of completing the inventory, as M-23-02 requires.
Re-baseline annually and report the delta, showing measurable reduction in quantum-vulnerable usage.
Keep evidence linkable to the underlying scan so reviewers can trace any reported number to its source.
Where O3 helps

A CycloneDX CBOM/QBOM is exportable, machine-readable evidence of cryptographic assets and quantum-vulnerable usage, suitable for repeated annual reporting rather than manual spreadsheets.

The whole framework

Every mandate and algorithm across CNSA 2.0, OMB M-23-02 and the NIST FIPS standards.

All 20 requirement areas, each with the reference and a vendor-neutral note on how teams meet it.

10CNSA 2.0
Approved algorithms & migration timeline
5OMB M-23-02
Crypto inventory & reporting mandate
5NIST PQC
FIPS standards & migration practice
Requirement area
ML-KEM-1024 for key establishmentFIPS 203 / CNSA 2.0Replace RSA and ECC key exchange
ML-DSA-87 for general signaturesFIPS 204 / CNSA 2.0Replace RSA and ECDSA signatures
SLH-DSA stateless hash-based signaturesFIPS 205Use where stateful keys are impractical
LMS / XMSS for software & firmware signingCNSA 2.0 / SP 800-208Adopt stateful hash-based signing
AES-256 symmetric encryptionCNSA 2.0Confirm symmetric baseline
SHA-384 or stronger hashingCNSA 2.0Confirm hash baseline
Software & firmware signing exclusively CNSA 2.0CNSA 2.0 timelineComplete by 2030
New NSS acquisitions support CNSA 2.0CNSA 2.0 timelineProcurement requirement by Jan 1, 2027
Broad NSS migration to CNSA 2.0CNSA 2.0 timelineTarget 2030
Full CNSA 2.0 exclusivity across NSSCNSA 2.0 timelineComplete by 2033
Inventory active cryptographic systemsOMB M-23-02 §3Build prioritized crypto inventory
Prioritize High Value Assets firstOMB M-23-02 §3Order inventory by criticality
Report quantum-vulnerable crypto to ONCD & CISAOMB M-23-02 §3Flag RSA, DH and ECC usage
Annual inventory submissionOMB M-23-02Re-submit yearly through 2035
Migration cost estimateOMB M-23-02 §3Produce within 30 days of inventory
Crypto agility in architectureNIST SP 1800-38BMake algorithm choices configurable
Discover crypto in code & dependenciesNIST SP 1800-38Scan source, libraries and protocols
Supply-chain PQC readinessCNSA 2.0 / M-23-02Assess vendors and OSS libraries
Signing-chain / provenance assessmentCNSA 2.0Review build and firmware signing
Hybrid / transition planningNIST PQC migrationSequence waves toward deadlines

Build the cryptographic inventory your PQC migration depends on

M-23-02 and CNSA 2.0 both start with one question: where is your cryptography? O3 generates a CycloneDX CBOM and QBOM straight from your code and dependencies, inventorying cryptographic assets, flagging quantum-vulnerable usage, and giving you machine-readable evidence you can re-run every year. See how O3 maps your stack against the post-quantum deadlines.

Read the NSA CNSA 2.0 advisory
FAQ

Common
questions.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • CNSA 2.0 is the NSA's Commercial National Security Algorithm Suite 2.0, issued in September 2022. It names the post-quantum algorithms approved for National Security Systems and their vendors, including ML-KEM-1024, ML-DSA-87, and LMS/XMSS for signing. It applies to NSS owners and the suppliers building products for them.
  • Per the NSA timeline, software and firmware signing should be exclusively CNSA 2.0 by 2030, broad NSS migration is targeted for 2030, and full CNSA 2.0 exclusivity across NSS is expected by 2033. New NSS acquisitions must support CNSA 2.0 by January 1, 2027, so procurement starts early.
  • M-23-02 (Nov 18, 2022) directs federal civilian agencies to inventory active cryptographic systems, prioritize High Value Assets, report quantum-vulnerable RSA, Diffie-Hellman and ECC to ONCD and CISA, and estimate migration cost within 30 days of the inventory. Inventories are submitted annually through 2035.
  • They are the NIST post-quantum standards finalized August 13, 2024. FIPS 203 is ML-KEM for key establishment, FIPS 204 is ML-DSA for digital signatures, and FIPS 205 is SLH-DSA, a stateless hash-based signature scheme. CNSA 2.0 selects ML-KEM-1024 and ML-DSA-87 from these standards.
  • A CBOM (cryptographic bill of materials) and QBOM inventory the cryptographic assets and quantum-vulnerable algorithms in a system, expressed in CycloneDX. Because M-23-02 requires a prioritized crypto inventory and CNSA 2.0 requires migration planning, a machine-readable CBOM/QBOM is the foundational artifact for both.
  • Because of harvest-now-decrypt-later. Adversaries can capture encrypted data today and decrypt it once a cryptographically relevant quantum computer exists. Long-lived secrets are at risk immediately, which is why CNSA 2.0 and M-23-02 set deadlines that begin years before quantum hardware is expected.
  • CNSA 2.0 specifies the stateful hash-based signature schemes LMS and XMSS for software and firmware signing, per NIST SP 800-208. These signing use cases lead the migration: CNSA 2.0 calls for software and firmware signing to be exclusively CNSA 2.0 by 2030.
  • Start with discovery, since you cannot migrate what you cannot see. Build a cryptographic inventory across code, libraries, protocols, certificates and firmware, flag quantum-vulnerable RSA, DH and ECC, prioritize High Value Assets per M-23-02, then sequence replacements toward the CNSA 2.0 deadlines using NIST SP 1800-38 as practical guidance.

See O3 Security in Action

See why security and engineering leaders trust O3
to secure their entire software supply chain.