CNSA 2.0 Timelines Are Closer Than They Appear

NIST finalized FIPS 203, 204, and 205 in August 2024, standardizing ML-KEM, ML-DSA, and SLH-DSA. Separately, the NSA's CNSA 2.0 provides migration guidance for national security systems (NSS), with target dates starting in 2025 for software signing and extending to 2030 for full transition.

These CNSA 2.0 timelines apply specifically to national security systems and their vendors — they are not direct mandates for commercial organizations. However, they signal the direction of future compliance expectations. Financial regulators, healthcare frameworks, and enterprise procurement standards are likely to follow, as they have historically with previous NIST/NSA cryptographic transitions.

The practical takeaway: if your organization handles data with a secrecy shelf-life longer than 10 years, the migration planning window is now, not when your auditor asks about it. The distinction between finalized NIST standards and evolving NSA policy guidance matters — but the direction is clear.