Standards
Comprehensive reference for NIST, IETF, NSA, and industry standards governing post-quantum cryptography. Links go to official publications; dates are finalization dates unless noted otherwise.
NIST FIPS standards (final)
FIPS 203, 204, and 205 were finalized simultaneously on 2024-08-13, completing the first round of NIST PQC standardization.
| Standard | Algorithm | Family | Finalized | Publication |
|---|---|---|---|---|
| FIPS 203 | ML-KEM | Module-Lattice KEM (CRYSTALS-Kyber) | 2024-08-13 | |
| FIPS 204 | ML-DSA | Module-Lattice Signature (CRYSTALS-Dilithium) | 2024-08-13 | |
| FIPS 205 | SLH-DSA | Stateless Hash-Based Signature (SPHINCS+) | 2024-08-13 |
NIST standards in progress
FIPS 206 — FN-DSA (FALCON)
FN-DSA is an NTRU-lattice based signature algorithm offering the smallest signatures among standardized lattice schemes. Based on FALCON. As of mid-2026, the initial public draft (IPD) has not been published — the document is in NIST/DoC clearance review. Finalization timeline is not yet announced. No link is available; the CSRC FIPS 206 placeholder page should be monitored for IPD release.
SP 800-227 — Recommendations for Key-Encapsulation Mechanisms
Finalized 2025-09-18. Covers security requirements, parameter selection, and implementation considerations for ML-KEM. SP 800-227 final publication.
HQC — 4th-round selection
NIST selected HQC on 2025-03-11 as a second KEM alongside ML-KEM, documented in NIST IR 8545. HQC uses code-based cryptography — different mathematical assumptions from ML-KEM's lattices, providing cryptographic diversity. A draft FIPS is expected 2026; a FIPS number has not yet been assigned. NIST press release.
IETF LAMPS — PQC in X.509 and CMS
The IETF LAMPS working group standardized algorithm identifiers and CMS structures for using the NIST PQC algorithms in X.509 certificates, CRLs, OCSP, and signed messages. These are published RFCs; earlier working group drafts are superseded.
| RFC | Scope | Published |
|---|---|---|
| RFC 9881 | X.509 algorithm identifiers and key/signature formats for ML-DSA (FIPS 204) | 2025-10 |
| RFC 9882 | ML-DSA in CMS — code signing, S/MIME, document signing | 2025-10 |
| RFC 9909 | X.509 algorithm identifiers and key formats for SLH-DSA (FIPS 205) | 2025-12 |
| RFC 9814 | SLH-DSA in CMS | 2025-07 |
| RFC 9935 | X.509 algorithm identifiers and key formats for ML-KEM (FIPS 203) | 2026-03 |
| RFC 9936 | ML-KEM in CMS — key encapsulation in signed/encrypted messages | 2026-03 |
| RFC 9763 | Related certificates for multi-authentication — binds classical and PQ certs via RelatedCertificate extension |
2025-06 |
Other relevant IETF RFCs
| RFC | Scope |
|---|---|
| RFC 9180 | HPKE — Hybrid Public Key Encryption (classical DHKEM variants; PQ KEM integration is specified in draft-ietf-hpke-pq) |
| RFC 8784 | IKEv2 post-quantum: mixing PSK with DH for quantum-resistant VPNs |
Hybrid TLS 1.3 key exchange (X25519MLKEM768, etc.) is specified in draft-ietf-tls-hybrid-design; already deployed in Chrome, Firefox, and Cloudflare ahead of RFC publication.
NSA CNSA 2.0
The Commercial National Security Algorithm Suite 2.0 specifies required algorithms for National Security Systems (NSS). The algorithm set is:
- Key encapsulation: ML-KEM-1024
- Digital signatures: ML-DSA-87
- Firmware/software signing (stateful hash-based): LMS or XMSS
- SLH-DSA is excluded from CNSA 2.0.
- Classical algorithms remain permitted during transition; exclusive use of CNSA 2.0 algorithms is required by 2033.
CNSA 2.0 transition timeline
| Deadline | Requirement |
|---|---|
| 2024 | FIPS 203, 204, 205 finalized by NIST — standards baseline complete. |
| 2025 | Software/firmware signing and web browsers/servers begin preferring CNSA 2.0. |
| 2026–2027 | Networking equipment and operating systems begin transition to PQ algorithms. |
| 2030 | Traditional networking (VPNs, routers) must use PQ algorithms. |
| 2033 | Exclusive CNSA 2.0 use required across all categories. Classical-only deployments no longer approved for NSS. |
Source: CNSA 2.0 Algorithms (NSA) and the NSA CNSA 2.0 page (verified against the NSA CNSA 2.0 FAQ, Dec 2024 update).
NIST SP 800-63 Rev 4 — Digital Identity Guidelines
Framework for identity proofing, authentication, and federation. Revision 4 finalized 2025-07-31. Defines assurance levels for risk-based credential management across three volumes (63A identity proofing, 63B authentication, 63C federation).
Identity Assurance Level (IAL)
How confident the system is that a person is who they claim to be during enrollment.
| Level | Description |
|---|---|
| IAL1 | Lightweight identity proofing. Self-asserted attributes accepted; low-risk applications. |
| IAL2 | Remote or in-person proofing. Evidence supports real-world identity binding. |
| IAL3 | In-person proofing required. Trained operator verifies identity documents. |
Authenticator Assurance Level (AAL)
Confidence that the person accessing the system is the same person who enrolled.
| Level | Description |
|---|---|
| AAL1 | Single-factor authentication. Password or PIN acceptable. |
| AAL2 | Two distinct factors required. MFA with approved authenticators. |
| AAL3 | Hardware-based authenticator required. Verifier impersonation resistant. |
Federation Assurance Level (FAL)
Strength of federated authentication assertions between identity provider and relying party.
| Level | Description |
|---|---|
| FAL1 | Bearer assertion (e.g., signed JWT). No holder-of-key binding. |
| FAL2 | Injected assertion. Front-channel assertion that cannot be replayed by the RP. |
| FAL3 | Holder-of-key assertion with hardware crypto module. Assertion encrypted to RP; subscriber proves key possession. |
Document suite: SP 800-63-4 overview · 63A: Identity Proofing · 63B: Authentication · 63C: Federation.
Federal PKI and compliance frameworks
Federal PKI (FPKI)
The Federal PKI provides the trust infrastructure for U.S. Government digital certificates. The Federal Bridge CA enables cross-certification between agency PKIs.
- Federal Bridge CA: Cross-certifies agency and partner PKIs
- Federal Common Policy CA: Root for civilian agencies
- DoD PKI: Defense Information Systems Agency (DISA) operated
FISMA and RMF
The Federal Information Security Modernization Act requires agencies to implement the NIST Risk Management Framework (RMF) for system authorization. Key references:
- SP 800-37: Risk Management Framework
- SP 800-53: Security and Privacy Controls
- SP 800-53A: Assessment Procedures
FedRAMP
Standardized security assessment for cloud services used by federal agencies. Authorization tiers: Low (minimal data sensitivity), Moderate (controlled unclassified information), High (law enforcement, emergency services).
CMMC 2.0
Cybersecurity Maturity Model Certification for DoD contractors. Protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Under the final rule (32 CFR, December 2024):
- Level 1: Foundational — 15 practices, FCI protection
- Level 2: Advanced — 110 practices, CUI protection
- Level 3: Expert — 110+ practices, critical CUI
DISA STIGs
Security Technical Implementation Guides provide hardening standards for DoD systems. The PKI, TLS, and OS STIGs are most relevant for certificate infrastructure deployment.
OMB M-23-02
Requires federal agencies to inventory cryptographic systems and prepare migration plans for post-quantum cryptography. Three-step mandate: inventory all cryptographic systems and protocols; prioritize systems most vulnerable to harvest-now-decrypt-later attacks; develop migration roadmaps to PQC algorithms.
Industry and vendor standards
CA/Browser Forum
The CA/B Forum Baseline Requirements govern certificate issuance for WebPKI. PQC adoption is in progress: the S/MIME Baseline Requirements enabled PQC certificate profiles via ballot SMC013 (July 2025). A TLS Baseline Requirements ballot for ML-DSA certificate profiles was in progress as of mid-2026 and had not yet been finalized.
OpenSSL 3.5+
OpenSSL 3.5.0 released 2025-04-08 — designated LTS (supported through 2030-04-08). Native support for ML-KEM, ML-DSA, and SLH-DSA via the default provider; no oqs-provider required for the three finalized FIPS algorithms. FN-DSA/FALCON and HQC still require external providers.
ML-KEM documentation · ML-DSA documentation
PQC standards are evolving rapidly. The NIST CSRC and IETF LAMPS mailing list are the authoritative sources for new publications and draft revisions.