Back to Frameworks
Commercial National Security Algorithm Suite (CNSA) 2.0
United States (National Security Agency)
v2.0 (2022, timeline to 2033)
20 domains
29 controls
The Commercial National Security Algorithm Suite (CNSA) 2.0, announced by the NSA in September 2022, defines a set of cryptographic algorithms-including AES‑256, SHA‑384, ECDSA P‑384, RSA‑3072, CRYSTALS‑Kyber (KEM) and CRYSTALS‑Dilithium (signature)-required for National Security Systems (NSS). CNSA 2.0 supersedes CNSA 1.0 and establishes a transition schedule: new NSS must adopt CNSA 2.0 algorithms by 2030, with full migration required by 2035.
Verified
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (20)
Assurance Testing
1 controls
| Code | Title |
|---|---|
| CNSA2-11 | Test and Evaluation |
Authentication
1 controls
| Code | Title |
|---|---|
| CNSA2-05 | Digital Signature Algorithm Transition |
Cryptographic Algorithm Adoption
3 controls
| Code | Title |
|---|---|
| CNSA2-01 | Software and Firmware Signing Transition |
| CNSA2-02 | Symmetric Encryption Standard |
| CNSA2-03 | Hash Function Standard |
Cryptographic Governance
1 controls
| Code | Title |
|---|---|
| CNSA2-06 | Cryptographic Inventory and Discovery |
Data Protection
2 controls
| Code | Title |
|---|---|
| CNSA2-14 | Data at Rest Protection |
| CNSA2-15 | Data in Transit Protection |
Digital Signatures
3 controls
| Code | Title |
|---|---|
| CNSA2-DS-1 | ML-DSA Digital Signatures |
| CNSA2-DS-2 | LMS Hash-Based Signatures |
| CNSA2-DS-3 | XMSS Stateful Signatures |
Firmware Security
1 controls
| Code | Title |
|---|---|
| CNSA2-16 | Embedded Systems and Firmware |
Hash Functions
2 controls
| Code | Title |
|---|---|
| CNSA2-HASH-1 | SHA-384 Requirement |
| CNSA2-HASH-2 | SHA-512 Support |
Identity
1 controls
| Code | Title |
|---|---|
| CNSA2-13 | Identity and Access Management Alignment |
Implementation and Validation
3 controls
| Code | Title |
|---|---|
| CNSA2-IMP-1 | NIAP Product Validation |
| CNSA2-IMP-2 | CMVP Module Validation |
| CNSA2-IMP-3 | Transition Timeline Compliance |
Key Establishment
2 controls
| Code | Title |
|---|---|
| CNSA2-KE-1 | ML-KEM Key Encapsulation |
| CNSA2-KE-2 | Quantum-Resistant Key Exchange |
Key Exchange
1 controls
| Code | Title |
|---|---|
| CNSA2-04 | Key Establishment Algorithm Transition |
Module Certification
1 controls
| Code | Title |
|---|---|
| CNSA2-09 | Cryptographic Module Validation |
Monitoring
1 controls
| Code | Title |
|---|---|
| CNSA2-18 | Continuous Monitoring of Cryptographic Posture |
Programme Management
1 controls
| Code | Title |
|---|---|
| CNSA2-07 | Migration Planning and Timelines |
Protocol Configuration
1 controls
| Code | Title |
|---|---|
| CNSA2-12 | Network Protocol Profiles |
Supply Chain
1 controls
| Code | Title |
|---|---|
| CNSA2-08 | Vendor and Supply Chain Assurance |
Symmetric Encryption
1 controls
| Code | Title |
|---|---|
| CNSA2-SYM-1 | AES-256 Requirement |
Transition Operations
1 controls
| Code | Title |
|---|---|
| CNSA2-10 | Hybrid Operation During Transition |
Workforce
1 controls
| Code | Title |
|---|---|
| CNSA2-17 | Training and Awareness |
Your Compliance Coverage
If you comply with Commercial National Security Algorithm Suite (CNSA) 2.0, you already cover:
California IoT Security Law
10%
3 controls mapped
Compare →BSIMM
10%
3 controls mapped
Compare →ISO/IEC 23837 - Security Requirements for Quantum Key Distribution
10%
3 controls mapped
Compare →+ 257 more: IEC 62351 - Power Systems Communication Security (10%), NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI) (10%)
See all 260 mapped frameworks ↓Maps to 260 other frameworks
29 total controls
California IoT Security Law
3 source controls mapped|4 target controls covered
10%
BSIMM
3 source controls mapped|4 target controls covered
10%
ISO/IEC 23837 - Security Requirements for Quantum Key Distribution
3 source controls mapped|3 target controls covered
10%
IEC 62351 - Power Systems Communication Security
3 source controls mapped|1 target controls covered
10%
NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI)
3 source controls mapped|4 target controls covered
10%
3GPP Security Architecture (TS 33.501 - 5G Security)
3 source controls mapped|4 target controls covered
10%
AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)
3 source controls mapped|2 target controls covered
10%
ISO/IEC 27010:2015
3 source controls mapped|1 target controls covered
10%
Bahrain PDPL
3 source controls mapped|1 target controls covered
10%
CCPA/CPRA
3 source controls mapped|1 target controls covered
10%
OWASP ASVS
3 source controls mapped|4 target controls covered
10%
FBI CJIS Security Policy
3 source controls mapped|2 target controls covered
10%
US Gramm-Leach-Bliley Act (GLBA) - Higher Education Safeguards Rule
3 source controls mapped|2 target controls covered
10%
NYDFS Cybersecurity Regulation (23 NYCRR Part 500)
3 source controls mapped|2 target controls covered
10%
HIPAA Security Rule
3 source controls mapped|2 target controls covered
10%
Switzerland FADP
3 source controls mapped|1 target controls covered
10%
OWASP API Security Top 10 - 2023
3 source controls mapped|1 target controls covered
10%
Azure Security Benchmark
3 source controls mapped|1 target controls covered
10%
Belgium CyberFundamentals
3 source controls mapped|1 target controls covered
10%
CISA Zero Trust Maturity Model
3 source controls mapped|1 target controls covered
10%
OWASP Top 10:2025
3 source controls mapped|2 target controls covered
10%
Privacy Act 1988 (Australia)
3 source controls mapped|1 target controls covered
10%
ANSSI Cybersecurity Framework
3 source controls mapped|1 target controls covered
10%
BCBS 239
3 source controls mapped|1 target controls covered
10%
CAIQ (CSA)
3 source controls mapped|1 target controls covered
10%
BSI IT-Grundschutz
3 source controls mapped|1 target controls covered
10%
APPI
3 source controls mapped|1 target controls covered
10%
Argentina PDPA
3 source controls mapped|1 target controls covered
10%
ISO 19011
3 source controls mapped|2 target controls covered
10%
ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence
3 source controls mapped|2 target controls covered
10%
ISO 31000:2018
3 source controls mapped|2 target controls covered
10%
CIS Controls v8
3 source controls mapped|3 target controls covered
10%
Chile DPL
3 source controls mapped|1 target controls covered
10%
HL7 FHIR Security Framework
3 source controls mapped|2 target controls covered
10%
UK Defence Standard 05-138 - Cyber Security for Defence Suppliers
3 source controls mapped|1 target controls covered
10%
Chile Personal Data Protection Law (Law No. 21.719)
3 source controls mapped|1 target controls covered
10%
ASD Strategies to Mitigate Cyber Security Incidents
3 source controls mapped|1 target controls covered
10%
ISO/IEC 29115:2023 - Entity Authentication Assurance Framework
3 source controls mapped|1 target controls covered
10%
Cyber Essentials Plus
3 source controls mapped|1 target controls covered
10%
ISO/IEC 27400:2022
3 source controls mapped|1 target controls covered
10%
3GPP Security
3 source controls mapped|5 target controls covered
10%
ISO/IEC 27011:2024
3 source controls mapped|1 target controls covered
10%
AWS Well-Architected Security Pillar
3 source controls mapped|1 target controls covered
10%
C5 (Germany)
3 source controls mapped|1 target controls covered
10%
ISO/IEC 27557:2022 - Organisational Privacy Risk Management
3 source controls mapped|1 target controls covered
10%
AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence
3 source controls mapped|1 target controls covered
10%
ISO 27005
3 source controls mapped|1 target controls covered
10%
ISO 20000-1
3 source controls mapped|1 target controls covered
10%
ISO/IEC 42001:2023
3 source controls mapped|1 target controls covered
10%
EMV 3‑D Secure (3DS) - Payment Authentication Protocol
3 source controls mapped|1 target controls covered
10%
EDM Council CDMC - Cloud Data Management Capability Framework
3 source controls mapped|1 target controls covered
10%
NIST SP 800-53 Rev 5
3 source controls mapped|3 target controls covered
10%
SWIFT CSCF
3 source controls mapped|1 target controls covered
10%
W3C Verifiable Credentials (VC) Data Model 2.0
3 source controls mapped|1 target controls covered
10%
PAS 1192-5:2015 - Security-Minded Approach to BIM and Digital Built Environments
3 source controls mapped|3 target controls covered
10%
Canada ITSG-33 - IT Security Risk Management
3 source controls mapped|3 target controls covered
10%
New Zealand Information Security Manual (NZISM)
3 source controls mapped|3 target controls covered
10%
MARS-E - Minimum Acceptable Risk Standards for Exchanges
3 source controls mapped|3 target controls covered
10%
South Korea Cloud Security Assurance Program (CSAP)
3 source controls mapped|3 target controls covered
10%
NRC 10 CFR 73.54 - Nuclear Facility Cybersecurity
3 source controls mapped|3 target controls covered
10%
SWIFT CSP
3 source controls mapped|1 target controls covered
10%
UK PSTI Act
3 source controls mapped|4 target controls covered
10%
ISO 27799
3 source controls mapped|2 target controls covered
10%
RBI Cybersecurity Framework for Banks
3 source controls mapped|1 target controls covered
10%
ISO 27002:2022
3 source controls mapped|5 target controls covered
10%
PDPA Singapore
3 source controls mapped|1 target controls covered
10%
NIST SP 800-181
3 source controls mapped|4 target controls covered
10%
Qatar DPL
3 source controls mapped|1 target controls covered
10%
CTDPA (Connecticut Data Privacy Act)
3 source controls mapped|1 target controls covered
10%
DORA
3 source controls mapped|1 target controls covered
10%
Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1
3 source controls mapped|3 target controls covered
10%
NIST SP 800-183
3 source controls mapped|4 target controls covered
10%
PCI DSS v4.0
3 source controls mapped|3 target controls covered
10%
NIST SP 800-218
3 source controls mapped|3 target controls covered
10%
FDA 21 CFR Part 11
3 source controls mapped|2 target controls covered
10%
Kentucky Consumer Data Protection Act
3 source controls mapped|1 target controls covered
10%
Colorado Privacy Act
3 source controls mapped|1 target controls covered
10%
OWASP MASVS
3 source controls mapped|3 target controls covered
10%
NIST SP 800-63-4
3 source controls mapped|3 target controls covered
10%
OpenSSF Scorecard
3 source controls mapped|5 target controls covered
10%
Mauritius DPA
3 source controls mapped|1 target controls covered
10%
Singapore Government Instruction Manual on ICT&SS Management (IM8)
3 source controls mapped|1 target controls covered
10%
NIST SP 800-88
3 source controls mapped|4 target controls covered
10%
NATO STANAG 4774 (Confidentiality Metadata Labels) and STANAG 4778 (Metadata Binding)
3 source controls mapped|2 target controls covered
10%
OSFI B-13
3 source controls mapped|1 target controls covered
10%
Personal Data Act (personopplysningsloven)
3 source controls mapped|1 target controls covered
10%
MITRE ATT&CK
3 source controls mapped|4 target controls covered
10%
UNECE WP.29 R156
3 source controls mapped|4 target controls covered
10%
NSA Guidance for Transition to Quantum-Resistant Cryptography
3 source controls mapped|3 target controls covered
10%
NIST SP 800-150
3 source controls mapped|3 target controls covered
10%
Monetary Authority of Singapore Technology Risk Management Guidelines
3 source controls mapped|1 target controls covered
10%
CCSDS 350.0-G-3 - Space Communications Security (Consultative Committee for Space Data Systems)
3 source controls mapped|4 target controls covered
10%
NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
3 source controls mapped|4 target controls covered
10%
Ley Orgánica de Protección de Datos Personales (LOPDP)
3 source controls mapped|1 target controls covered
10%
Peru DPL
3 source controls mapped|1 target controls covered
10%
CNCF Security Technical Advisory Group (TAG)
3 source controls mapped|2 target controls covered
10%
NIST SP 800-207
3 source controls mapped|3 target controls covered
10%
TISAX - Trusted Information Security Assessment Exchange
3 source controls mapped|3 target controls covered
10%
Law No. 172-13 on the Protection of Personal Data
3 source controls mapped|1 target controls covered
10%
China PIPL
3 source controls mapped|1 target controls covered
10%
EAR - Export Administration Regulations
3 source controls mapped|2 target controls covered
10%
EU Digital Markets Act
3 source controls mapped|1 target controls covered
10%
SSDF (NIST)
3 source controls mapped|4 target controls covered
10%
RFC 2350 - Expectations for Computer Security Incident Response (BCP 21)
3 source controls mapped|1 target controls covered
10%
NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements
3 source controls mapped|3 target controls covered
10%
FedRAMP Rev 5
3 source controls mapped|3 target controls covered
10%
ISO 27701
3 source controls mapped|1 target controls covered
10%
NIST SP 800-187
3 source controls mapped|5 target controls covered
10%
Iowa Consumer Data Protection Act
3 source controls mapped|1 target controls covered
10%
ISO 27043
3 source controls mapped|4 target controls covered
10%
Utah Consumer Privacy Act
3 source controls mapped|1 target controls covered
10%
PCI SSF
3 source controls mapped|1 target controls covered
10%
NIST SP 800-160
3 source controls mapped|5 target controls covered
10%
Spain ENS
3 source controls mapped|1 target controls covered
10%
NIST SP 800-92
3 source controls mapped|4 target controls covered
10%
NIST SP 800-137
3 source controls mapped|4 target controls covered
10%
NIST AI Risk Management Framework (AI RMF 1.0)
3 source controls mapped|1 target controls covered
10%
NIST AI 600-1: Generative AI Profile
3 source controls mapped|1 target controls covered
10%
NIST Privacy Framework 1.0
3 source controls mapped|1 target controls covered
10%
Saudi Arabia PDPL
3 source controls mapped|1 target controls covered
10%
ISO 27017
3 source controls mapped|1 target controls covered
10%
Taiwan PDPA
3 source controls mapped|1 target controls covered
10%
HKMA SPM
3 source controls mapped|1 target controls covered
10%
POPIA
3 source controls mapped|1 target controls covered
10%
PTES
3 source controls mapped|4 target controls covered
10%
ISO/SAE 21434
3 source controls mapped|4 target controls covered
10%
FAA Cybersecurity Framework for Aviation
3 source controls mapped|1 target controls covered
10%
Oman National Cybersecurity Framework
3 source controls mapped|1 target controls covered
10%
Uruguay DPL
3 source controls mapped|1 target controls covered
10%
ASD Information Security Manual (ISM)
3 source controls mapped|6 target controls covered
10%
Australian Information Security Manual
3 source controls mapped|2 target controls covered
10%
ISO 13485
3 source controls mapped|2 target controls covered
10%
DISA Security Technical Implementation Guides (STIGs)
3 source controls mapped|5 target controls covered
10%
MDS2 (Medical Device)
3 source controls mapped|2 target controls covered
10%
NIST SP 800-61
3 source controls mapped|3 target controls covered
10%
Virginia CDPA
3 source controls mapped|1 target controls covered
10%
UK Gambling Commission - Cyber Resilience Requirements
3 source controls mapped|1 target controls covered
10%
NIST SP 800-53A Rev. 5
3 source controls mapped|1 target controls covered
10%
NIST Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems
3 source controls mapped|1 target controls covered
10%
Digital Economy Partnership Agreement (DEPA)
3 source controls mapped|1 target controls covered
10%
Saudi NCA ECC
3 source controls mapped|1 target controls covered
10%
US ITAR and EAR - Export Control and Data Security
3 source controls mapped|2 target controls covered
10%
Proposal for a Regulation on Cyber Resilience Act (CRA)
3 source controls mapped|4 target controls covered
10%
FFIEC IT Examination Handbook
3 source controls mapped|1 target controls covered
10%
US Executive Order 14028 - Improving the Nation's Cybersecurity
3 source controls mapped|1 target controls covered
10%
NIST SP 800-123
3 source controls mapped|4 target controls covered
10%
NIST SP 800-146
3 source controls mapped|1 target controls covered
10%
APRA CPS 234
3 source controls mapped|1 target controls covered
10%
ISO 27018
3 source controls mapped|1 target controls covered
10%
Turkey KVKK
3 source controls mapped|1 target controls covered
10%
Turkey Personal Data Protection Law (KVKK - Law No. 6698)
3 source controls mapped|1 target controls covered
10%
ILO Nursing Personnel Convention C149 (1977)
3 source controls mapped|1 target controls covered
10%
6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673) - superseded by AMLD7
3 source controls mapped|1 target controls covered
10%
ISO 8000 - Data Quality
3 source controls mapped|1 target controls covered
10%
FATF Recommendation 16 - Virtual Asset Travel Rule
3 source controls mapped|1 target controls covered
10%
Privacy by Design (PbD) - Seven Foundational Principles
3 source controls mapped|1 target controls covered
10%
BS 65000:2014 - Guidance on Organizational Resilience
3 source controls mapped|1 target controls covered
10%
IRS Publication 1075 - Tax Information Security Guidelines
3 source controls mapped|1 target controls covered
10%
ENISA Privacy‑Enhancing Technologies (PET) reports and recommendations
3 source controls mapped|2 target controls covered
10%
3GPP 5G Security Architecture (TS 33.501)
3 source controls mapped|2 target controls covered
10%
Montana Consumer Data Privacy Act
3 source controls mapped|1 target controls covered
10%
SLSA
3 source controls mapped|4 target controls covered
10%
Nigeria Open Banking Regulatory Framework (CBN, 2023)
3 source controls mapped|1 target controls covered
10%
NIS2 Directive Implementing Acts
3 source controls mapped|1 target controls covered
10%
NIST SP 800-66
3 source controls mapped|2 target controls covered
10%
NIST SP 800-161
3 source controls mapped|4 target controls covered
10%
NIST SP 800-128
3 source controls mapped|4 target controls covered
10%
Indonesia PDP Law
3 source controls mapped|1 target controls covered
10%
UNECE WP.29 R155
3 source controls mapped|3 target controls covered
10%
ISO 22739:2024 - Blockchain and Distributed Ledger Technologies Vocabulary
3 source controls mapped|1 target controls covered
10%
NIST SP 800-144
3 source controls mapped|1 target controls covered
10%
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming - European Union)
3 source controls mapped|1 target controls covered
10%
Maryland Online Data Privacy Act of 2024
3 source controls mapped|1 target controls covered
10%
Secure by Design: A Guide for Manufacturers (CISA)
3 source controls mapped|2 target controls covered
10%
New Jersey Data Privacy Act
3 source controls mapped|1 target controls covered
10%
MTCS (Singapore)
3 source controls mapped|1 target controls covered
10%
Nigeria Data Protection Regulation (NDPR)
3 source controls mapped|1 target controls covered
10%
NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)
3 source controls mapped|5 target controls covered
10%
Liechtenstein DPA
3 source controls mapped|1 target controls covered
10%
SIG (Shared Assessments)
3 source controls mapped|4 target controls covered
10%
Sigstore - Software Artifact Signing and Verification
3 source controls mapped|3 target controls covered
10%
PDPA Thailand
3 source controls mapped|1 target controls covered
10%
ESRB Privacy Certified
3 source controls mapped|2 target controls covered
10%
Hungary Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act)
3 source controls mapped|2 target controls covered
10%
CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0
3 source controls mapped|3 target controls covered
10%
ISO 27001:2022
3 source controls mapped|1 target controls covered
10%
FIDO2 and W3C WebAuthn Standard
3 source controls mapped|1 target controls covered
10%
Tennessee IPA
3 source controls mapped|1 target controls covered
10%
ETSI EN 303 645
3 source controls mapped|5 target controls covered
10%
MARS-E
3 source controls mapped|2 target controls covered
10%
Law 1581 of 2012 - Statutory Framework for the Protection of Personal Data
3 source controls mapped|1 target controls covered
10%
Philippines DPA
3 source controls mapped|1 target controls covered
10%
Philippines Data Privacy Act (RA 10173)
3 source controls mapped|1 target controls covered
10%
Malaysia PDPA 2010
3 source controls mapped|1 target controls covered
10%
FTC GLBA Safeguards Rule (16 CFR Part 314)
3 source controls mapped|1 target controls covered
10%
DoD Zero Trust Reference Architecture
3 source controls mapped|1 target controls covered
10%
NIST SP 800-172
3 source controls mapped|1 target controls covered
10%
SOC for Cybersecurity - Cybersecurity Risk Management Examination
3 source controls mapped|1 target controls covered
10%
NIST SP 800-145
3 source controls mapped|1 target controls covered
10%
CSA STAR (Security, Trust, Assurance, and Risk)
3 source controls mapped|1 target controls covered
10%
NIST SP 800-190
3 source controls mapped|1 target controls covered
10%
CFTC System Safeguards (17 CFR 37, 38, 39, 49)
3 source controls mapped|2 target controls covered
10%
GLI-33 - Gaming Laboratories International Event Wagering Systems
3 source controls mapped|2 target controls covered
10%
EIOPA Guidelines on ICT Security and Governance (EIOPA‑BoS‑23/146, 2023)
3 source controls mapped|2 target controls covered
10%
Telecommunications Sector Security Reforms (TSSR)
3 source controls mapped|2 target controls covered
10%
Defence Security Principles Framework (DSPF)
3 source controls mapped|2 target controls covered
10%
Protective Security Policy Framework (PSPF) Release 2024
3 source controls mapped|2 target controls covered
10%
UK Open Banking Standard
3 source controls mapped|2 target controls covered
10%
ISMAP (Japan)
3 source controls mapped|1 target controls covered
10%
NIST SP 800-122
3 source controls mapped|1 target controls covered
10%
South Korea ISMS-P
3 source controls mapped|1 target controls covered
10%
FTC Safeguards Rule (16 CFR Part 314)
3 source controls mapped|1 target controls covered
10%
LGPD
3 source controls mapped|1 target controls covered
10%
Oregon Consumer Privacy Act
3 source controls mapped|1 target controls covered
10%
AICPA SOC 1
3 source controls mapped|1 target controls covered
10%
SSAE 18 SOC 1 - Report on Controls at a Service Organisation (ICFR)
3 source controls mapped|1 target controls covered
10%
Minnesota Consumer Data Privacy Act
3 source controls mapped|1 target controls covered
10%
Nebraska Data Privacy Act
3 source controls mapped|1 target controls covered
10%
MITRE D3FEND
3 source controls mapped|4 target controls covered
10%
NAIC Insurance Data Security Model Law (MDL-668)
3 source controls mapped|3 target controls covered
10%
Mexico LFPDPPP
3 source controls mapped|1 target controls covered
10%
Rwanda DPL
3 source controls mapped|1 target controls covered
10%
Jamaica DPA
3 source controls mapped|1 target controls covered
10%
FERPA
3 source controls mapped|1 target controls covered
10%
New Hampshire Data Privacy Act
3 source controls mapped|1 target controls covered
10%
UK Data Protection Act 2018
3 source controls mapped|1 target controls covered
10%
India DPDP Act
3 source controls mapped|1 target controls covered
10%
PIPEDA
3 source controls mapped|1 target controls covered
10%
FISMA
3 source controls mapped|1 target controls covered
10%
Privacy Act 2020
3 source controls mapped|1 target controls covered
10%
GLBA
3 source controls mapped|1 target controls covered
10%
HKMA Cyber Resilience Assessment Framework (C-RAF)
3 source controls mapped|1 target controls covered
10%
COPPA
3 source controls mapped|1 target controls covered
10%
NIST SP 800-124 Revision 2 - Guidelines for Managing the Security of Mobile Devices
3 source controls mapped|3 target controls covered
10%
HITECH Act
3 source controls mapped|1 target controls covered
10%
OWASP SAMM
3 source controls mapped|3 target controls covered
10%
Vietnam PDPD
3 source controls mapped|1 target controls covered
10%
NIST SP 800-171
3 source controls mapped|1 target controls covered
10%
AICPA SOC 3
3 source controls mapped|1 target controls covered
10%
PSD2 SCA
3 source controls mapped|1 target controls covered
10%
PCI PIN Security
3 source controls mapped|1 target controls covered
10%
Indiana Consumer Data Protection Act
3 source controls mapped|1 target controls covered
10%
Open Banking Security
3 source controls mapped|1 target controls covered
10%
Texas Data Privacy Act
3 source controls mapped|1 target controls covered
10%
Ghana Cybersecurity Act
3 source controls mapped|1 target controls covered
10%
Kenya DPA
3 source controls mapped|1 target controls covered
10%
Kenya Data Protection Act
3 source controls mapped|1 target controls covered
10%
Iceland DPA
3 source controls mapped|1 target controls covered
10%
UK Telecommunications (Security) Act 2021
3 source controls mapped|1 target controls covered
10%
O-RAN WG11 Security Specification
3 source controls mapped|1 target controls covered
10%
NIST SP 800-82 Revision 3: Guide to Industrial Control Systems (ICS) Security
3 source controls mapped|1 target controls covered
10%
Delaware Online Privacy and Protection Act (proposed)
3 source controls mapped|1 target controls covered
10%
UAE PDPL
3 source controls mapped|1 target controls covered
10%
PCI P2PE
3 source controls mapped|1 target controls covered
10%
CISA Industrial Control Systems (ICS) Security Guidance
1 source controls mapped|1 target controls covered
3%
IACS Unified Requirements E26/E27 - Cyber Resilience of Ships and On-Board Systems
1 source controls mapped|1 target controls covered
3%
DFARS 252.204-7012 - Safeguarding Covered Defense Information
1 source controls mapped|1 target controls covered
3%
Connecticut Data Privacy Act (CTDPA)
1 source controls mapped|1 target controls covered
3%
Illinois Biometric Information Privacy Act (BIPA)
1 source controls mapped|1 target controls covered
3%
Modern Slavery Act 2018 (Australia)
1 source controls mapped|1 target controls covered
3%
Frequently Asked Questions
What is Commercial National Security Algorithm Suite (CNSA) 2.0?
Commercial National Security Algorithm Suite (CNSA) 2.0 is a compliance framework from United States (National Security Agency) with 20 domains and 29 controls. The Commercial National Security Algorithm Suite (CNSA) 2.0, announced by the NSA in September 2022, defines a set of cryptographic algorithms-including AES‑256, SHA‑384, ECDSA P‑384, RSA‑3072, CRYSTALS‑Kyber (KEM) and CRYSTALS‑Dilithium (signature)-required for National Security Systems (NSS). CNSA 2.0 supersedes CNSA 1.0 and establishes a transition schedule: new NSS must adopt CNSA 2.0 algorithms by 2030, with full migration required by 2035. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Commercial National Security Algorithm Suite (CNSA) 2.0 have?
Commercial National Security Algorithm Suite (CNSA) 2.0 has 29 controls organised across 20 domains. The largest domains are Cryptographic Algorithm Adoption (3 controls), Digital Signatures (3 controls), Implementation and Validation (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Commercial National Security Algorithm Suite (CNSA) 2.0 map to?
Commercial National Security Algorithm Suite (CNSA) 2.0 maps to 260 other compliance frameworks. The top mapping partners are California IoT Security Law (10% coverage), BSIMM (10% coverage), ISO/IEC 23837 - Security Requirements for Quantum Key Distribution (10% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with Commercial National Security Algorithm Suite (CNSA) 2.0 compliance?
Start your Commercial National Security Algorithm Suite (CNSA) 2.0 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Commercial National Security Algorithm Suite (CNSA) 2.0 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 29 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 768 frameworks.
Get Started Free →Free forever — no credit card required