Industry · GOVERNMENT crypto policy
QNSP for Defense & National Security
Air-gapped, CNSA 2.0-aligned PQC for defense contractors, intelligence agencies, and classified workloads.
Air-gapped or on-prem QNSP deployments with offline ML-DSA-87 signing, distributed edge routing, and tamper-evident audit replay. Aligned to CNSA 2.0 mandates, ITAR, IL5, and NSS classifications. Government crypto-policy tier locks to FIPS-finalized algorithms only.
Threat model
What we're defending against
The HNDL, regulatory, and operational threats specific to this vertical.
Classified data with multi-decade confidentiality
NSS data retained under TOP SECRET for 50+ years is a primary harvest-now-decrypt-later target. Capture in 2025, decrypt circa 2035 — operationally relevant for an entire human generation.
Hostile cryptanalytic adversary with sustained budget
Threat model assumes a nation-state-scale adversary running coordinated capture programmes against allied infrastructure. Algorithm agility and rapid rotation are not optional.
Supply-chain attack on the root of trust
If keys never leave a customer-controlled HSM (Thales Luna, Entrust nShield, NSA-certified), a compromised vendor cannot weaponise downstream signatures.
Air-gap operational necessity
Classified, special-access, and sensitive-compartmented environments cannot depend on internet-reachable services. Offline signing, distributed edge routing, and tamper-evident audit replay are baseline requirements.
Compliance mapping
Frameworks this vertical operates under
QNSP supports continuous evaluation for 7 live frameworks; other named frameworks are architecturally supported with evidence available on request.
| Framework | How QNSP maps |
|---|---|
| CNSA 2.0 | NSA mandate to transition NSS to ML-KEM, ML-DSA, SLH-DSA by 2030–2033. Government tier locks QNSP to exactly the CNSA 2.0 algorithm subset. |
| FIPS 140-3 | Module-level validation roadmap; QNSP architecturally targets FIPS 140-3 via NIST CAVP algorithm validation (in progress with NIST CAVP). |
| NIST SP 800-208 | Stateful hash-based signatures (XMSS, LMS) for code-signing and firmware — QNSP supports SLH-DSA family. |
| ITAR | Export-controlled cryptographic technology — QNSP air-gapped deployment keeps all key material and source under customer control. |
| DoD IL5 | Impact Level 5 sensitive-unclassified workloads — supported via air-gapped + customer-managed HSM topology. |
QNSP architecture
Capabilities mapped to this vertical
How QNSP services compose to meet this vertical's needs.
Fully disconnected on-prem with offline signing and distributed edge routing
Customer-managed HSM (Thales Luna, Entrust nShield, AWS CloudHSM, Azure Dedicated HSM, etc.) as root of trust
Locks to ML-KEM-1024 + ML-DSA-87 + SLH-DSA-256f — FIPS-finalized only, no draft standards
Cryptographically chained audit logs verifiable offline against pinned ML-DSA-87 public key
Outcomes
What deploying QNSP for this vertical delivers
- ✓Government crypto-policy tier — ML-KEM-1024 + ML-DSA-87 + SLH-DSA-256f, FIPS-finalized only
- ✓Customer-managed HSM root of trust — QNSP never holds the master keys
- ✓Air-gapped operation — no internet dependency, distributed edge routing
- ✓Tamper-evident audit chain verifiable offline for IG and OIG review
For your engineers
Build patterns that map to this vertical
When you've evaluated the platform, hand these references to your engineering team.
Next step