CIQ's NSS Module First to Achieve CAVP Certification for Post-Quantum Cryptography Algorithms
NSS with ML-KEM and ML-DSA algorithms passes lab testing and enters Modules in Process list, making Rocky Linux from CIQ one of the first Enterprise Linux distributions advancing FIPS-validated post-quantum cryptography with NSS
RENO, Nev., Feb. 4, 2026 /PRNewswire/ -- CIQ today announced that Network Security Services (NSS) for Rocky Linux from CIQ (RLC) 9.6 with post-quantum cryptography (PQC) algorithms has achieved Cryptographic Algorithm Validation Program (CAVP) certification from the National Institute of Standards and Technology (NIST) and entered the Modules in Process (MIP) list. This milestone makes Rocky Linux from CIQ the first Enterprise Linux distribution with an NSS module containing NIST-approved PQC algorithms advancing toward full FIPS 140-3 validation.
The NSS module includes two NIST-approved PQC algorithms: ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) for secure key exchange, and ML-DSA (Module-Lattice-Based Digital Signature Algorithm) for digital signatures. These algorithms are designed to resist attacks from both classical and quantum computers.
When Rocky Linux released NSS version 3.112 in September 2025 with ML-KEM and ML-DSA support, the algorithms were feature complete but not FIPS compliant. CIQ Distinguished Engineer and Samba Project Co-Creator Jeremy Allison led the effort to enhance NSS to meet FIPS 140-3 standards for submission to NIST.
"The ML-KEM and ML-DSA code in NSS was feature complete, but not FIPS compliant," said Allison. "CIQ has enabled and open-sourced FIPS 140-3 compliance code in nss-3.112 for these increasingly important algorithms to provide security for our customers and help them prepare for the post-quantum future."
All of CIQ's FIPS PQC engineering work is open source and available on GitHub, contributing to the broader security community.
The National Security Agency's CNSA 2.0 sets a compressed timeline for National Security Systems to adopt quantum–resistant cryptography, with key transition milestones beginning in 2027 and a full migration targeted by 2035. However, the "harvest now, decrypt later" threat makes immediate preparation critical. Adversaries can collect encrypted data today and decrypt it once quantum computers become capable.
NSS provides application-level cryptography for browser sessions, SSL/TLS connections, and serves as the cryptographic provider for Java applications when systems operate in FIPS mode. This makes PQC-enabled NSS relevant not just for web communications but for the broad range of Java-based enterprise applications common in government and regulated industries.
"Organizations making platform decisions today need confidence that their infrastructure partner can deliver quantum-resistant solutions," said Gregory Kurtzer, CEO of CIQ. "Achieving MIP status with CAVP-certified PQC algorithms demonstrates CIQ can solve these complex engineering challenges and gives customers confidence in the roadmap for OpenSSL and other cryptographic modules as we build the quantum-resistant stack they'll need."
CIQ's cryptographic strategy extends beyond NSS. The company is tracking PQC implementation across all five FIPS cryptographic modules:
- NSS — ML-KEM and ML-DSA in MIP with CAVP certification, full FIPS 140-3 validation anticipated Q2 2027 at current velocity
- OpenSSL — PQC support added in OpenSSL 3.5; FIPS 140-3 validation process begins for Rocky Linux from CIQ 10.2 in Q3 2026 and RLC 9.10 in mid-2027
- Kernel — Monitoring upstream PQC development
- GnuTLS — PQC stabilization ongoing upstream
- LibGCrypt — Awaiting stable PQC release upstream
As upstream projects stabilize PQC implementations, CIQ will continue pursuing FIPS validation to deliver comprehensive quantum-resistant infrastructure.
NSS with ML-KEM and ML-DSA post-quantum algorithms in MIP status is available now for Rocky Linux from CIQ customers. Many compliance frameworks accept MIP status while awaiting full CMVP validation. The MIP listing and technical details are available on the NIST Cryptographic Module Validation Program website. CIQ's open source FIPS PQC compliance code is available on GitHub.
Read more about the CAVP certification in this CIQ blog post.
For more information about CIQ's post-quantum cryptography roadmap and FIPS validation strategy, visit ciq.com or contact CIQ for technical consultations.
About CIQ
CIQ delivers secure and performant software infrastructure for the demands of all modern workloads, from the most mundane to the most extreme HPC and AI jobs. We believe infrastructure should drive the future of your business and that both the operating system of a single machine and the orchestration layer to manage a cluster of machines and even hybrid environments needs to be optimized for your requirements. We are an open source company who has started and contributed to critical infrastructure projects such as Rocky Linux, Warewulf, Fuzzball, Ascender and Apptainer. For more information, visit ciq.com
MEDIA CONTACT:
Cristin Connelly
Cathey.co for CIQ
[email protected]
SOURCE CIQ
Share this article