RENO, Nev., February 04, 2026 -- CIQ today announced that Network Security Services (NSS) for Rocky Linux from CIQ (RLC) 9.6 with post-quantum cryptography (PQC) algorithms has achieved Cryptographic Algorithm Validation Program (CAVP) certification from the National Institute of Standards and Technology (NIST) and entered the Modules in Process (MIP) list. This milestone makes Rocky Linux from CIQ the first Enterprise Linux distribution with an NSS module containing NIST-approved PQC algorithms advancing toward full FIPS 140-3 validation.

The NSS module includes two NIST-approved PQC algorithms: ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) for secure key exchange, and ML-DSA (Module-Lattice-Based Digital Signature Algorithm) for digital signatures. These algorithms are designed to resist attacks from both classical and quantum computers.

When Rocky Linux released NSS version 3.112 in September 2025 with ML-KEM and ML-DSA support, the algorithms were feature complete but not FIPS compliant. CIQ Distinguished Engineer and Samba Project Co-Creator Jeremy Allison led the effort to enhance NSS to meet FIPS 140-3 standards for submission to NIST.

"The ML-KEM and ML-DSA code in NSS was feature complete, but not FIPS compliant," said Allison. "CIQ has enabled and open-sourced FIPS 140-3 compliance code in nss-3.112 for these increasingly important algorithms to provide security for our customers and help them prepare for the post-quantum future."

All of CIQ's FIPS PQC engineering work is open source and available on GitHub, contributing to the broader security community.

The National Security Agency's CNSA 2.0 sets a compressed timeline for National Security Systems to adopt quantum–resistant cryptography, with key transition milestones beginning in 2027 and a full migration targeted by 2035. However, the "harvest now, decrypt later" threat makes immediate preparation critical. Adversaries can collect encrypted data today and decrypt it once quantum computers become capable.

NSS provides application-level cryptography for browser sessions, SSL/TLS connections, and serves as the cryptographic provider for Java applications when systems operate in FIPS mode. This makes PQC-enabled NSS relevant not just for web communications but for the broad range of Java-based enterprise applications common in government and regulated industries.

"Organizations making platform decisions today need confidence that their infrastructure partner can deliver quantum-resistant solutions," said Gregory Kurtzer, CEO of CIQ. "Achieving MIP status with CAVP-certified PQC algorithms demonstrates CIQ can solve these complex engineering challenges and gives customers confidence in the roadmap for OpenSSL and other cryptographic modules as we build the quantum-resistant stack they'll need."

CIQ's cryptographic strategy extends beyond NSS. The company is tracking PQC implementation across all five FIPS cryptographic modules:

• NSS — ML-KEM and ML-DSA in MIP with CAVP certification, full FIPS 140-3 validation anticipated Q2 2027 at current velocity
• OpenSSL — PQC support added in OpenSSL 3.5; FIPS 140-3 validation process begins for Rocky
• Linux from CIQ 10.2 in Q3 2026 and RLC 9.10 in mid-2027
• Kernel — Monitoring upstream PQC development
• GnuTLS — PQC stabilization ongoing upstream
• LibGCrypt — Awaiting stable PQC release upstream

As upstream projects stabilize PQC implementations, CIQ will continue pursuing FIPS validation to deliver comprehensive quantum-resistant infrastructure.

NSS with ML-KEM and ML-DSA post-quantum algorithms in MIP status is available now for Rocky Linux from CIQ customers. Many compliance frameworks accept MIP status while awaiting full CMVP validation. The MIP listing and technical details are available on the NIST Cryptographic Module Validation Program website. CIQ's open source FIPS PQC compliance code is available on GitHub.