CIQ's NSS Module First to Achieve CAVP Certification for Post-Quantum Cryptography Algorithms

Rocky Linux from CIQ becomes first Enterprise Linux distribution with NIST-approved PQC algorithms advancing toward FIPS 140-3 validation.

Published on Feb. 4, 2026

Got story updates? Submit your updates here. ›

CIQ announced that its Network Security Services (NSS) module for Rocky Linux from CIQ (RLC) 9.6 with post-quantum cryptography (PQC) algorithms has achieved Cryptographic Algorithm Validation Program (CAVP) certification from NIST and entered the Modules in Process (MIP) list. This milestone makes Rocky Linux from CIQ the first Enterprise Linux distribution with an NSS module containing NIST-approved PQC algorithms advancing toward full FIPS 140-3 validation.

Why it matters

The NSS module includes two NIST-approved PQC algorithms: ML-KEM for secure key exchange and ML-DSA for digital signatures, designed to resist attacks from both classical and quantum computers. This is a critical step in preparing for the post-quantum future, as the National Security Agency's CNSA 2.0 sets a timeline for National Security Systems to adopt quantum-resistant cryptography by 2035.

The details

CIQ Distinguished Engineer and Samba Project Co-Creator Jeremy Allison led the effort to enhance NSS to meet FIPS 140-3 standards for submission to NIST. All of CIQ's FIPS PQC engineering work is open source and available on GitHub. NSS provides application-level cryptography for browser sessions, SSL/TLS connections, and Java applications, making PQC-enabled NSS relevant for a broad range of enterprise applications.

  • In September 2025, Rocky Linux released NSS version 3.112 with ML-KEM and ML-DSA support.
  • In February 2026, CIQ announced that the NSS module has achieved CAVP certification and entered the MIP list.

The players

CIQ

An open source company that has started and contributed to critical infrastructure projects such as Rocky Linux, Warewulf, Fuzzball, Ascender and Apptainer.

Jeremy Allison

CIQ Distinguished Engineer and Samba Project Co-Creator who led the effort to enhance NSS to meet FIPS 140-3 standards.

Gregory Kurtzer

CEO of CIQ.

National Institute of Standards and Technology (NIST)

The organization that provided the CAVP certification for CIQ's NSS module.

National Security Agency (NSA)

The agency that set the CNSA 2.0 timeline for National Security Systems to adopt quantum-resistant cryptography.

Got photos? Submit your photos here. ›

What they’re saying

“The ML-KEM and ML-DSA code in NSS was feature complete, but not FIPS compliant. CIQ has enabled and open-sourced FIPS 140-3 compliance code in nss-3.112 for these increasingly important algorithms to provide security for our customers and help them prepare for the post-quantum future.”

— Jeremy Allison, CIQ Distinguished Engineer and Samba Project Co-Creator (CIQ)

“Organizations making platform decisions today need confidence that their infrastructure partner can deliver quantum-resistant solutions. Achieving MIP status with CAVP-certified PQC algorithms demonstrates CIQ can solve these complex engineering challenges and gives customers confidence in the roadmap for OpenSSL and other cryptographic modules as we build the quantum-resistant stack they'll need.”

— Gregory Kurtzer, CEO of CIQ (CIQ)

What’s next

CIQ anticipates full FIPS 140-3 validation for the NSS module with ML-KEM and ML-DSA in Q2 2027 at the current velocity. The company is also tracking PQC implementation across other FIPS cryptographic modules, including OpenSSL, Kernel, GnuTLS, and LibGCrypt, with plans to pursue FIPS validation as upstream projects stabilize their PQC implementations.

The takeaway

CIQ's achievement of CAVP certification and MIP status for its NSS module with NIST-approved post-quantum cryptography algorithms positions Rocky Linux as a leading Enterprise Linux distribution in the transition to quantum-resistant infrastructure, providing customers with confidence in the roadmap for critical cryptographic components.