CIQ advances Rocky Linux with NIST post-quantum step
CIQ said its Network Security Services (NSS) module for Rocky Linux from CIQ has gained NIST Cryptographic Algorithm Validation Program (CAVP) certification for two post-quantum cryptography algorithms and has entered the US government's Modules in Process list.
It positioned the move as a step towards full FIPS 140-3 validation for a post-quantum-enabled cryptographic module on an enterprise Linux platform. CIQ described the listing as a milestone for regulated and public sector buyers tracking how quickly suppliers can move cryptographic components through NIST's validation pipeline.
NIST programmes
CAVP certification covers the correctness of implementations of specific cryptographic algorithms. The Modules in Process list tracks modules progressing through the Cryptographic Module Validation Program, the route to a FIPS 140-3 certificate. Vendors often cite Modules in Process status during procurement cycles when full validation is still pending.
CIQ said its NSS module for Rocky Linux from CIQ 9.6 includes the NIST-approved post-quantum algorithms ML-KEM and ML-DSA. ML-KEM is a key-encapsulation mechanism used for key establishment, while ML-DSA is a digital signature algorithm. NIST has standardised both as part of its post-quantum cryptography programme.
CIQ said the NSS work is aimed at environments where cryptography must meet compliance requirements. NSS is used for TLS in a range of software and can act as a cryptographic provider for Java applications when systems operate in FIPS mode, according to the company.
Engineering work
Rocky Linux shipped NSS version 3.112 with ML-KEM and ML-DSA support in September 2025. CIQ said the code was complete at that point but did not meet FIPS requirements. Distinguished Engineer Jeremy Allison led work to modify NSS for a FIPS 140-3 submission, it added.
"The ML-KEM and ML-DSA code in NSS was feature complete, but not FIPS compliant," said Jeremy Allison, Distinguished Engineer at CIQ. "CIQ has enabled and open-sourced FIPS 140-3 compliance code in nss-3.112 for these increasingly important algorithms to provide security for our customers and help them prepare for the post-quantum future."
CIQ said the engineering work is open source, with code published in public repositories. It framed the effort as a contribution to broader adoption of post-quantum cryptography in commonly used components.
CNSA 2.0 pressure
Buyer attention has increased as governments and critical infrastructure operators plan migrations away from classical public key cryptography. The US National Security Agency's Commercial National Security Algorithm Suite 2.0 sets milestones beginning in 2027 and targets a full migration by 2035 for National Security Systems.
CIQ also referenced "harvest now, decrypt later", which describes the risk that attackers collect encrypted traffic or stored data today and decrypt it later if cryptographically relevant quantum computers become available.
In this context, suppliers of operating systems and core libraries face pressure to ship standards-based post-quantum algorithms, integrate them safely, and complete validation work that allows organisations to claim compliance in audits and procurement processes.
Broader roadmap
CIQ said its post-quantum effort spans five FIPS cryptographic modules it tracks: NSS, OpenSSL, the Linux kernel, GnuTLS and LibGCrypt. It added that NSS is now in Modules in Process with CAVP certification for ML-KEM and ML-DSA.
For OpenSSL, CIQ said post-quantum support arrived in OpenSSL 3.5. It expects the FIPS 140-3 validation process to begin for Rocky Linux from CIQ 10.2 in the third quarter of 2026 and for Rocky Linux from CIQ 9.10 in mid-2027. For the kernel, it said it is monitoring upstream development. It added that post-quantum work is stabilising upstream in GnuTLS and that LibGCrypt is awaiting a stable upstream release.
CIQ said it expects full FIPS 140-3 validation for the NSS module in the second quarter of 2027, based on its current pace and the validation process.
A Modules in Process listing can be relevant for organisations that must show progress towards validated cryptography while planning deployments, although acceptance varies by framework and regulator. CIQ said NSS with ML-KEM and ML-DSA in Modules in Process status is available now for Rocky Linux from CIQ customers.
"Organisations making platform decisions today need confidence that their infrastructure partner can deliver quantum-resistant solutions," said Gregory Kurtzer, chief executive officer of CIQ. "Achieving MIP status with CAVP-certified PQC algorithms demonstrates CIQ can solve these complex engineering challenges and gives customers confidence in the roadmap for OpenSSL and other cryptographic modules as we build the quantum-resistant stack they'll need."