FIPS-validated cryptography and post-quantum support in one Enterprise Linux distribution

CMMC Level 2 takes effect November 10, 2026. Eight weeks later, on January 1, 2027, CNSA 2.0 requires post-quantum algorithm support for all new National Security Systems acquisitions. Both deadlines affect what operating system a university can run on nodes that handle Controlled Unclassified Information (CUI) under DoD-funded contracts.

FIPS validation requires a CMVP certificate number issued after independent laboratory testing. FIPS mode is a kernel configuration. The distinction determines whether your university passes NIST 800-171 control SC-13.

Understanding the difference gives compliance teams and research computing directors time to verify their OS before either deadline lands.

FIPS mode and FIPS validation are different requirements

FIPS mode tells the kernel to restrict itself to a subset of cryptographic algorithms. It is a configuration setting you toggle. FIPS validation is a separate process: an accredited laboratory independently tests the cryptographic modules, and NIST issues a certificate number listed on the CMVP validated modules list.

NIST 800-171 control SC-13 requires "FIPS-validated cryptography." Under CMMC Level 2, assessors verify this by asking for the CMVP certificate number: a specific, searchable entry on the NIST database. Only validated modules carry that certificate number. FIPS mode alone is a configuration step, one part of a larger validation requirement.

An auditor will ask: "Show me your CMVP certificate." The answer needs to be a certificate number.

Linux distributions vary widely in their CMVP status. Active certificates, modules on the NIST Modules in Process (MIP) list, expired certificates moved to the historical list: each represents a different compliance posture. The status of your OS's cryptographic modules determines whether you pass SC-13 and whether your university maintains eligibility for DoD contracts requiring CMMC Level 2.

CNSA 2.0 adds a post-quantum requirement eight weeks after CMMC

CNSA 2.0 is the NSA's Commercial National Security Algorithm Suite, version 2.0. Starting January 1, 2027, all new acquisitions of National Security Systems equipment must support CNSA 2.0 algorithms by default. For operating systems, that means the cryptographic modules need to include NIST-approved post-quantum cryptography (PQC) algorithms alongside the classical algorithms that current FIPS modules validate against.

Universities feel this because federally funded research that touches national security data flows through systems subject to NSS requirements. If your institution procures new infrastructure after January 2027 for these workloads, the OS needs PQC support.

Two deadlines, eight weeks apart: one requires proof that your cryptography is FIPS-validated (not just in FIPS mode); the other requires proof that your cryptography includes post-quantum algorithms.

PQC algorithm support in Enterprise Linux is still early. NIST finalized FIPS 203, 204, and 205 in August 2024, and the timeline from algorithm standardization to CMVP-validated modules typically runs 18–24 months. The earliest validated PQC modules will arrive in early-to-mid 2026 for vendors that started testing immediately after standardization.

RLC Pro Hardened addresses both deadlines in a single OS

RLC Pro Hardened from CIQ addresses both the FIPS and PQC requirements without requiring separate distributions for each.

For the CMMC/FIPS requirement: RLC Pro Hardened ships with cryptographic modules submitted to NIST's Cryptographic Module Validation Program, along with pre-applied STIG and CIS hardening profiles. The modules carry FIPS 140-3 compliance verified through independent laboratory testing.

For the CNSA 2.0/PQC requirement: CIQ's NSS module has achieved Cryptographic Algorithm Validation Program (CAVP) certification for NIST-approved post-quantum cryptography algorithms (ML-KEM per FIPS 203, ML-DSA per FIPS 204) and is advancing toward full FIPS 140-3 validation. CAVP certification, the algorithm-level testing that precedes module-level validation, is complete. Full CMVP validation is in progress.

A university running RLC Pro Hardened on its CUI-handling nodes has one distribution that addresses both the November 2026 FIPS validation requirement and the January 2027 PQC requirement, without rebuilding or migrating to a different OS between deadlines.

Universities with CUI exposure have eight months to verify their OS

Before November 2026, HPC nodes handling controlled data need to run on an OS with FIPS-validated cryptographic modules that carry a CMVP certificate number. Before January 2027, any new systems acquired for NSS-adjacent workloads need PQC algorithm support.

Three questions to ask your current OS vendor before November:

1. Do your cryptographic modules have an active CMVP certificate number or are they on the Modules in Process list, the historical list, or not submitted at all?

2. Do your modules include NIST-approved post-quantum algorithms (FIPS 203, 204, 205), and what is their CAVP and CMVP status?

3. If the answer to either question is "not yet," what is your projected timeline, and does it clear both dates?

The universities that verify these answers now have eight months to close any gaps on their own timeline. That is a better position than discovering them during a CMMC assessment.

Evaluating your cryptographic compliance posture? Request a discovery call

Building your CMMC compliance plan? Read how CIQ addresses NIST 800-171 control families for HPC