CNSA 2.0 · new NSS acquisitions · 1 January 2027 · EO 14409 CBOM

Prove what ran. Name who ran it. Verify it offline.

NSS programs adding quantum workloads before 1 January 2027 need execution provenance — not another PQC migration tool. One signed, append-only ledger that proves what ran, names who ran it, and verifies offline. Vendor-neutral across IBM Quantum, IonQ, Amazon Braket, Rigetti, Quantinuum, and air-gapped hardware.

Request evidence pack CNSA 2.0 readiness brief
days · CNSA 2.0 new NSS acquisitions · 1 Jan 2027
days · EO 14409 federal CBOM element definition window
Live demo · seal → verify
Book a technical briefing
AUDIT LEDGER · live demo
Stage · idle
Time Workload Environment Submitter Verify
14:02:11 opt-routing-q3 cloud · IBM Quantum a.lovelace ✓ signed
13:47:58 risk-model-v12 cloud · IonQ c.shannon ✓ signed
13:22:04 chem-sim-h2o cloud · Amazon Braket e.noether ✓ signed
12:58:31 maxcut-r3 cloud · Rigetti p.shor ✓ signed
12:41:07 vqe-lih-04 cloud · Quantinuum j.preskill ✓ signed
Retention7 years
SignaturesML-DSA-87
ExportPDF · CSV
P.01 Offline-verifiable

Audit records verify without calling Nuqasm or the cloud provider.

Inspect schema
P.02 Open audit schema

Published JSON schema and AU mapping — inspect before you buy.

Full schema AU mapping
P.03 EO 14409 · CBOM

Published SBOM and reproducible builds — supply-chain evidence aligned to the federal CBOM mandate.

Request evidence pack
§01

Quantum workloads are entering the controls your team already enforces.

The requirement is dated. The capability isn't built.

Regulated programs are beginning to run real workloads on quantum processors, and the federal calendar for securing them is no longer hypothetical. The audit trail, non-repudiation, and electronic-records integrity you already require for safety-critical classical systems don't yet have a quantum answer. Nuqasm is that answer — and it's ready before the deadlines, not after.

Why now · fixed deadlines Four mandates
CNSA 2.0 · 1 Jan 2027

New NSS acquisitions must be CNSA 2.0-compliant from January 1, 2027 — ML-DSA-87 signatures, ML-KEM-1024 key establishment, SP 800-208 firmware signing. Most quantum tooling doesn't implement these at NSS parameter levels. Nuqasm runs them by default. Your classical systems are migrating; this is how your quantum systems migrate with them.

CNSA 2.0
EO 14409 · CBOM

Executive Order 14409 (June 22, 2026) sets fixed PQC migration deadlines and directs NIST and CISA to define a federal Cryptography Bill of Materials — a complete, verifiable inventory of the algorithms, keys, and signatures a system runs. Nuqasm already publishes an SBOM and ships reproducible builds. You'd be deploying what the mandate is about to require, not scrambling to add it.

EO 14409
SP 800-53 · AU

Audit & Accountability

Your ATO boundary requires tamper-protected, time-correlated audit records with non-repudiation (AU-2, -3, -8, -9, -10, -11, -12). The quantum cloud providers emit account-level API logs — not experiment-level records you can attribute to a named individual and prove unmodified. Nuqasm writes the record the boundary actually requires.

SP 800-53
Verification

The evaluation question

"Prove this workload ran as approved, on validated hardware, in a known calibration state — and that the results you're citing are the results it produced." Today that answer is reconstructed after the fact, by hand. Nuqasm makes it a query: every execution writes a signed, append-only record, verifiable offline.

V&V
§02

From researcher submission to auditor verification.

One system of record · every workload · every environment

Nuqasm captures a cryptographically bound execution record at every stage of the quantum computation lifecycle — from the moment a researcher submits a workload to the moment an auditor verifies what ran. The record is signed, time-stamped, immutable, and complete. Your compliance team opens a dashboard. Your researcher keeps their existing workflow.

Stage 01submit

Researcher submits

Workload authored in Qiskit, PennyLane, or OpenQASM. Nuqasm captures the source, the submitter's signed approval, and the policy block declaring which environments are allowed.

Maps to AU-2 · AU-3 Part 11 §11.10(a) · §11.200
Stage 02seal

Workload is sealed

Packaged into a signed .qcap archive using ML-DSA-87 (CNSA 2.0 default) or ML-DSA-65 for non-NSS configurations. Tamper-evident, verifiable offline without network.

Maps to AU-9 · AU-10 Part 11 §11.10(e) · CNSA 2.0
Stage 03route

Policy routes

The sealed capsule runs where policy allows — simulator, UQBench appliance, or approved cloud backends (IBM Quantum, IonQ, Amazon Braket, Rigetti, Quantinuum). Never modified. Always verified before execution. One source of truth.

Maps to AC-3 · AU-12 CM-5
Stage 04execute

Provenance captured

Runtime records the full chain: transpiled circuit, compiler version, hardware backend, calibration snapshot at execution, shot-by-shot results. Every attribute bound to the capsule signature.

Maps to AU-3 · AU-8 Part 11 §11.10(e)
Stage 05attest

Auditor verifies

Every execution writes an append-only record. Your compliance team queries, filters, exports audit-ready reports. Your auditor receives verifiable evidence — not a spreadsheet.

Maps to AU-6 · AU-11 · AU-12 Part 11 §11.10(c)
§03

Policy determines destination. Not a different source of truth.

Three deployment modes · one trust boundary · your policy chooses

Nuqasm separates the execution environment from the source of truth. Policy declares where a workload may run. The runtime enforces it. The audit record is identical regardless of environment. Your compliance team reviews one ledger, not three.

environment · evaluateno cost

Simulator

For labs and evaluation teams validating provenance workflows before production routing. No external data flow. Inherits host ATO.

Data residencyLocal only
NetworkOffline capable
RetentionLocal ledger · 1 yr
CertificationsHost-inherited
Use caseValidate workflow
Qubits20 (simulated)
environment · sovereignuqbench

Air-Gapped Appliance

Desk-side hardware with integrated QPU. Facility-local, no cloud dependency, SCIF-compatible.

Data residencyFacility-local
NetworkAir-gap enforced
RetentionAppend-only · 7 yr+
CertificationsDISA STIG · on roadmap
Use caseClassified / NSS
Qubits15 physical
environment · managedcloud routing

Cloud Routing

Sealed workloads routed to IBM Quantum, IonQ, Amazon Braket, Rigetti, Quantinuum, or local UQBench — with Nuqasm-side capture of full execution record.

Data residencyProvider regions
Key exchangeML-KEM-1024
RetentionFederated · 3 yr
CertificationsFedRAMP Moderate · on roadmap
Use caseProduction workloads
BackendsIBM Quantum · IonQ · Amazon Braket · Rigetti · Quantinuum
§04

Procurement buys control satisfaction, not features.

Every capability traces to a specific control

The table maps Nuqasm capabilities to the specific regulatory controls your compliance team is already responsible for. The full mapping — with evidence artifacts, control narratives, and auditor handoff documentation — is in the full evidence packet.

FIPS 203 · 204 NIST SP 800-53 CNSA 2.0 EO 14409 · CBOM
Open by design

Audit record schema — verify without calling us

Every field maps to SP 800-53 AU controls. Inspect offline, integrate with your SIEM, or hand to your auditor.

Full schema AU mapping 
{
  "submitter": { "identity": "j.preskill", "signatureAlgorithm": "ML-DSA-87" },
  "execution": { "backend": "ibm_kyoto", "outcome": "success" },
  "ledger": { "immutable": true, "retentionPolicy": "7yr+" },
  "signatures": [{ "algorithm": "ML-DSA-87", "signedFields": ["workload","execution"] }]
}
Get full mapping PDF
12
SP 800-53 AU controls
mapped & documented
CNSA2.0
Signature & KEM
default configuration
7yr
Sovereign retention
configurable tier
0
Cloud dependencies
in sovereign mode
3
Execution environments
one ledger of record
SPEC · UQOS/CTRL Published mapping
AU-3Content of audit records
Every record includes submitter identity, timestamp, environment, hardware backend, calibration snapshot, execution outcome.
SP 800-53
AU-9Audit protection
Append-only ledger with cryptographic chain. Tamper-evident archives. No overwrite operations permitted.
SP 800-53
AU-10Non-repudiation
ML-DSA-87 signatures bind submitter identity to workload and execution record. Offline-verifiable.
FIPS 204
AU-11Retention
Configurable retention (1 yr / 3 yr / 7 yr+) with immutable storage. Policy-scoped per workload.
SP 800-53
§11.10(e)Audit trail
Secure, computer-generated, time-stamped audit trail that preserves full version history without obscuring previous records.
Part 11
§11.200Electronic signatures
ML-DSA signatures cryptographically bound to named individual. Unique, verifiable, indelibly linked to the record.
Part 11
Key exchangeCloud routing
ML-KEM-1024 quantum-resistant key encapsulation. No classical-only TLS paths for enterprise workloads.
CNSA 2.0
SP 800-208Firmware signing
Reproducible builds with signed release manifests. SBOM published per runtime version for procurement review.
Shipped
ParametersConfiguration
CNSA 2.0 default (ML-DSA-87 / ML-KEM-1024) for NSS. Lower parameters (ML-DSA-65 / ML-KEM-768) available for non-NSS deployments.
Configurable
§05

For NSS programs facing a dated acquisition requirement.

CNSA 2.0 · 1 Jan 2027 · program security officer · ISSM · authorizing official

Defense · NSS · beachhead

CNSA 2.0 is dated — your quantum stack still needs execution provenance

New NSS acquisitions must be CNSA 2.0-compliant from 1 January 2027 — ML-DSA-87 signatures, ML-KEM-1024 key establishment, SP 800-208 firmware signing. Nuqasm is execution provenance: one signed ledger that proves what ran, names who submitted it, and verifies offline — in SCIF-compatible air-gapped deployments or routed cloud backends.

Anchor
CNSA 2.0 · CNSSP-15 · NIST SP 800-53 High · EO 14409 CBOM · NIAP path
Buyer
Program security officer · authorizing official · ISSM
CNSA 2.0 readiness brief Request evidence pack
§06

Priced below the cost that's already on your books.

Two budgets are funded now — PQC readiness and ATO schedule

Anchor: Two budgets are funded right now — and Nuqasm sits below both. Post-quantum readiness (cryptographic inventory, CNSA 2.0 migration, CBOM evidence) is a line item your security org is already spending against ahead of the 2027–2031 deadlines. And a single delayed or re-worked authorization — an ATO that slips because the audit evidence wasn't there — costs more in schedule than a Nuqasm deployment at any tier. We're priced under the work you're already paying for, not against a role you haven't hired.
days CNSA 2.0 new-acquisition deadline · already met by default
days until federal CBOM elements are defined · already shipping
1 ATO worth of schedule risk · the cost Nuqasm offsets
Tier
Price
Includes
Action
Evaluate
$0 / no contract
20-qubit simulator, full sealing workflow, Qiskit / PennyLane / OpenQASM support, local ledger with 1-year retention. For labs and evaluation teams validating provenance before production routing.
Download runtime
Standard
$80K–$120K / year
Simulator + cloud environments, 3-year audit retention, 5 compliance users, quarterly compliance reports, SOC 2 Type 2 evidence, full control mapping documentation.
Request quote
Sovereign
$150K–$250K + UQBench CapEx from $200K
All environments including UQBench appliance, 7-year retention, unlimited users, custom audit templates, CNSA 2.0 default, classified-network compatible, dedicated compliance liaison.
Sovereign briefing

No per-seat pricing for researchers. Price scales with environments, not people — so adding the compliance, security, and evaluation users who actually read the ledger costs nothing.

§07

Self-serve to the document your team needs.

Pick the door that fits your role — no forced sales call

Request access Delivered by email

No sales call attached. Documents delivered instantly by email.