SecureIQLab Opens Post-Quantum Validation of Cloud-Native Firewalls
Independent AMTSO-registered methodology validates cloud-native firewalls against NIST post-quantum standards as CISA procurement mandate takes effect.
SecureIQLab today published the first independent cloud-native firewall validation methodology to include NIST post-quantum cryptography standards.
Key facts:
– First independent cloud-native firewall (CNFW) validation methodology to include NIST post-quantum cryptography (PQC) standards: ML-DSA-65/87 for digital signatures, ML-KEM-768/1024 for key establishment, and SHA-384/512 for integrity.
– Registered with the Anti-Malware Testing Standards Organization (AMTSO) as Test ID AMTSO-LS1-TP195.
– Up to 16 vendors evaluated across three pillars (Security Efficacy, Operational Efficiency, Compliance Validation), with compliance mapping to GDPR, HIPAA, PCI DSS, NIST 800-171, SOC 2, ISO/IEC 27001:2022, and Secure by Design/Default.
– Validation spans multi-cloud (AWS, Azure, GCP), Kubernetes (EKS, AKS, GKE), serverless, GenAI inference endpoints, and Model Context Protocol (MCP) server security.
– Non-commissioned validation begins June 2026; results published by end of October 2026.
The methodology, Cloud Native Firewall CyberRisk Validation v1.0, is registered with the Anti-Malware Testing Standards Organization (AMTSO) as Test ID AMTSO-LS1-TP195. It arrives in the same window as two landmark federal PQC mandates.
The Cybersecurity and Infrastructure Security Agency (CISA) published a January 2026 list of product categories for which agencies must acquire only PQC-enabled technology. Federal agencies were also due to submit comprehensive PQC transition plans under National Security Memorandum 10 (NSM-10) and OMB Memorandum M-23-02 by the end of April 2026.
The urgency is backed by data. According to the Trusted Computing Group’s 2025 State of PQC Readiness survey, 91% of organizations have no PQC roadmap in place. Cloud Security Alliance Labs reports that only 5% of organizations have deployed quantum-safe encryption, while 81% say their cryptographic libraries and hardware security modules are not ready for migration.
Meanwhile, the attack curve is tightening. The estimated number of qubits required to break RSA-2048 has fallen from roughly 1 billion in 2012 to approximately 1 million as of May 2025, per F5 Labs. The Global Risk Institute’s 2024 Quantum Threat Timeline Report draws on 32 leading experts. It places the probability of a quantum computer capable of breaking RSA-2048 within 10 years at 19% to more than 30%, depending on how expert opinion is weighted.
“Every cloud-native firewall vendor will soon claim quantum-safe posture. Enterprises and federal agencies need a way to verify those claims against a repeatable, vendor-neutral benchmark,” said David Ellis, VP of Research and Corporate Relations at SecureIQLab. “Our methodology is the first to require empirical PQC evidence at the firewall layer, alongside GenAI workload security and multi-cloud enforcement, so security leaders can meet federal and enterprise mandates with reproducible evidence rather than vendor self-attestation.”
“Post-quantum readiness is about to become one of the most-claimed and hardest-to-verify properties in security. That’s exactly where AMTSO’s transparency and reproducibility standards matter most. They give enterprises and regulators a shared baseline for separating real implementations from marketing. SecureIQLab’s CNFW methodology extending into PQC is a meaningful expansion of what independent validation can credibly cover,” said John Hawes, COO of the Anti-Malware Testing Standards Organization.
Cloud-native firewalls require a separate methodology because they are architecturally distinct from cloud-deployed firewalls. Existing firewall methodologies, including SecureIQLab’s own Advanced Cloud Firewall validation, measure VM-based appliances at VPC perimeters. Cloud-native firewalls embed in the cloud control plane, enforce policy via API across Kubernetes clusters, inspect east-west container traffic, and must now also prove quantum-safe cryptographic support. Traditional firewall methodologies cannot evaluate these mechanisms.
The methodology uses three pillars. Security Efficacy validates threat detection and prevention across scenarios mapped to the MITRE ATT&CK Cloud Matrix, STRIDE, OWASP Cloud-Native Guidelines, and the CSA Cloud Controls Matrix. Encryption validation covers all 22 TLS 1.2 cipher suites, three TLS 1.3 cipher suites, TLS session reuse, and NIST PQC standards ML-DSA, ML-KEM, and SHA-384/512 (NIST FIPS 203/204/205). GenAI workload validation covers inference endpoint protection and MCP server security, including access control, tool-call data exfiltration, and prompt-injection hijacking. Operational Efficiency evaluates IaC-driven deployment, policy management, scalability, incident response, and performance across AWS, Azure, GCP, and Kubernetes environments. Compliance Validation maps firewall capabilities to GDPR, HIPAA, PCI DSS, NIST 800-171, SOC 2, ISO/IEC 27001:2022, and Secure by Design/Default.
The methodology’s PQC coverage aligns with a sequence of federal milestones. CISA published product-category guidance in January 2026, and federal agencies were due to file transition plans by the end of April 2026. NSA Commercial National Security Algorithm (CNSA) 2.0 compliance applies to new National Security System acquisitions from January 2027, with full NSS compliance due by 2033. In the European Union, regulators increasingly treat quantum-vulnerable cryptography as failing the “state-of-the-art” standard under the Digital Operational Resilience Act (DORA) and the NIS2 Directive.
The non-commissioned study, funded entirely by SecureIQLab, evaluates up to 16 CNFW vendors across managed cloud-provider firewall services and third-party containerized solutions. The full planned vendor list is published in the methodology document. Testing begins in June 2026, with individual and comparative reports published by the end of October 2026. The AMTSO attestation is signed by David Ellis, VP of Research and Corporate Relations.