Changelog

Replaced FIPS 140-3 Level 3 module validation requirement with post-quantum cryptography: inline network encryptors must implement FIPS 203 and FIPS 204 (ML-KEM and ML-DSA) or NSA CNSA 2.0 compliant algorithms. Updated Fig. 1 (SL5 Network Architecture) to remove the "FIPS 140-3 L3" specification labels from the encryptors.

Added supplemental guidance requiring post-quantum cryptographic algorithms for inter-facility encryptors, in line with SC-8(1). NSA Type 1 certified encryptors remain the higher-tier option.

Updated the Security Architecture overview to replace 'FIPS 140-3 Level 3 minimum validation for network encryptors' with 'Post-quantum cryptographic algorithms (FIPS 203 and FIPS 204, or NSA CNSA 2.0) for network encryptors', aligning the narrative section with the SC-8(1) and SC-13 control revisions.

Resolved and removed the open question on cryptographic sufficiency. The SC-8(1) and SC-13 revisions mandating FIPS 203/204 (ML-KEM/ML-DSA) or NSA CNSA 2.0 settle the question of whether NSA Type 1 or post-quantum algorithms are required. The item has been removed from Open Questions.

Removed the "Private SF-86" construct, which assumed a private vetting process equivalent to a government background investigation that does not yet exist. PS-3 now frames high-tier personnel vetting as an active area of research with two paths: (1) a formal government partnership using existing government clearance authorities, or (2) the Sensitivity Levels (SenL) Framework, an industry-adapted clearance model that labs can deploy without government participation, though it would benefit from government information-sharing.

Extended emanations security from passive egress prevention to adversary-controlled active signals, covering inbound signal injection used to influence system behavior. Emissions policies now define the permitted energy flows across each Red Zone boundary in both directions.