XCO is based on Ubuntu 18.04, and the ntpsec package provided by the upstream package maintainers does not allow comprehensive, well-supported use of NTS. If NTS is an absolute requirement, you can achieve it on XCO by manually compiling and deploying a recent version of ntpsec, but this is not a supported solution. It comes at the cost of not using the sanctioned Ubuntu packaging system for package updates, a tradeoff that may not be worth it in certain operational environments.
Enforcing authentication where XCO acts as a client to existing NTP infrastructure
If XCO is to act only as a client for authenticated NTP, the upstream NTP servers that XCO points to must also support authenticated NTP. You can use public NTP servers for this purpose, such as those of the US National Institute of Standards and Technology (NIST). For more information, see the NIST website. The following is an excerpt from the site:
"The time messages will be authenticated using symmetric-key encryption in a manner that is fully compatible with the published NTP documentation. (Autokey and asymmetric key modes will not be used.) Each registered user will be assigned a unique encryption key, which will be linked to the IP address(es) of the user's system(s).
A registered user will be able to communicate with the authenticated server using this assigned encryption key or using a default key of 0, which is equivalent to disabling the encryption algorithm. Users who are not registered will not be able to connect to this server, but can use any of the other NIST servers, which will not be modified."
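As an added example (not from the XCO documentation or from NIST), the following Python checks whether an NTP reply carries a valid symmetric-key MAC. It assumes the classic layout of a 48-byte header followed by a 4-byte key ID and a digest of key plus header, no extension fields, and SHA-1 as the default digest; the key, key ID and packet bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTP header; the MAC (key ID + digest) follows it

def build_mac(key_id, key, header, algo="sha1"):
    """Key ID as 4 big-endian bytes, then digest(key || header)."""
    return struct.pack("!I", key_id) + hashlib.new(algo, key + header).digest()

def check_reply(packet, keys, algo="sha1"):
    """Classify a reply: ok, unauthenticated, crypto-nak, unknown-key, bad-mac."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than an NTP header")
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if not trailer:
        return "unauthenticated"          # no MAC at all
    if len(trailer) == 4:
        return "crypto-nak"               # key ID word only: server rejected our MAC
    if len(trailer) != 4 + hashlib.new(algo).digest_size:
        return "bad-mac"                  # wrong length for this digest
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id == 0:
        return "unauthenticated"          # key 0 means authentication is disabled
    key = keys.get(key_id)
    if key is None:
        return "unknown-key"
    expected = build_mac(key_id, key, header, algo)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return "ok" if hmac.compare_digest(expected, trailer) else "bad-mac"

# Constructed sample data: key ID 1, a made-up key, and a server-mode header
# (LI=0, VN=4, Mode=4, stratum 1) with all timestamps zeroed.
SAMPLE_KEYS = {1: b"constructed-demo-key"}
SAMPLE_HEADER = bytes([0x24, 1, 6, 0xEC]) + bytes(44)

if __name__ == "__main__":
    good = SAMPLE_HEADER + build_mac(1, SAMPLE_KEYS[1], SAMPLE_HEADER)
    tampered = bytes([0x24, 2]) + good[2:]   # stratum changed after signing
    for name, pkt in [("good", good), ("tampered", tampered),
                      ("no MAC", SAMPLE_HEADER),
                      ("crypto-NAK", SAMPLE_HEADER + bytes(4))]:
        print(name, "->", check_reply(pkt, SAMPLE_KEYS))
```

A client that enforces authentication should act only on replies classified `ok`.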
Enforcing authentication where XCO provides its own NTP server