The Cybersecurity and Infrastructure Security Agency (CISA) – alongside the National Security Agency (NSA) and National Institute of Standards and Technology (NIST) – released a joint factsheet today encouraging early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.
“Quantum-Readiness: Migration to Post-Quantum Cryptography” is urging organizations – especially those that support critical infrastructure – to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors.
According to the factsheet, NIST is working to publish the first set of post-quantum cryptographic (PQC) standards, to be released in 2024, to protect against future, potentially adversarial, cryptanalytically relevant quantum computer (CRQC) capabilities. A CRQC would have the potential to break the public-key systems that are used to protect information systems today, the agencies noted.
NIST released a draft version of its Migration to Post-Quantum Cryptography guidelines in April, and a major theme of the preliminary document is to help organizations understand the security architecture in their networks so that they firmly grasp where post-quantum security measures will need to be implemented, and where to prioritize modernization.
“While the PQC standards are currently in development, the authoring agencies encourage organizations to create a quantum-readiness roadmap by first establishing a project management team to plan and scope the organization’s migration to PQC,” the factsheet reads.
The team should be led by an organization’s Information Technology and Operational Technology procurement experts.
CISA, NSA, and NIST are urging organizations’ quantum-readiness project teams to first identify the organization’s current reliance on quantum-vulnerable cryptography. Having an inventory of quantum-vulnerable systems and assets enables an organization to begin the quantum risk assessment process, which in turn informs the prioritization of migration, the factsheet notes.
“Organizations are often unaware of the breadth of application and functional dependencies on public-key cryptography that exist within the products, applications, and services widely deployed within their operational environments, leading to a lack of visibility,” the agencies wrote. “The project team should lead the creation of such an inventory. The team should also include the organization’s cybersecurity and privacy risk managers who can prioritize the assets that would be most impacted by a CRQC, and that would expose the organization to greater risk.”
All Federal efforts to migrate to post-quantum cryptography follow President Biden’s May 2022 National Security Memorandum to leverage Federal resources and help all U.S. digital systems migrate to quantum-resilient cybersecurity standards by 2035.
The Office of Management and Budget released a memo in November to inform agencies of the forthcoming requirement to transition to quantum-resistant systems. That rule came from the White House’s Office of the National Cyber Director (ONCD) in February, calling on all government entities to submit to the administration prioritized inventories of cryptographic systems by May 4, 2023.
It is unclear whether or not agencies met this deadline earlier this year.
The Biden administration is requiring agencies to prepare now to implement post-quantum cryptography. Once operational, a quantum computer is expected to be able to compromise certain widely used cryptographic algorithms that secure Federal data and information systems, the White House warned.
Additionally, and most importantly, agencies must remain cognizant that encrypted data can be recorded now and later decrypted by operators of a future quantum computer.
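The inventory and prioritization steps the factsheet describes, together with the harvest-now-decrypt-later concern above, can be made concrete. The Python script below is an added example, not code from the factsheet or from CISA, NSA or NIST: it classifies a constructed asset inventory by whether the public-key algorithm in use is quantum-vulnerable, then ranks the vulnerable assets by data sensitivity and by whether the data must stay protected long enough that traffic recorded today could still matter when a CRQC exists. The asset names and vendors, the CRQC horizon and migration-time figures, and the scoring weights are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Public-key families a cryptanalytically relevant quantum computer (CRQC) is
# expected to break; these are the migration targets.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
# Symmetric ciphers and hashes (weakened, not broken, by a CRQC) and the NIST
# post-quantum algorithms (FIPS 203/204/205 names) are not migration targets.
NOT_URGENT = {"AES-128", "AES-256", "SHA-256", "SHA-384", "HMAC-SHA256",
              "ML-KEM", "ML-DSA", "SLH-DSA"}
# Assumed weights for how much a compromise of each data class would hurt.
DATA_WEIGHT = {"public": 0, "internal": 1, "pii": 2, "classified": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str         # public-key or symmetric primitive in use
    key_bits: int
    data_class: str        # key into DATA_WEIGHT
    protection_years: int  # how long the protected data (or signed artifact) must stay trustworthy
    vendor: str            # supplier to engage about PQC support


def classify(asset: Asset) -> str:
    """'vulnerable', 'not-urgent', or 'unknown-review' for anything not on either list."""
    if asset.algorithm in QUANTUM_VULNERABLE:
        return "vulnerable"
    if asset.algorithm in NOT_URGENT:
        return "not-urgent"
    return "unknown-review"


def hndl_exposed(asset: Asset, crqc_horizon_years: int = 10,
                 migration_years: int = 3) -> bool:
    """Simplified Mosca-style test: if the data must stay protected for longer
    than the time left before a CRQC arrives, minus the time migration itself
    takes, traffic recorded today can be decrypted while it still matters.
    The horizon and migration figures are assumptions, not the factsheet's."""
    return (classify(asset) == "vulnerable"
            and asset.protection_years + migration_years > crqc_horizon_years)


def priority(asset: Asset, **horizon) -> int:
    """Higher means migrate sooner; 0 means the asset is not quantum-vulnerable."""
    if classify(asset) != "vulnerable":
        return 0
    score = 1 + DATA_WEIGHT.get(asset.data_class, 1)
    if hndl_exposed(asset, **horizon):
        score += 3  # harvest-now-decrypt-later exposure dominates the ranking
    return score


def build_roadmap(assets: List[Asset]) -> List[Tuple[int, Asset]]:
    """Quantum-vulnerable assets, highest priority first (ties broken by name)."""
    ranked = [(priority(a), a) for a in assets if classify(a) == "vulnerable"]
    ranked.sort(key=lambda item: (-item[0], item[1].name))
    return ranked


def vendor_engagement_list(assets: List[Asset]) -> List[str]:
    """Vendors to ask about PQC roadmaps: those supplying a vulnerable asset."""
    return sorted({a.vendor for a in assets if classify(a) == "vulnerable"})


def algorithm_summary(assets: List[Asset]) -> Dict[str, int]:
    """Assets per algorithm, to show the breadth of public-key reliance."""
    counts: Dict[str, int] = {}
    for a in assets:
        counts[a.algorithm] = counts.get(a.algorithm, 0) + 1
    return counts


# Constructed sample inventory (names, vendors and figures are made up).
SAMPLE_INVENTORY = [
    Asset("vpn-gateway",        "ECDH",    256,  "internal", 2,  "ExampleNet"),
    Asset("hr-records-archive", "RSA",     2048, "pii",      25, "ExampleHR"),
    Asset("public-website-tls", "ECDSA",   256,  "public",   0,  "ExampleWeb"),
    Asset("backup-encryption",  "AES-256", 256,  "pii",      25, "ExampleStor"),
    Asset("code-signing",       "RSA",     3072, "internal", 10, "ExampleBuild"),
]

if __name__ == "__main__":
    for score, asset in build_roadmap(SAMPLE_INVENTORY):
        flag = "yes" if hndl_exposed(asset) else "no"
        print(f"{score:2d}  {asset.name:20s} {asset.algorithm:6s} HNDL={flag:3s} vendor={asset.vendor}")
    print("vendors to engage:", vendor_engagement_list(SAMPLE_INVENTORY))
    print("algorithms in use:", algorithm_summary(SAMPLE_INVENTORY))
```

With the assumed figures, the 25-year HR archive behind RSA ranks first even though the VPN gateway is the more exposed network service, because its data outlives the assumed CRQC horizon; the AES-256 backup never enters the roadmap, and any algorithm the script does not recognise is flagged for manual review rather than silently treated as safe.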
“The time is already running short on putting in place systems to secure our classic computers,” ONCD’s Director for Budget and Assessment, Dylan Presman, said in February. “We know that foreign adversaries plan and are currently collecting encrypted data from public and private entities with plans to decrypt it later when they have access to a sufficiently developed quantum computer.”
“It’s what’s called harvest now, decrypt later,” he said.
Presman said that after agencies submit their prioritized list of systems that need to migrate to post-quantum cryptography by May 4, they will be expected to develop a plan to do so.