The majority of Federal agencies are still in the early stages of transitioning to post-quantum cryptography (PQC), with only seven percent of agencies saying they have a formal PQC plan and project team in place, according to research out today by GDIT.
GDIT’s new research study, “Quantum Waves: Agency Guide to PQC,” conducted in partnership with IBM, surveyed 200 senior cybersecurity experts across the Federal government in July and August 2024.
Half of the respondents surveyed are developing strategies for PQC readiness, yet many still lack clear roadmaps or dedicated resources, GDIT said. While 22 percent are engaged in pilot projects and 12 percent are preparing the workforce, nearly one in five said PQC initiatives are not currently a priority.
Despite this, GDIT’s VP of Cyber Matthew McFadden and the company’s Senior Director of Emerging Technology Tim Gilday told reporters that the results of the survey are “fairly hopeful.”
The National Institute of Standards and Technology (NIST) released its first three PQC encryption algorithms for immediate use on Aug. 13, after GDIT’s PQC readiness survey had already been administered. The company’s top officials said they expect the release of NIST’s finalized algorithms to be a “forcing function to accelerate [PQC] even more.”
The report’s first recommendation to agencies involves establishing a formal PQC strategy that includes budget allocation and a dedicated project team to monitor progress. In August, the White House estimated that Federal agencies will need $7.1 billion to transition to PQC over the next 10 years.
“A governance team is essential for overseeing this ongoing effort,” the report’s recommendation says.
According to the report, 48 percent of respondents identified legacy systems as a significant barrier to achieving PQC readiness. “Agencies should focus on a remediation strategy for legacy systems, exploring bolt-on solutions as interim measures, until these systems can be modernized to meet PQC standards,” the report recommends.
GDIT made four additional recommendations to agencies based on its findings:
- Empower the workforce with PQC expertise;
- Prioritize cryptographic discovery;
- Assess and prioritize cryptographic risks; and
- Manage cryptography with the right tools.
The Biden-Harris administration began its focus on a post-quantum future with the release of its National Security Memorandum 10 – Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems – in May 2022.
The document calls for the transition of cryptographic systems to quantum-resistant cryptography by 2035.