The Shift to Post-Quantum Cryptography
Contractors for the federal government must stay up to date on evolving technologies and security problems. One such critical development is the move to post-quantum cryptography (PQC). The "Report on Post-Quantum Cryptography," required by the Quantum Computing Cybersecurity Preparedness Act, describes the Federal Government's strategy for transitioning to PQC to protect information systems from future quantum attacks. This change is necessary because quantum computers have the ability to break present cryptographic methods, posing serious threats to national security and data integrity.
The report outlines a thorough strategy for this transition, highlighting the importance and complexity of the migration. Under the leadership of the Biden-Harris Administration, the Federal Government intends to make great progress in PQC adoption, guided by the requirements of National Security Memorandum 10 (NSM-10). Quantum computers show enormous promise in a variety of sectors, but their ability to break existing cryptographic systems requires a proactive strategy to protect federal information systems.
The transition to PQC is based on four key principles. First and foremost, it is critical to have a comprehensive and up-to-date cryptographic inventory. This inventory establishes a baseline for identifying and prioritizing quantum-vulnerable devices and data. Automated cryptographic inventory solutions, as recommended by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), can help speed up the process, although manual inventories are still required for thoroughness.
Second, the threat of "record-now-decrypt-later" attacks requires that the transition to PQC begin before the introduction of a cryptanalytically relevant quantum computer (CRQC). Malicious actors could collect and store encrypted data today and decrypt it once CRQCs are operational, compromising data that was previously assumed to be secure. This scenario emphasizes the importance of taking prompt steps to establish PQC, which ensures long-term security against prospective quantum attacks.
Third, agencies should prioritize systems and data for PQC migration. The first priority should be to protect high-impact information systems, high-value assets, and particularly vulnerable systems. This prioritization ensures that vital data and functions receive the most timely protection against quantum-based attacks. Agencies must also constantly reassess their priorities and timeframes in order to respond to changing threats and technological breakthroughs.
Fourth, identifying systems that cannot support PQC early on in the process is critical to avoiding migration delays. Some legacy systems may lack the ability to integrate new encryption methods. Replacing or modernizing these systems will be a costly task that necessitates meticulous planning and long-term investment.
The report also discusses the financial requirements for this transition. The Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD), in collaboration with CISA and the National Institute of Standards and Technology (NIST), estimate that moving prioritized information systems to PQC will cost around $7.1 billion between 2025 and 2035. These estimates will be revised on an annual basis to reflect new data and improved methodology.
NIST is crucial in the development and standardization of PQC algorithms. Since 2016, NIST has overseen an open process for evaluating and selecting secure and standardized PQC algorithms. This process involves considerable collaboration with international cryptographers and security researchers to ensure the algorithms' robustness and compatibility. The Cryptographic Module Validation Program (CMVP), a collaboration between NIST and the Canadian Centre for Cyber Security, ensures that these algorithms are properly implemented and work as intended.
The NIST National Cybersecurity Center of Excellence (NCCoE) has also launched a project to investigate the best methods for PQC migration. This project seeks to provide agencies with guidance on cryptographic discovery, compatibility, and performance testing, allowing for a simpler transition to PQC.
Contractors can better prepare for the future of quantum computing by learning about and participating in the Federal Government's PQC plan. This proactive approach not only reduces possible risks, but also positions contractors to support the government's goal of protecting key information systems from emerging threats.