6 months to go! White House orders federal civilian agencies to kick off their ‘post-quantum’ encryption migration work by May 4, 2023
US Federal agencies must produce an annual risk-based inventory of high-value, high-impact systems, by May 4, 2023. Designate a leading officer by December 18, 2022.
Quantum computing, once viewed as a futuristic technology that would change
everything, if it ever moved from the fantastical to the practical, is a reality
of our times. As we progress through a Quantum Decade, the decade when enterprises
begin to see business value from quantum computing, it is also high time for
organizations to begin considering information security in this new era.
There are massive amounts of sensitive information managed and stored
online in the cloud or on connected servers and the amount of data created
daily is only growing. A lot of this information requires encryption to keep it
confidential or protected, but also for maintaining data integrity,
authentication, and non-repudiation. But just as modern encryption algorithms
have replaced the outdated Data Encryption Standard to protect data, so will
Quantum Cryptography end up replacing the current-day ciphers. This is now also
known as the era of Post-Quantum Cryptography, or PQC. With this reality in view,
governments are taking preparatory steps to secure systems in a world where
quantum computers will easily break today’s encryption schemes, rendering them
obsolete over time.
Federal Agencies Go First
While the standards for post-quantum cryptography are still being finalized by the NIST, an anticipated transition to PQC is quickly approaching, and first
in line are American federal agencies.
After federal agencies were asked to get on a Zero Trust journey to better their
security posture, the U.S. Office of Management and Budget (OMB) has provided them
with preparatory steps for a PQC future. These include preparing an inventory of
the active cryptographic systems the agencies have in use.
What is being targeted at this time is:
1. Prioritizing assets that are either high value or high impact
2. Systems that will become a vulnerable target to an attack via a
cryptanalytically relevant quantum computer (CRQC)
This inventory should be submitted by May 4, 2023, and a leading officer for the
overall project should be designated within 30 days of the release of the
executive order, which was published on Nov. 18, 2022.
Further instructions on how to collect and transmit the required inventory are to
be expected in February 2023, and annually thereafter. These will include a
procedure and a tool that agencies can use so that the result is more uniform
across the board.
Moving Fast
This initiative is moving fast because quantum computing is maturing
quickly and the eventuality of breaking current-day encryption is imminent.
Threat actors, nation state attackers and cybercriminals alike, are awaiting
the breaking point and the threat to information security can be highly
impactful to digitized systems, data, and many types of communications across all sectors.
Many times, business leaders fail to understand the urgency of the
situation and the high-stakes requirement to prepare.
A Timeline View
Within 30 days from Nov. 18, 2022
- Designate a leading officer to coordinate the migration vis-à-vis the OMB
- Expect to see a cryptographic migration working group created for coordination
  and support in the migration process
Within 60 days from Nov. 18, 2022
- Expect the release of an information exchange mechanism to enable sharing of
  PQC testing information and best practices among agencies as well as with
  private sector partners
Within 90 days from Nov. 18, 2022
- Receive procedure and tool to inventory systems from ONCD. Expect annual updates.
- Receive procedure for submitting annual funding assessment and the collection
  of the funding. Expect annual updates.
Within 1 year from Nov. 18, 2022
- Expect a strategy document on using automated tooling and support to discover
  systems and data for the PQC migration
By May 4th, 2023
- Submit first inventory of cryptographic systems
- Prepare to submit inventory annually until May 2035
30 Days from May 4, 2023
- Submit funding assessment for the migration for the following fiscal year
- Prepare to submit funding assessment annually
More to Come
With little time left to begin, agencies are looking at a long-term transition
process designed to migrate cryptographic systems to quantum-resistant
cryptography by 2035. The goal: laying the groundwork for mitigating quantum
risk in the coming decades to keep data encrypted and secure for the foreseeable
future.
To that effect, the NIST held a competition that yielded some quantum-safe encryption tools,
While federal agencies are urged to start now, all organizations collecting
and processing data that should remain encrypted over time would be advised to
begin the process as well. Between now and 2035, I expect to see most
organizations rely on the standards and best practices that will be derived
from this first group of organizations’ experiences.
To read the Executive Order, click
here.