6 months to go! White House orders federal civilian agencies to kick off their ‘post-quantum’ encryption migration work by May 4, 2023

US federal agencies must produce an annual risk-based inventory of high-value, high-impact systems by May 4, 2023. Designate a leading officer by December 18, 2022.

Quantum computing, once viewed as a futuristic technology that would change everything, if it ever moved from the fantastical to the practical, is a reality of our times. As we progress through a Quantum Decade, the decade when enterprises begin to see business value from quantum computing, it is also high time for organizations to begin considering information security in this new era.

Massive amounts of sensitive information are managed and stored online, in the cloud or on connected servers, and the amount of data created daily is only growing. Much of this information requires encryption to keep it confidential or protected, but also to maintain data integrity, authentication, and non-repudiation. But just as modern encryption algorithms have replaced the outdated Data Encryption Standard to protect data, so will Quantum Cryptography end up replacing current-day ciphers. This is now also known as the era of Post-Quantum Cryptography, or PQC. With this reality in view, governments are taking preparatory steps to secure systems in a world where quantum computers will easily solve today’s encryption schemes, rendering them obsolete over time.



Federal Agencies Go First

While the standards for post-quantum cryptography are still being finalized by NIST, an anticipated transition to PQC is quickly approaching, and first in line are American federal agencies.

After being asked to get on a Zero Trust journey to better their security posture, agencies have now been given preparatory steps for a PQC future by the U.S. Office of Management and Budget (OMB). These include preparing an inventory of the active cryptographic systems the agencies have in use.

What is being targeted at this time is:

1. Prioritizing assets that are either high value or high impact

2. Systems that will become a vulnerable target to an attack via a cryptanalytically relevant quantum computer (CRQC)

This inventory should be submitted by May 4, 2023, and a leading officer for the overall project should be designated within 30 days of the release of the executive order, which was published on Nov. 18, 2022.

Further instructions on how to collect and transmit the required inventory are to be expected in February 2023, and annually thereafter. These will include a procedure and a tool that agencies can use so that the result is more uniform across the board.

Moving Fast

This initiative is moving fast because quantum computing is maturing quickly and the eventuality of breaking current-day encryption is imminent. Threat actors, nation-state attackers and cybercriminals alike, are awaiting the breaking point, and the threat to information security can be highly impactful to digitized systems, data, and many types of communications across all sectors.

Many times, business leaders fail to understand the urgency of the situation and the high-stakes requirement to prepare.

A Timeline View

Within 30 days from Nov. 18, 2022

- Designate a leading officer to coordinate the migration vis-à-vis the OMB

- Expect to see a cryptographic migration working group created for coordination and support in the migration process

Within 60 days from Nov. 18, 2022

- Expect the release of an information exchange mechanism to enable sharing of PQC testing information and best practices among agencies as well as with private sector partners

Within 90 days from Nov. 18, 2022

- Receive procedure and tool to inventory systems from ONCD. Expect annual updates.

- Receive procedure for submitting annual funding assessment and the collection of the funding. Expect annual updates.

Within 1 year from Nov. 18, 2022

- Expect a strategy document on using automated tooling and support to discover systems and data for the PQC migration

By May 4, 2023

- Submit first inventory of cryptographic systems

- Prepare to submit inventory annually until May 2035

30 days from May 4, 2023

- Submit funding assessment for the migration for the following fiscal year

- Prepare to submit funding assessment annually

More to Come

With little time left to begin, agencies are looking at a long-term transition process designed to migrate cryptographic systems to quantum-resistant cryptography by 2035. The goal: laying the groundwork for mitigating quantum risk in the coming decades to keep data encrypted and secure for the foreseeable future.

To that effect, NIST held a competition that yielded some quantum-safe encryption tools, ones designed to withstand the potential assault of a future quantum computer. Four of the selected quantum-safe encryption algorithms will become part of NIST’s post-quantum cryptographic standard, expected to be finalized around 2024.

While federal agencies are urged to start now, all organizations collecting and processing data that should remain encrypted over time would be advised to begin the process as well. Between now and 2035, I expect to see most organizations rely on the standards and best practices that will be derived from this first group of organizations’ experiences.

To read the Executive Order, click here.

