The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) have published new guidance to encourage organizations to begin early planning for post-quantum cryptography migration.
Titled Quantum-Readiness: Migration to Post-Quantum Cryptography (PDF), the document details the impact of quantum capabilities and urges organizations – especially those in critical infrastructure – to create quantum-readiness roadmaps, conduct inventories, assess risks, and start engaging with vendors.
Following a White House memo and a CISA alert on quantum computing risks, the new guidance comes in anticipation of NIST’s post-quantum cryptographic (PQC) standards, expected to be released in 2024.
“Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation,” the guidance reads.
According to the document, existing cryptographic products, protocols, and services, which rely on public key algorithms, will likely be updated or replaced to become quantum-resistant and protect against future threats.
CISA, NSA, and NIST encourage organizations to proactively prepare for migrating to products that adhere to post-quantum cryptographic standards and to implement measures to reduce the risks posed by a ‘cryptanalytically-relevant quantum computer’ (CRQC).
“While the PQC standards are currently in development, the authoring agencies encourage organizations to create a quantum-readiness roadmap by first establishing a project management team to plan and scope the organization’s migration to PQC,” the document reads.
Quantum-readiness project teams, the guidance notes, should assess an organization’s reliance on quantum-vulnerable cryptography, such as those performing operations related to digital signatures, including software and firmware updates, and then begin the quantum risk assessment processes and vendor engagement.
“Organizations are often unaware of the breadth of application and functional dependencies on public-key cryptography that exist within the products, applications, and services widely deployed within their operational environments, leading to a lack of visibility. The project team should lead the creation of such an inventory,” CISA, NSA, and NIST note.
The three agencies encourage manufacturers and vendors of products that use quantum-vulnerable cryptography to review the NIST-published draft PQC standards and prepare themselves to support PQC as soon as the standards are finalized.
Related: IBM Delivers Roadmap for Transition to Quantum-safe Cryptography
Related: News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
Related: Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse