US Government Publishes Guidance on Migrating to Post-Quantum Cryptography

CISA, NSA, and NIST urge organizations to create quantum-readiness roadmaps and prepare for post-quantum cryptography migration.

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) have published new guidance to encourage organizations to begin early planning for post-quantum cryptography migration.

Titled Quantum-Readiness: Migration to Post-Quantum Cryptography (PDF), the document details the impact of quantum capabilities and urges organizations – especially those in critical infrastructure – to create quantum-readiness roadmaps, conduct inventories, assess risks, and start engaging with vendors.

Following a White House memo and a CISA alert on quantum computing risks, the new guidance comes in anticipation of NIST’s post-quantum cryptographic (PQC) standards, expected to be released in 2024.

“Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation,” the guidance reads.

According to the document, existing cryptographic products, protocols, and services, which rely on public key algorithms, will likely be updated or replaced to become quantum-resistant and protect against future threats.

CISA, NSA, and NIST encourage organizations to proactively prepare for migrating to products that adhere to post-quantum cryptographic standards and to implement measures to reduce the risks posed by a ‘cryptanalytically-relevant quantum computer’ (CRQC).

“While the PQC standards are currently in development, the authoring agencies encourage organizations to create a quantum-readiness roadmap by first establishing a project management team to plan and scope the organization’s migration to PQC,” the document reads.

Quantum-readiness project teams, the guidance notes, should assess the organization's reliance on quantum-vulnerable cryptography, such as in systems that perform operations related to digital signatures (including software and firmware updates), and then begin the quantum risk assessment process and vendor engagement.

“Organizations are often unaware of the breadth of application and functional dependencies on public-key cryptography that exist within the products, applications, and services widely deployed within their operational environments, leading to a lack of visibility. The project team should lead the creation of such an inventory,” CISA, NSA, and NIST note.

The three agencies encourage manufacturers and vendors of products that use quantum-vulnerable cryptography to review the NIST-published draft PQC standards and prepare themselves to support PQC as soon as the standards are finalized.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
