US Government Publishes Guidance on Migrating to Post-Quantum Cryptography

CISA, NSA, and NIST urge organizations to create quantum-readiness roadmaps and prepare for post-quantum cryptography migration.

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) have published new guidance to encourage organizations to begin early planning for post-quantum cryptography migration.

Titled Quantum-Readiness: Migration to Post-Quantum Cryptography (PDF), the document details the impact of quantum capabilities and urges organizations – especially those in critical infrastructure – to create quantum-readiness roadmaps, conduct inventories, assess risks, and start engaging with vendors.

Following a White House memo and a CISA alert on quantum computing risks, the new guidance comes in anticipation of NIST’s post-quantum cryptographic (PQC) standards, expected to be released in 2024.

“Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation,” the guidance reads.

According to the document, existing cryptographic products, protocols, and services, which rely on public key algorithms, will likely be updated or replaced to become quantum-resistant and protect against future threats.

CISA, NSA, and NIST encourage organizations to proactively prepare for migrating to products that adhere to post-quantum cryptographic standards and to implement measures to reduce the risks posed by a ‘cryptanalytically-relevant quantum computer’ (CRQC).

“While the PQC standards are currently in development, the authoring agencies encourage organizations to create a quantum-readiness roadmap by first establishing a project management team to plan and scope the organization’s migration to PQC,” the document reads.

Quantum-readiness project teams, the guidance notes, should assess the organization’s reliance on quantum-vulnerable cryptography, such as cryptography used in operations related to digital signatures, including software and firmware updates, and then begin the quantum risk assessment process and vendor engagement.

“Organizations are often unaware of the breadth of application and functional dependencies on public-key cryptography that exist within the products, applications, and services widely deployed within their operational environments, leading to a lack of visibility. The project team should lead the creation of such an inventory,” CISA, NSA, and NIST note.

The three agencies encourage manufacturers and vendors of products that use quantum-vulnerable cryptography to review the NIST-published draft PQC standards and prepare themselves to support PQC as soon as the standards are finalized.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
