To stay ahead of emerging threats, federal agencies must proactively adapt their cryptographic systems to withstand future quantum computing capabilities. This strategy outlines how automated tools can help ensure a smooth and effective transition to post-quantum cryptography.
Why It Matters
The Cybersecurity and Infrastructure Security Agency (CISA) has developed a strategic approach to support Federal Civilian Executive Branch (FCEB) agencies in transitioning to post-quantum cryptography (PQC). CISA promulgated this strategy in a document titled “Strategy for Migrating to Automated Post-Quantum Cryptography Discovery and Inventory Tools”. The threat posed by cryptographically-relevant quantum computers (CRQCs) demands proactive measures to protect cryptographic systems. (We’ve been reporting on the need for migrating to the post-quantum world for quite a while.) This strategy helps agencies assess their progress toward PQC adoption by using automated tools that inventory and identify quantum-vulnerable cryptographic assets. The implications are significant: quantum computing advancements could potentially break widely used encryption algorithms, posing risks to critical federal data. This strategy helps mitigate those risks and ensures preparedness for a post-quantum future.
Key Points
- Purpose: The strategy aims to help FCEB agencies assess their progress toward PQC adoption. Automated cryptography discovery and inventory (ACDI) tools are central to this effort.
- Background: National Security Memorandum 10 and OMB Memorandum 23-02 emphasize the urgency of transitioning to PQC to counter future threats posed by quantum computers. The strategy aligns with these directives, focusing on safeguarding cryptographic systems crucial for national security.
- Goals: Key objectives include using ACDI tools to create comprehensive cryptographic inventories, integrating these tools with Continuous Diagnostics and Mitigation (CDM) programs, and reducing resource demands through automation.
- Approach: Agencies are instructed to collect inventory data using three methods: automated tools like ACDI, existing CDM capabilities, and manual collection where needed. CyberScope remains the primary tool for reporting cryptographic assets and vulnerabilities.
- Ongoing Research: There are still uncertainties regarding the detection capabilities of current automated tools, particularly for embedded cryptographic algorithms. CISA collaborates with NIST and industry partners to advance tool capabilities and refine inventory methodologies.
What’s Next
The timeline for migrating to PQC spans several years. Initial steps include a pilot program to integrate ACDI tools with CDM capabilities, followed by ongoing assessments and updates to CyberScope and other reporting mechanisms. Agencies are expected to begin deployment of updated tools as they become available, with full migration efforts extending into the late 2020s. CISA will continue monitoring progress and offer support to agencies struggling with the transition.
Further Reading
For detailed guidance on implementing PQC and CISA’s recommendations, refer to the NIST Special Publication (SP) 1800-38.
About the Author
Bob Gourley
Bob Gourley is an experienced Chief Technology Officer (CTO), Board Qualified Technical Executive (QTE), author and entrepreneur with extensive past performance in enterprise IT, corporate cybersecurity and data analytics. He is CTO of OODA LLC, a unique team of international experts that provides board advisory and cybersecurity consulting services. OODA publishes OODALoop.com. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.