The White House is encouraging agencies to work with software vendors to test out quantum-resistant cryptographic algorithms on their web browsers, enterprise devices, and other IT systems, as part of the Biden administration’s approach to preparing for a post-quantum world.
The Office of Management and Budget in a Nov. 18 memo sets out new deadlines and guidance for agencies to prepare for quantum computers capable of breaking current encryption techniques that protect data and information systems.
While such a computer is only conceptual, national security leaders are concerned that U.S. adversaries could make one a reality over the next decade. There are also concerns that encrypted data stolen today could be decrypted by a quantum computer in the future. In a May national security memorandum, President Joe Biden directed federal leaders to begin preparing for post-quantum cryptographic systems.
“A potential quantum computer by an adversary country is really a nuclear threat to cybersecurity, because the underpinning cryptography relies on a math principle that potentially a quantum computer could break,” Deputy National Security Advisor Anne Neuberger said at an event hosted by the Aspen Institute in July.
The National Institute of Standards and Technology earlier this year identified a first batch of four encryption algorithms that will become a part of NIST’s post-quantum cryptographic standard. NIST expects to finalize the standard by 2024.
While post-quantum cryptography (PQC) tools are still under development, OMB’s memo directs the Cybersecurity and Infrastructure Security Agency, along with other agencies, to work with companies to help advance their progress.
“The testing of pre-standardized PQC in agency environments will help to ensure that PQC will work in practice before NIST completes PQC standards and commercial implementations are finalized,” the memo states. “Agencies, particularly CISA, are encouraged to work with software vendors to identify candidate environments, hardware, and software for the testing of PQC.”
Agencies could test out these new encryption techniques in a range of environments, including web browsers, content delivery networks, cloud service providers, devices and endpoints, and “enterprise devices that initiate or terminate encrypted traffic,” the memo states.
“To ensure that tests are representative of real-world conditions, they may be conducted, or allowed to operate, in production environments, with appropriate monitoring and safeguards, alongside the use of current approved and validated algorithms,” the memo continues. “In many cases, the test may be conducted by the vendor across many customers or end users, and agencies are encouraged to participate in these tests.”
Over the next 60 days, NIST, CISA, and the FedRAMP Program Management Office — which supports the federal cloud security authorization process — will work to “enable the exchange of PQC testing information and best practices among agencies as well as with private sector partners,” the memo states.
Deadlines and funding
The OMB memo directs agencies to inventory, by May 4, 2023, their information systems that are potentially susceptible to quantum computers capable of breaking encryption. The lists will be submitted to the White House Office of the National Cyber Director, as well as to CISA.
“Initially, agencies should focus their inventory on their most sensitive systems,” the memo states. “OMB expects to direct inventory by agencies of systems or assets not in the above scope through future guidance on Federal Information System Modernization Act of 2014 requirements. At this point in time, those systems need not be included in the inventory submitted to ONCD and CISA.”
Agencies have 30 days to designate an official as the lead for “cryptographic inventory and migration” issues.
The Office of the National Cyber Director along with OMB, CISA and FedRAMP will release further instructions on the collection and transmission of the inventory in 90 days. CISA and the NSA will also evaluate whether a security classification guide is needed to further help with the inventory process.
Agencies also have just 30 days to submit to the White House an assessment of the funding required to migrate systems to post-quantum cryptography.
CISA, the NSA and NIST will also spend the next year developing a strategy on “automated tooling and support” for agency assessments of their progress toward adopting post-quantum cryptography.
“This strategy is expected to address discovery options for internet-accessible information systems or assets, as well as internal discovery of information systems or assets that are not internet-accessible,” the memo states. “Discovery methods will support open-source software tools and use existing CISA or agency capabilities, such as Continuous Diagnostics and Mitigation (CDM), where feasible. The strategy will also describe the limitations of available assessment methods, as well as any gaps in automated capabilities or tools.”