White House to require post-quantum encryption plans from agencies

Agencies will need to begin implementing new post-quantum cryptographic standards in what's expected to be a decade-long, $7 billion transition.

The White House Office of Management and Budget will soon direct agencies to map out plans for adopting post-quantum encryption to protect their most sensitive systems and data.

Federal Chief Information Office Clare Martorana said the new guidance will help agencies begin to adopt new cryptographic standards from the National Institute of Standards and Technology.

“We will be releasing guidance directing agencies to develop a prioritized migration plan to ensure that the most sensitive systems come first,” Martorana said during an event hosted by the White House today. “We can’t do it alone. It’s critical that we continue to foster robust collaboration and knowledge sharing between public and private sectors, which is why conversations like the one we’re having today are so incredibly critical.”

NIST earlier today released three finalized post-quantum encryption standards. The algorithms are the first completed standards under NIST’s post-quantum cryptography standardization project. NIST launched the effort eight years ago. Officials are continuing to evaluate two other sets of algorithms that could serve as backup standards.

NIST officials said the three standards are ready for immediate use.

“There is no need to wait for future standards,” NIST mathematician Dustin Moody said in a statement. “Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event.”

Agencies are starting the shift to post-quantum cryptography, even though a quantum computer capable of breaking current encryption is not yet known to exist. But officials say hackers could steal encrypted data in bulk today and save it to be decrypted by a quantum computer in the future.

“What’s the data that you’d care about if an adversary could use a quantum computer in nine or 10 years to decrypt it?” Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger said at the White House event today. “We have lots of that in the intelligence community. We have lots of that in our Department of Defense, and as such, ensuring that collect now, decrypt later can be addressed is something that’s a priority for us.”

In a report released last week, OMB estimated the government-wide transition to post-quantum cryptography will cost $7.1 billion between 2025 and 2035. The estimate does not include classified systems run by DoD and intelligence agencies.

“This initial projection reflects a high, but expected, level of uncertainty associated with the inventory and transition to PQC,” the report states. “Agencies are required to update their cost estimates annually to allow for adjustments as they gain familiarity with the inventories, costing methodologies, and the transition process. Initial cost estimates represent a rough order of magnitude rather than precise calculations.”

The White House in 2022 directed agencies to begin inventorying their sensitive IT systems that could be susceptible to a cryptographically relevant quantum computer. Martorana said agencies have also been identifying systems that can’t support post-quantum cryptography so they can be replaced.

“Replacing hardware, software and digital systems that are not PQC compliant will likely be a time and resource intensive process,” Martorana said. “But the good news is that many of these modernizations are already underway across the federal government as part of the national cybersecurity strategy implementation effort.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    cyber, EPA, Water Contamination Nitrates Oregon

    EPA fosters IT resilience through cloud, integrated teams, automation tools

    Read more
    Getty Images/iStockphoto/cybrainCloud Computing

    CISA directs agencies to find, fix cloud security misconfigurations

    Read more