On August 21, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”), National Security Agency (“NSA”), and National Institute of Standards and Technology (“NIST”) issued a joint quantum-readiness factsheet (the “Factsheet”) to inform organizations—particularly those that support critical infrastructure sectors—about quantum computing threats and to urge these organizations to begin planning for future migration to post-quantum cryptographic (“PQC”) standards.  CISA, NSA and NIST are part of a government-wide effort to prepare for the development of quantum computers that could break today’s widely used public-key algorithms in a short period of time—which the Factsheet refers to as “cryptanalytically-relevant quantum computers” or “CRQCs”.  The Factsheet provides several recommendations for organizations, including that such organizations should establish a “quantum-readiness roadmap” to prepare for the migration to PQC standards; create a “cryptographic inventory” of the cryptography within the products, applications, and services used by the organization; and engage with the organizations’ technology vendors about the vendors’ plans for quantum-readiness. 

Quantum-Readiness Roadmap

The Factsheet urges organizations to establish a “quantum-readiness roadmap” that will prepare the organizations for the migration to PQC standards, which the Factsheet notes are currently under development by NIST and slated for release in 2024.  The Factsheet suggests that entities can begin by establishing a project management team to plan and scope the organization’s migration to PQC and by identifying the organization’s reliance on quantum-vulnerable cryptography, such as systems and assets that depend on existing digital signature standards.  The Factsheet notes that this “cryptographic inventory,” which is discussed further below, will enable the organization to identify and prioritize the systems that will need to migrate to PQC in the future and to assess the potential risks that CRQCs may present to the organization. 

Cryptographic Inventory

The Factsheet explains that, when prepared, an organization’s cryptographic inventory serves multiple purposes.  For example, according to the Factsheet, organizations are often unaware of the breadth of, and their functional dependency on, quantum-vulnerable public-key cryptography within the products, applications, and services that they use.  A cryptographic inventory provides visibility, supports risk assessment efforts, and facilitates engaging vendors to address potential supply chain risks.  The Factsheet also notes that a cryptographic inventory will help an organization transition to a zero trust architecture, identify data that is accessible from outside its operational environment, and inform what data protected by existing cryptography could be targeted and decrypted when CRQCs become viable.

The Factsheet provides several recommendations for how to develop the cryptographic inventory.  For example, the Factsheet suggests that organizations can use discovery tools to look for vulnerable algorithms in their Information Technology (“IT”) and Operational Technology (“OT”) environments, including algorithms used in network protocols, assets on end user systems and servers, and in the organization’s continuous integration/continuous delivery (“CI/CD”) development pipeline.  The Factsheet recommends that the cryptographic inventory should also identify when and where quantum-vulnerable cryptography is used to protect the organization’s most sensitive and critical data, as well as identify estimates for how long those data need to be protected.
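As an added illustration of what one row of such an inventory can look like (example code written for this summary, not material from the Factsheet or from any of the agencies), the following Python script takes discovery output modelled as OpenSSH public-key lines of the kind found in authorized_keys files, known_hosts files and CI/CD deploy-key settings, reads the algorithm and key size from the key blob itself, marks the algorithm as quantum-vulnerable or not, and assigns a migration priority from an estimate of how long the protected asset must remain trusted. The CRQC planning horizon, the priority rule, the asset names and the key blobs are all assumptions constructed for the example; the blobs are syntactically valid but are not real keys.

```python
"""Toy cryptographic-inventory builder (example added here, not from the Factsheet).

Input: OpenSSH public-key lines as a discovery tool might collect them from
servers, end-user systems and CI/CD pipelines.  Output: inventory records with
algorithm, key size, quantum status and a migration priority.  Standard library only.
"""
import base64
import struct
from dataclasses import dataclass

# Planning horizon in years until a CRQC is assumed possible.  Chosen for
# illustration only; the Factsheet gives no such figure.
ASSUMED_YEARS_TO_CRQC = 10

# OpenSSH key types whose security rests on factoring or discrete logarithms
# (RSA, DSA, ECDSA, EdDSA).  All are broken by Shor's algorithm on a CRQC.
QUANTUM_VULNERABLE = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length prefix + bytes)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def parse_openssh_pubkey(line):
    """Return (key_type, key_bits) for one OpenSSH public-key line.

    The key type is read from the base64 blob, not trusted from the text prefix:
    a mislabeled line is rejected rather than inventoried under the wrong algorithm.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    blob = base64.b64decode(parts[1])
    raw_type, off = _read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type != parts[0]:
        raise ValueError(f"prefix {parts[0]!r} does not match blob type {key_type!r}")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent e (mpint)
        n, off = _read_string(blob, off)    # modulus n (mpint, may carry a 0x00 sign byte)
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])   # curve size is in the name
    elif key_type == "ssh-ed25519":
        bits = 256
    else:
        bits = 0                            # unrecognised type: inventoried, size unknown
    return key_type, bits


@dataclass
class InventoryRecord:
    asset: str              # where the key was found (host, repo, pipeline)
    role: str               # host key, deploy key, user key, ...
    algorithm: str
    key_bits: int
    quantum_vulnerable: bool
    protect_years: int      # how long what this key protects must stay trusted
    priority: str           # "high", "normal" or "review"


def build_record(asset, role, pubkey_line, protect_years):
    """Turn one discovered key into an inventory record with a migration priority.

    Rule (an assumption for this example): a quantum-vulnerable key that must
    still be relied on beyond the assumed CRQC horizon is "high"; shorter-lived
    uses are "normal"; an unrecognised algorithm gets "review", not a free pass,
    because no OpenSSH public-key type in this table is post-quantum.
    """
    algorithm, bits = parse_openssh_pubkey(pubkey_line)
    vulnerable = algorithm in QUANTUM_VULNERABLE
    if not vulnerable:
        priority = "review"
    elif protect_years >= ASSUMED_YEARS_TO_CRQC:
        priority = "high"
    else:
        priority = "normal"
    return InventoryRecord(asset, role, algorithm, bits, vulnerable, protect_years, priority)


# --- constructed sample input: synthetic blobs, not real keys -------------------
def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))  # leading byte keeps sign clear


def synthetic_key_line(key_type, bits=2048):
    """Build a syntactically valid OpenSSH line around a fake, non-functional key."""
    if key_type == "ssh-rsa":
        blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    elif key_type.startswith("ecdsa-sha2-nistp"):
        curve = key_type[len("ecdsa-sha2-"):]
        blob = _string(key_type.encode()) + _string(curve.encode()) + _string(b"\x04" + bytes(64))
    else:
        blob = _string(b"ssh-ed25519") + _string(bytes(32))
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


SAMPLE_FINDINGS = [  # (asset, role, key line, years the protected asset must stay trusted)
    ("build-runner-01", "deploy key", synthetic_key_line("ssh-rsa", 2048), 3),
    ("plc-gateway-07", "host key", synthetic_key_line("ecdsa-sha2-nistp256"), 15),
    ("laptop-fleet", "user key", synthetic_key_line("ssh-ed25519"), 2),
]


def inventory(findings=SAMPLE_FINDINGS):
    """Build the inventory, highest migration priority first."""
    order = {"high": 0, "normal": 1, "review": 2}
    return sorted((build_record(*f) for f in findings), key=lambda r: order[r.priority])


if __name__ == "__main__":
    for r in inventory():
        print(f"{r.priority:6} {r.asset:16} {r.role:10} {r.algorithm} ({r.key_bits} bits) "
              f"vulnerable={r.quantum_vulnerable} protect={r.protect_years}y")
```

The long-lived OT host key lands at the top of the list even though its key size is fine by today’s standards, which is the point the Factsheet makes about industrial control systems and long-term protection needs: the inventory has to carry a lifetime estimate alongside the algorithm, or the prioritization cannot be made.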

Vendor Engagement

The Factsheet also provides steps that organizations and their vendors should take to address PQC adoption.  Specifically, the Factsheet encourages organizations to engage with their vendors about the vendors’ quantum-readiness roadmaps, and to start considering updates to vendor contracts to ensure that older products used by the organization will be upgraded with PQC and that new products will have PQC built in.  The Factsheet further encourages vendors to review the NIST-published draft PQC standards to begin planning and testing for integration and to be prepared to support PQC as soon as possible after the NIST standards become final.

Supply Chain

Finally, the Factsheet outlines a number of considerations related to supply chain risks that the use of quantum-vulnerable cryptography by vendors may present to organizations.  The Factsheet recommends that organizations:  (1) prioritize high-impact systems, industrial control systems (“ICS”), and systems with long-term confidentiality needs; (2) identify and develop plans to address quantum-vulnerable cryptography in custom-built technologies, which the Factsheet asserts will likely require the most effort to make quantum-resistant; and (3) engage with vendors to ensure both commercial-off-the-shelf (“COTS”) and cloud-based products supplied by vendors are accounted for in the organizations’ quantum-readiness roadmaps.

Looking Forward

The Factsheet builds on the Quantum Computing Cybersecurity Preparedness Act, enacted in December 2022, which requires the Office of Management and Budget (“OMB”) to issue guidance for U.S. executive branch agencies “on the migration of information technology to post-quantum cryptography,” including a requirement that each agency develop an inventory of quantum-vulnerable cryptography, similar to one of the recommended actions in the Factsheet.  A similar effort to migrate national security systems (including those used by the Department of Defense and Intelligence Community) to PQC is also underway.  The Factsheet signals the U.S. Government’s continued interest in PQC and in the development of strategies to address CRQCs, and suggests that the U.S. Government believes the private sector—particularly owners and operators of critical infrastructure—needs to begin similar preparations.  Additionally, since the March 2022 passage of the Cyber Incident Reporting for Critical Infrastructure Act, the door to regulation of critical infrastructure appears open.  Accordingly, entities within or supporting the critical infrastructure sectors may wish to continue monitoring for further developments in this space, including the forthcoming release of the NIST PQC standards in 2024, and may also wish to begin preparations for PQC now in anticipation of possible future requirements or legislation.

Authors: Caleb Skeath, Moriah Daugherty and John Webster (Web) Leslie, Covington.