On August 21, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”), National Security Agency (“NSA”), and National Institute of Standards and Technology (“NIST”) issued a joint quantum-readiness factsheet (the “Factsheet”) to inform organizations—particularly those that support critical infrastructure sectors—about quantum computing threats and to urge these organizations to begin planning for future migration to post-quantum cryptographic (“PQC”) standards. CISA, NSA and NIST are part of a government-wide effort to prepare for the development of computers that can break existing encryption algorithms in a short period of time—which the Factsheet refers to as “cryptanalytically-relevant quantum computers” or “CRQCs”. The Factsheet provides several recommendations for organizations, including that such organizations should establish a “quantum-readiness roadmap” to prepare for the migration to PQC standards; create a “cryptographic inventory” of the cryptography within the products, applications, and services used by the organization; and engaging with the organizations’ technology vendors about the vendors’ plans for quantum-readiness.
The Factsheet urges organizations to establish a “quantum readiness roadmap” that will prepare the organizations for the migration to PQC standards, which the Factsheet notes are currently under development by NIST and slated for release in 2024. The Factsheet suggests that entities can begin by establishing a project management team to plan and scope the organization’s migration to PQC and begin identifying the organization’s reliance on quantum-vulnerable cryptography, such as systems and assets that depend on existing digital signature standards. The Factsheet notes that this “cryptographic inventory,” which is discussed further below, will enable the organization to identify and prioritize the systems that will need to migrate to PQC in the future and to assess potential risks to the organization that may be presented by CRQCs.
The Factsheet explains that, when prepared, an organization’s cryptographic inventory serves multiple purposes. For example, according to the Factsheet, organizations are often unaware of the breadth and functional dependency on quantum-vulnerable “public-key cryptography” that is within the products, applications, and services that they use. A cryptographic inventory provides visibility, supports risk assessment efforts, and facilitates engaging vendors to address potential supply chain risks. The Factsheet also notes that a cryptographic inventory will help an organization transition to a zero trust architecture, identify data that is accessible from outside their operational environment, and inform what data protected by existing cryptography could be targeted and decrypted when CRQCs become viable.
The Factsheet provides several recommendations for how to develop the cryptographic inventory. For example, the Factsheet suggests that organizations can use discovery tools to look for vulnerable algorithms in their Information Technology (“IT”) and Operational Technology (“OT”) environments, including algorithms used in network protocols, assets on end user systems and servers, and in the organization’s continuous integration/continuous delivery (“CI/CD”) development pipeline. The Factsheet recommends that the cryptographic inventory should also identify when and where quantum-vulnerable cryptography is used to protect the organization’s most sensitive and critical data, as well as identify estimates for how long those data need to be protected.
The Factsheet also provides steps that organizations and their vendors should take to address PQC adoption. Specifically, the Factsheet encourages organizations to engage with the organization’s vendors about the vendors’ quantum-readiness roadmaps. The Factsheet also notes that organizations should start considering updates to the organization’s contracts with vendors to ensure that older products used by the organization will be upgraded with PQC and new products will have PQC built in. The Factsheet also encourages vendors to review the NIST-published draft PQC standards to begin planning and testing for integration and to be prepared to support PQC as soon as possible after the NIST standards become final.
Finally, the Factsheet outlines a number of considerations related to supply chain risks that the use of quantum-vulnerable cryptography by vendors may present to organizations. The Factsheet recommends that organizations: (1) prioritize high-impact systems, industrial control systems (“ICS”), and systems with long-term confidentiality needs; (2) identify and develop plans to address quantum-vulnerable cryptography in custom-built technologies, which the Factsheet asserts will likely require the most effort to make quantum-resistant; and (3) engage with vendors to ensure both commercial-off-the-shelf (“COTS”) and cloud-based products supplied by vendors are accounted for in the organizations’ quantum-readiness roadmaps.
The Factsheet builds on the Quantum Computing Cybersecurity Preparedness Act, enacted in December 2022, which requires the Office and Management and Budget (“OMB”) to issue guidance for U.S. executive branch agencies “on the migration of information technology to post-quantum cryptography,” which includes a requirement that each agency develop an inventory of quantum-vulnerable cryptography, similar to one of the recommended actions in the Factsheet. A similar effort to migrate national security systems (including those used by the Department of Defense and Intelligence Community) to PQC is also underway. The Factsheet signals the U.S. Government’s continued interest in PQC and the development of strategies to address CRQCs and suggests that the U.S. Government believes the private sector—particularly owners and operators of critical infrastructure—needs to begin similar preparations. Additionally, since the March 2022 passage of the Cyber Incident Reporting for Critical Infrastructure Act, the door to regulation of critical infrastructure appears open. Accordingly, entities within or supporting the critical infrastructure sectors may wish to continue monitoring for further developments in this space, including the forthcoming release of the NIST PQC standards in 2024, and may also wish to begin preparations for PQC now in anticipation of possible future requirements or legislation.