The White House is asking agencies to participate in tests of post-quantum cryptography

The White House is encouraging agencies to work with software vendors to test quantum-resistant encryption algorithms on web browsers, enterprise devices, and other IT systems, as part of the Biden administration’s approach to preparing for a post-quantum world.


In a November 18 memo, the Office of Management and Budget sets new deadlines and guidance for agencies to prepare for quantum computers capable of breaking existing encryption technologies that protect data and information systems.

While such a computer is still only a concept, national security leaders worry that adversaries of the United States could make one a reality over the next decade. There are also concerns that encrypted data stolen today could be decrypted by a quantum computer in the future. In a National Security Memorandum in May, President Joe Biden directed federal leaders to begin preparing for post-quantum cryptographic systems.

“A potential quantum computer by an enemy nation is really a nuclear threat to cybersecurity, because the underlying cryptography is based on a mathematical principle that a quantum computer could potentially break,” Deputy National Security Adviser Anne Neuberger said at an event hosted by the Aspen Institute in July.

The National Institute of Standards and Technology earlier this year identified the first batch of four cryptographic algorithms that will become part of NIST’s Post-Quantum Encryption Standard. NIST expects to finish the standard by 2024.

While post-quantum cryptography (PQC) tools are still in development, the OMB memo directs the Cybersecurity and Infrastructure Security Agency, along with other agencies, to work with companies to help advance them.

“Pre-testing of standardized PQC in agency environments will help ensure that PQC will work in practice before NIST completes standardized PQC and commercial applications are completed,” the memo states. “Agencies, particularly CISA, are encouraged to work with software vendors to identify candidate environments, hardware, and software for PQC testing.”

Agencies can test these new encryption technologies in a range of environments, including web browsers, content delivery networks, cloud service providers, devices, endpoints, and “enterprise devices that initiate or terminate encrypted traffic,” the note states.

“To ensure that tests are representative of real-world conditions, they can be performed, or allowed to run, in production environments, with appropriate monitoring and safeguards, along with the use of currently validated and validated algorithms,” the note continues. “In many cases, testing may be conducted by the vendor across multiple customers or end users, and agencies are encouraged to participate in these tests.”

Over the next 60 days, NIST, CISA, and the FedRAMP Office of Management—which supports the federal cloud security mandate process—will “enable the exchange of PQC testing information and best practices between agencies as well as with private sector partners,” the memo states.

Deadlines and funding

The OMB memo directs agencies to take an inventory, by May 4, 2023, of their information systems potentially vulnerable to quantum computers capable of breaking encryption. The inventories will be submitted to the White House Office of the National Cyber Director, as well as CISA.

“Initially, agencies should focus their inventory on their most sensitive systems,” the memo states. “OMB expects to guide the agencies’ inventory of systems or assets that are not in the scope above through future guidance on the requirements of the Federal Information System Modernization Act of 2014. At this time, these systems do not need to be included in the inventory submitted to ONCD and CISA.”

The inventory requirements exclude classified information systems. The NSA issued post-quantum guidance for those systems earlier this fall.

Agencies have 30 days to designate an administrator as the lead for cryptographic inventory and migration issues.

The Office of the National Cyber Director, along with OMB, CISA and FedRAMP, will issue further instructions on collecting and moving inventory within 90 days. CISA and NSA will also assess whether safety classification evidence is needed to further assist the inventory process.

The agencies also have just 30 days to submit an assessment to the White House for the funding required to migrate systems to post-quantum encryption.

CISA, NSA, and NIST will also spend the next year developing a strategy around “automated tools and support” to assess the agencies in their progress toward adopting post-quantum cryptography.

“This strategy is expected to address discovery options for information systems or assets accessible via the Internet, as well as internal discovery for information systems or assets that are not accessible via the Internet,” the memo says. Discovery methods will support open source software tools and use existing CISA or agency capabilities, such as Continuous Diagnostics and Mitigation (CDM), where applicable. The strategy will also describe the limitations of available assessment methods, as well as any gaps in capabilities or automated tools.
