New post-quantum cryptography guidance offers first steps toward migration

New guidance from CISA, NSA and NIST officials demonstrates a roadmap for organizations to migrate to post-quantum cryptography.


Several agencies partnered to release the first federal recommendations for organizations to begin upgrading their networks and systems to quantum cryptography-resilient security schemes. 

Federal agencies are leading the charge to usher in the shift to post-quantum cryptography standards, releasing an authoritative fact sheet Monday on PQC standards and the impact of quantum information technologies.

The Quantum-Readiness: Migration to Post-Quantum Cryptography fact sheet — co-released by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the National Institute of Standards and Technology — lays out a roadmap for public and private entities to use as quantum computing technologies continue to advance and potentially threaten the standard cryptographic schemes that safeguard modern digital infrastructure.

Among the recommendations included in the roadmap is an emphasis on close communication between organizations and technology vendors — a reflection of the Biden administration’s goal of fostering better partnerships between the public and private sectors. 

“It is imperative for all organizations, especially critical infrastructure, to begin preparing now for migration to post-quantum cryptography,” said CISA Director Jen Easterly in a statement. “CISA will continue to work with our federal and industry partners to unify and drive efforts to address threats posed by quantum computing. Our collective aim is to ensure that public and private sector organizations have the resources and capabilities necessary to effectively prepare and manage this transition.”

Upgrading today’s cryptography to withstand a potential attack from a fault-tolerant quantum computer is a long overhaul. In their new document, CISA and NIST recommend that firms begin by analyzing which parts of their network systems and assets rely on quantum-vulnerable cryptography; that is, which network components create and validate security measures like digital signatures.

“Having an inventory of quantum-vulnerable systems and assets enables an organization to begin the quantum risk assessment processes, demonstrating the prioritization of migration,” the document says. 

The agencies prioritize technology vendors’ role in facilitating migration efforts. Given that PQC migration will involve software and occasional firmware updates, the document prompts vendors to chart their own PQC migration timelines to support successful product integration.

“The authoring agencies also urge organizations to proactively plan for necessary changes to existing and future contracts,” the document says. “Considerations should be in place ensuring that new products will be delivered with PQC built-in, and older products will be upgraded with PQC to meet transition timelines.”

This new guidance supports the timeline imposed by a Biden administration memorandum, which requests that government agencies modernize their networks to PQC standards by the year 2035. 

“Post-quantum cryptography is about proactively developing and building capabilities to secure critical information and systems from being compromised through the use of quantum computers,” said Rob Joyce, director of NSA Cybersecurity. “The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry. The key is to be on this journey today and not wait until the last minute.”