Agencies Release Quantum Readiness Factsheet

Three U.S. government agencies have released a factsheet that aims to guide organizations through the process of migrating to post-quantum cryptography (PQC) standards.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) set out their recommended approach in the document, Quantum-Readiness: Migration to Post-Quantum Cryptography.

The guide aims to inform organizations, especially those that support critical infrastructure, of the threat of quantum computers to the public key encryption they rely upon to transmit data securely.

It includes recommendations to establish a quantum-readiness roadmap, steps to prepare a useful cryptographic inventory, considerations for understanding and assessing the supply chain, how organizations should engage with their technology vendors to discuss PQC, and the responsibilities of technology vendors.

“A successful post-quantum cryptography migration will take time to plan and conduct,” the document states.

“CISA, NSA and NIST urge organizations to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis and engaging vendors.”

It adds that early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future as it has a long secrecy lifetime. This theft of data that hackers cannot currently decrypt but which future quantum computers could enable them to do so is known as a harvest now, decrypt later approach.

Related:SandboxAQ Releases Open-Source Post-Quantum Cryptography Algorithms

NIST is in the process of selecting quantum-resistant public-key cryptographic algorithms through its post-quantum cryptography standardization process. It aims to publish its standardization documents in 2024. 

According to CISA, the critical infrastructure sectors are chemical, commercial facilities, communications, critical manufacturing, dams, defense industry, emergency services, energy, financial services, food and agriculture, government facilities, health care, information technology, nuclear, transportation and water.