The National Institute of Standards and Technology (NIST) has announced that
a new post-quantum cryptographic standard will replace current public-key
cryptography, which is vulnerable to quantum-based attacks. Note: the term
“post-quantum cryptography” is often referred to as “quantum-resistant
cryptography” and includes, “cryptographic algorithms or methods that are
assessed not to be specifically vulnerable to attack by either a CRQC
[cryptanalytically relevant quantum computer] or classical computer.” (See the National
Security Memorandum on Promoting United States Leadership in Quantum Computing
While Mitigating Risks to Vulnerable Cryptographic Systems for more
information).
Although NIST will not publish the new post-quantum cryptographic standard
for use by commercial products until 2024, CISA and NIST strongly recommend organizations
start preparing for the transition now by following the Post-Quantum Cryptography Roadmap, which
includes:
- Inventorying your organization’s systems for
applications that use public-key cryptography. - Testing the new post-quantum cryptographic standard in
a lab environment; however, organizations should wait until the official
release to implement the new standard in a production environment. - Creating a plan for transitioning your organization’s
systems to the new cryptographic standard that includes: - Performing an
interdependence analysis, which should reveal issues that may impact the
order of systems transition; - Decommissioning old
technology that will become unsupported upon publication of the new standard;
and - Ensuring validation and
testing of products that incorporate the new standard. - Creating acquisition policies regarding post-quantum
cryptography. This process should include: - Setting new service
levels for the transition. - Surveying vendors to
determine possible integration into your organization’s roadmap and to
identify needed foundational technologies. - Alerting your organization’s IT departments and vendors
about the upcoming transition. - Educating your organization’s workforce about the
upcoming transition and providing any applicable training.
For additional guidance and background, CISA and NIST strongly encourage
users and administrators to review:
- NIST press release, NIST
Announces First Four Quantum-Resistant Cryptographic Algorithms. - The NIST and Post-Quantum
Cryptography, Post-Quantum
Cryptography Standardization, and Migration
to Post-Quantum Cryptography websites.