Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats

The National Institute of Standards and Technology (NIST) has announced that
a new post-quantum cryptographic standard will replace current public-key
cryptography, which is vulnerable to quantum-based attacks. Note: the term
“post-quantum cryptography” is often referred to as “quantum-resistant
cryptography” and includes “cryptographic algorithms or methods that are
assessed not to be specifically vulnerable to attack by either a CRQC
[cryptanalytically relevant quantum computer] or classical computer.” (See the
National Security Memorandum on Promoting United States Leadership in Quantum
Computing While Mitigating Risks to Vulnerable Cryptographic Systems for more
information.)

Although NIST will not publish the new post-quantum cryptographic standard
for use by commercial products until 2024, CISA and NIST strongly recommend organizations
start preparing for the transition now by following the Post-Quantum Cryptography Roadmap, which
includes:

  • Inventorying your organization’s systems for
    applications that use public-key cryptography.
  • Testing the new post-quantum cryptographic standard in
    a lab environment; however, organizations should wait until the official
    release to implement the new standard in a production environment.
  • Creating a plan for transitioning your organization’s
    systems to the new cryptographic standard that includes:
    • Performing an
      interdependence analysis, which should reveal issues that may impact the
      order of systems transition;
    • Decommissioning old
      technology that will become unsupported upon publication of the new standard;
      and
    • Ensuring validation and
      testing of products that incorporate the new standard.
  • Creating acquisition policies regarding post-quantum
    cryptography. This process should include:
    • Setting new service
      levels for the transition.
    • Surveying vendors to
      determine possible integration into your organization’s roadmap and to
      identify needed foundational technologies.
  • Alerting your organization’s IT departments and vendors
    about the upcoming transition.
  • Educating your organization’s workforce about the
    upcoming transition and providing any applicable training.
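The first roadmap step, inventorying systems for public-key cryptography, is the one most organizations can start on immediately. The script below is an added example written for this page (it is not CISA or NIST tooling): it finds PEM-encoded key material in configuration text, walks the DER inside each block to pull out the algorithm identifiers, and flags the RSA, DSA, EC and Curve25519 objects that a cryptanalytically relevant quantum computer would break. The PEM blocks it scans are constructed in-line from dummy DER so the script runs offline; they are not real keys, and the PEM labels and OID table are the assumptions it works from.

```python
"""Added inventory helper (not CISA/NIST code): find PEM-encoded public-key
material and report which algorithms it uses, flagging quantum-vulnerable ones.
The sample PEM blocks at the bottom are constructed from dummy DER; they are
placeholders, not real keys."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Well-known algorithm identifiers (PKCS#1, RFC 5480, RFC 8410).
OID_NAMES = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10040.4.1": "DSA",
    "1.2.840.10045.2.1": "EC",
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
    "1.3.101.110": "X25519",
    "1.3.101.112": "Ed25519",
}
# Every algorithm above rests on factoring or discrete logarithms, which a CRQC
# solves efficiently, so each one is in scope for replacement.
QUANTUM_VULNERABLE = set(OID_NAMES)
# PEM labels that name the algorithm even when the body carries no OID
# (a PKCS#1 "RSA PRIVATE KEY", for example).
VULNERABLE_LABELS = {"RSA PRIVATE KEY", "RSA PUBLIC KEY", "EC PRIVATE KEY",
                     "DSA PRIVATE KEY"}


def decode_oid(body: bytes) -> str:
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def iter_oids(der: bytes):
    """Walk DER TLVs, descending into constructed types, and yield each OID."""
    i = 0
    while i < len(der):
        tag, length = der[i], der[i + 1]
        i += 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length = int.from_bytes(der[i:i + n], "big")
            i += n
        body = der[i:i + length]
        i += length
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:  # SEQUENCE, SET, or a constructed context tag
            yield from iter_oids(body)


def inventory(text: str) -> list:
    """Return one finding per PEM block: label, algorithms, vulnerable flag."""
    findings = []
    for m in PEM_RE.finditer(text):
        label, b64 = m.group(1), "".join(m.group(2).split())
        try:
            oids = list(iter_oids(base64.b64decode(b64, validate=True)))
        except (ValueError, IndexError):  # malformed block: still list it
            oids = []
        findings.append({
            "label": label,
            "algorithms": [OID_NAMES.get(o, o) for o in oids],
            "quantum_vulnerable": label in VULNERABLE_LABELS
            or any(o in QUANTUM_VULNERABLE for o in oids),
        })
    return findings


def summarize(findings: list) -> dict:
    """Counts for a migration tracker: how many blocks, how many to replace."""
    return {"total": len(findings),
            "quantum_vulnerable": sum(f["quantum_vulnerable"] for f in findings)}


# --- constructed sample input (dummy DER, not real keys) ---------------------
def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body  # short-form length suffices here


def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


_RSA, _EC, _P256, _ED = (bytes.fromhex(h) for h in
                         ("2A864886F70D010101", "2A8648CE3D0201",
                          "2A8648CE3D030107", "2B6570"))
_BITS = _tlv(0x03, b"\x00\xAB\xCD")  # placeholder key bits
SAMPLE_CONFIG = (
    "# tls section (constructed example)\n"
    + _pem("PUBLIC KEY", _tlv(0x30, _tlv(0x30, _tlv(0x06, _RSA) + _tlv(0x05, b"")) + _BITS))
    + _pem("PUBLIC KEY", _tlv(0x30, _tlv(0x30, _tlv(0x06, _EC) + _tlv(0x06, _P256)) + _BITS))
    + _pem("PUBLIC KEY", _tlv(0x30, _tlv(0x30, _tlv(0x06, _ED)) + _BITS))
)

if __name__ == "__main__":
    results = inventory(SAMPLE_CONFIG)
    for finding in results:
        print(finding)
    print(summarize(results))
```

Pointed at real configuration directories, the same loop over `inventory()` output gives the interdependence analysis a starting list: which services hold which key types, and therefore which must move together. Key material in binary stores (PKCS#12, JKS, HSM-backed slots) is not covered by a PEM scan and has to be inventoried separately.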

For additional guidance and background, CISA and NIST strongly encourage
users and administrators to review: