In response to the evolving cybersecurity landscape, federal agencies are undergoing a paradigm shift towards a zero-trust architecture, prompted by Executive Order 14028 and OMB Memorandum M-22-09. This strategic move emphasizes the widespread adoption of robust encryption, acknowledging the potential threat posed by cryptanalytically relevant quantum computers (CRQC) and the need for preparation in post-quantum cryptography (PQC).
I. The Quantum Threat: Preparing for Post-Quantum Cryptography (PQC)
As outlined in NSM-10, federal agencies are urged to recognize the looming threat of CRQC and take proactive measures to implement PQC. This involves conducting a prioritized inventory of cryptographic systems, focusing particularly on High Value Assets (HVAs) and high-impact systems.
Requirements: Agencies are directed to establish requirements for inventorying all currently deployed cryptographic systems, excluding National Security Systems. This encompasses active software or hardware implementations of cryptographic algorithms providing services such as encryption key creation, encrypted connections, or digital signature creation and validation.
Timelines: Agencies are required to submit a prioritized inventory by May 4, 2023, and annually thereafter until 2035. Initial focus should be on the most sensitive systems, with further guidance on expanding the inventory scope expected in the future.
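To make the inventory and prioritization concrete, here is an added example (not code from the memorandum, NSM-10, or Venari Security) that triages a constructed list of deployed cryptographic systems. The record schema, the sample assets, and the scoring weights (HVA flag, FIPS 199 impact level, and long-lived confidentiality data, which is what a "harvest now, decrypt later" adversary targets) are assumptions chosen for illustration; the classification of RSA/ECC/DH as quantum-vulnerable and of ML-KEM/ML-DSA/SLH-DSA as the NIST-standardized PQC families is factual.

```python
"""Toy cryptographic-inventory triage: classify each deployed system by quantum exposure
and rank the quantum-vulnerable ones for migration (added example, not from the memo)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoAsset:
    system: str
    hva: bool                 # designated High Value Asset
    impact: str               # FIPS 199 impact level: "low" | "moderate" | "high"
    algorithm: str            # e.g. "RSA-2048", "ECDSA-P256", "AES-256", "ML-KEM-768"
    service: str              # "key_creation" | "encrypted_connection" | "signature"
    data_lifetime_years: int  # how long the protected data must remain confidential


@dataclass(frozen=True)
class Finding:
    system: str
    status: str
    score: int


# Algorithm-name prefixes by quantum exposure. Public-key families fall to Shor's
# algorithm on a CRQC; symmetric ciphers and hashes are only weakened (Grover), so they
# need larger parameters rather than replacement. ML-KEM/ML-DSA/SLH-DSA are NIST PQC.
FAMILIES = {
    "vulnerable": ("RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"),
    "quantum_resistant": ("ML-KEM", "ML-DSA", "SLH-DSA"),
    "weakened": ("AES", "SHA", "HMAC", "CHACHA20"),
}
IMPACT_WEIGHT = {"low": 1, "moderate": 2, "high": 3}   # assumed weights
CONFIDENTIALITY_SERVICES = {"key_creation", "encrypted_connection"}


def quantum_status(algorithm: str) -> str:
    """Map an algorithm label to vulnerable / weakened / quantum_resistant / unknown."""
    name = algorithm.upper()
    for status, prefixes in FAMILIES.items():
        if any(name.startswith(p) for p in prefixes):
            return status
    return "unknown"


def priority_score(asset: CryptoAsset) -> int:
    """Higher score = migrate sooner. Only quantum-vulnerable assets score above zero."""
    if quantum_status(asset.algorithm) != "vulnerable":
        return 0
    score = IMPACT_WEIGHT.get(asset.impact, 0)
    if asset.hva:
        score += 3
    # Confidentiality services protecting long-lived data are exposed today to
    # record-now-decrypt-later collection; signatures are not (assumed +2 weight).
    if asset.service in CONFIDENTIALITY_SERVICES and asset.data_lifetime_years >= 10:
        score += 2
    return score


def prioritize(assets: list[CryptoAsset]) -> list[Finding]:
    """Return findings ordered by descending score, then system name for stability."""
    findings = [Finding(a.system, quantum_status(a.algorithm), priority_score(a))
                for a in assets]
    return sorted(findings, key=lambda f: (-f.score, f.system))


def summarize(assets: list[CryptoAsset]) -> dict[str, int]:
    """Count assets per exposure status; useful as the annual-report headline."""
    counts = {status: 0 for status in (*FAMILIES, "unknown")}
    for a in assets:
        counts[quantum_status(a.algorithm)] += 1
    return counts


# Constructed sample inventory (not real agency data).
SAMPLE_INVENTORY = [
    CryptoAsset("benefits-portal-tls", True, "high", "RSA-2048", "encrypted_connection", 15),
    CryptoAsset("code-signing-ca", True, "high", "ECDSA-P256", "signature", 5),
    CryptoAsset("internal-wiki-vpn", False, "moderate", "ECDH-P256", "key_creation", 12),
    CryptoAsset("file-transfer-gateway", False, "moderate", "AES-256", "encrypted_connection", 3),
    CryptoAsset("pilot-pqc-tunnel", False, "low", "ML-KEM-768", "key_creation", 1),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_INVENTORY))
    for f in prioritize(SAMPLE_INVENTORY):
        print(f"{f.score:>2}  {f.status:<17} {f.system}")
```

Running it ranks the HVA TLS endpoint protecting long-lived data first, the HVA signing CA second, and leaves the AES and ML-KEM systems at score zero; in practice the discovery step that populates `SAMPLE_INVENTORY` (certificate scans, TLS handshake captures, HSM and library audits) is the hard part, and the scoring weights should be tuned to the agency's own risk model.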
II. Assessing Funding for Cryptographic Migration
Within 30 days of submitting the annual cryptographic inventory, agencies must assess the funding required for migrating information systems and assets to post-quantum cryptography in the following fiscal year. This assessment is crucial for informed decision-making and aligns with the directives of NSM-10 Section 3(c)(iv).
Process: ONCD, in coordination with OMB, will release instructions to agencies for submitting funding assessments and collecting requirements for migrating common cryptographic systems across agencies. This process aims to simplify and reduce the burden of agency cost assessments.
III. Automated Cryptographic Assessment Process: Navigating Progress Towards PQC Adoption
Within one year of this memorandum, CISA, in coordination with NSA and NIST, will release a strategy on automated tooling and support for assessing agency progress towards the adoption of PQC. This strategy will address discovery options for both internet-accessible and internal information systems.
IV. Testing Pre-Standardized PQC in Production Environments
Agencies are encouraged to collaborate with software vendors to identify candidate environments, hardware, and software for testing pre-standardized PQC in production. This approach ensures that PQC will function effectively before finalizing standards, with NIST, CISA, and the FedRAMP PMO facilitating the exchange of testing information and best practices among agencies.
V. Cryptographic Migration Working Group: Coordinating Agency Efforts
To provide assistance and coordination, OMB and ONCD will establish a Cryptographic Migration Working Group. Consisting of NIST, CISA, NSA, the FedRAMP PMO, and agency representatives, this group will be chaired by the Federal Chief Information Security Officer.
Conclusion: Embracing Quantum-Resistant Solutions with Venari Security
As federal agencies embark on this transformative journey towards quantum-resistant cryptography, technology solutions like Venari Security’s cryptographic discovery tool play a pivotal role in helping organisations take stock of their encrypted attack surface.
Our technology ensures the secure and efficient transition of cryptographic systems, aligning with the directives outlined in NSM-10. By embracing innovative tools like Venari Security, agencies can navigate the complexities of cryptographic migration and fortify their cybersecurity posture in the quantum era.
Read the full US Memorandum below ⬇️