DHS and NIST release post-quantum cryptography guidance

The Department of Homeland Security and the Department of Commerce’s National Institute of Standards and Technology on Monday released a guide designed to help organizations prepare for risks introduced by advancements in quantum computing.

Over the next decade or so, researchers believe that it will be possible to build a quantum computer—a machine that uses quantum properties to solve problems that would be extremely difficult or take incredible amounts of time for conventional computers to solve—that could render most of today’s encryption algorithms useless.

"If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use,” according to NIST, which is leading the federal effort to standardize one or more quantum-resistant public-key cryptographic algorithms. “This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.”

The roadmap published Monday intends to make it easier for organizations to transition to the new post-quantum cryptography standard once it becomes available. The seven-step process emphasizes creating an inventory of encrypted systems, and prioritizing data that is most at risk. They include:

1. Organizations should direct their Chief Information Officers to increase their engagement with standards developing organizations for latest developments relating to necessary algorithm and dependent protocol changes.
2. Organizations should inventory the most sensitive and critical datasets that must be secured for an extended amount of time. This information will inform future analysis by identifying what data may be at risk now and decrypted once a cryptographically relevant quantum computer is available.
3. Organizations should conduct an inventory of all the systems using cryptographic technologies for any function to facilitate a smooth transition in the future.
4. Cybersecurity officials within organizations should identify acquisition, cybersecurity, and data security standards that will require updating to reflect post-quantum requirements.
5. From the inventory, organizations should identify where and for what purpose public key cryptography is being used and mark those systems as quantum vulnerable.
6. Prioritizing one system over another for cryptographic transition is highly dependent on organization functions, goals, and needs. 
7. Using the inventory and prioritization information, organizations should develop a plan for systems transitions upon publication of the new post-quantum cryptographic standard. Cybersecurity officials should provide guidance for creating transition plans.

DHS Secretary Alejandro Mayorkas in March emphasized that the transition to post-quantum encryption would be one of the Department’s priorities, and issued internal guidance to drive DHS’s own preparedness. 

“Now is the time for organizations to assess and mitigate their related risk exposure,” Mayorkas said in a statement Monday. “As we continue responding to urgent cyber challenges, we must also stay ahead of the curve by focusing on strategic, long-term goals.  This new roadmap will help protect our critical infrastructure and increase cybersecurity resilience across the country.”