The White House is encouraging agencies to work with software vendors to test quantum-resistant cryptographic algorithms on their web browsers, corporate devices and other computing systems, as part of the Biden administration’s approach to prepare for a post-quantum world.
The Office of Management and Budget, in a Nov. 18 memo, sets new timelines and guidance for agencies to prepare for quantum computers capable of breaking current encryption techniques that protect data and information systems.
Although such a computer is only a concept, national security officials fear that US adversaries will make one a reality within the next decade. There are also fears that encrypted data stolen today could be decrypted by a quantum computer in the future. In a May national security memorandum, President Joe Biden called on federal leaders to begin preparing for post-quantum cryptosystems.
“A potential quantum computer by an adversary country is truly a nuclear threat to cybersecurity because the underlying cryptography is based on a mathematical principle that a quantum computer could potentially break,” Deputy National Security Advisor Anne Neuberger said at an event hosted by the Aspen Institute in July.
Earlier this year, the National Institute of Standards and Technology identified an initial batch of four encryption algorithms that will be part of NIST’s post-quantum cryptographic standard. NIST plans to finalize the standard by 2024.
While post-quantum cryptography (PQC) tools are still under development, the OMB memo directs the Cybersecurity and Infrastructure Security Agency and other agencies to work with companies to help them progress.
“Testing the pre-standards PQC in agency environments will help ensure that the PQC will work in practice before NIST completes the PQC standards and commercial implementations are finalized,” the memo reads. “Agencies, especially CISA, are encouraged to work with software vendors to identify candidate environments, hardware, and software for PQC testing.”
Agencies could test these new encryption techniques in a range of environments, including web browsers, content delivery networks, cloud service providers, devices and endpoints, and “corporate devices that initiate or terminate encrypted traffic,” the memo reads.
“To ensure that the tests are representative of real-world conditions, they may be performed or allowed to run in production environments, with appropriate monitoring and safeguards, alongside the use of current approved and validated algorithms,” continues the memo. “In many cases, testing may be done by the vendor with many customers or end users, and agencies are encouraged to participate in such testing.”
Over the next 60 days, NIST, CISA, and the FedRAMP Program Management Office — which supports the federal cloud security clearance process — will work to “enable the exchange of PQC testing information and best practices between agencies as well as with private sector partners,” the memo states.
Deadlines and financing
The OMB memo directs agencies by May 4, 2023 to inventory their information systems potentially susceptible to quantum computers capable of breaking encryption. Lists will be submitted to the White House Office of the National Cyber Director, as well as to CISA.
“As a first step, agencies should focus their inventory on their most sensitive systems,” the memo reads. “OMB plans to direct agency inventory of systems or assets not in scope above through future guidance on the requirements of the Federal Information Security Modernization Act of 2014. At this stage, these systems do not need to be included in the inventory submitted to ONCD and CISA.”
The inventory requirements exclude classified information systems, as the National Security Agency issued post-quantum guidance for such systems earlier this fall.
Agencies have 30 days to designate a lead responsible for “cryptographic inventory and migration” issues.
The Office of the National Cyber Director, along with OMB, CISA, and FedRAMP, will issue further instructions on collecting and submitting inventory in 90 days. CISA and NSA will also assess whether a security classification guide is needed to further assist the inventory process.
Agencies also have only 30 days to submit to the White House an assessment of the funding needed to migrate systems to post-quantum crypto.
CISA, NSA, and NIST will also spend the next year developing a strategy on “automated tooling and support” for agency assessments of progress toward post-quantum crypto adoption.
“This strategy should address options for discovery of information systems or assets that are accessible over the Internet, as well as internal discovery of information systems or assets that are not accessible over the Internet,” the memo states. “Discovery methods will support open source software tools and utilize existing CISA or agency capabilities, such as continuous diagnostics and mitigation (CDM), where possible. The strategy will also describe the limitations of available assessment methods, as well as any gaps in automated capabilities or tools.”