The Cybersecurity & Infrastructure Security Agency (CISA) recently made an announcement following NIST’s new post-quantum cryptographic standards. The announcement states that NIST and CISA “strongly recommend” organizations start preparing for the transition even though NIST will not be publishing new post-quantum cryptographic standards for commercial usage by 2024. The guidance the two agencies have suggested includes:
- Inventorying your organization’s systems for applications that use public-key cryptography.
- Testing the new post-quantum cryptographic standard in a lab environment; however, organizations should wait until the official release to implement the new standard in a production environment.
- Creating a plan for transitioning your organization’s systems to the new cryptographic standard that includes:
  - Performing an interdependence analysis, which should reveal issues that may impact the order of systems transition;
  - Decommissioning old technology that will become unsupported upon publication of the new standard; and
  - Ensuring validation and testing of products that incorporate the new standard.
- Creating acquisition policies regarding post-quantum cryptography. This process should include:
  - Setting new service levels for the transition.
  - Surveying vendors to determine possible integration into your organization’s roadmap and to identify needed foundational technologies.
- Alerting your organization’s IT departments and vendors about the upcoming transition.
- Educating your organization’s workforce about the upcoming transition and providing any applicable training.
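As an added illustration of the first item, the cryptographic inventory, and not part of CISA’s announcement: a small Python classifier that reads constructed inventory records and flags which public-key algorithms are quantum-vulnerable, so the order of migration can be planned. The record layout, hostnames and sample data are assumptions made for this example.

```python
"""Classify a public-key inventory for post-quantum migration planning (added example)."""
from dataclasses import dataclass

# Algorithms relying on factoring or discrete logs, broken by Shor's algorithm.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "X25519", "ED25519"}
# Algorithm names from NIST's finalized post-quantum standards.
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass(frozen=True)
class Record:
    host: str
    service: str
    key_algorithm: str   # e.g. "RSA", "ECDSA", or a hybrid such as "X25519+ML-KEM"
    key_bits: int        # key size or parameter-set number as reported by the scan
    internet_facing: bool


def classify(algorithm: str) -> str:
    """Return 'post-quantum', 'hybrid', 'quantum-vulnerable' or 'unknown'."""
    parts = {p.strip().upper() for p in algorithm.split("+")}
    pq, classical = parts & POST_QUANTUM, parts & QUANTUM_VULNERABLE
    if pq and classical:
        return "hybrid"
    return "post-quantum" if pq else "quantum-vulnerable" if classical else "unknown"


def parse_inventory(text: str) -> list[Record]:
    """Parse 'host, service, algorithm, bits, exposure' lines; '#' lines are comments."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, service, alg, bits, exposure = [f.strip() for f in line.split(",")]
        records.append(Record(host, service, alg, int(bits), exposure.lower() == "internet"))
    return records


def summarize(records: list[Record]) -> dict[str, int]:
    """Count records per classification, which an 'unknown' bucket forces you to chase."""
    counts: dict[str, int] = {}
    for r in records:
        counts[classify(r.key_algorithm)] = counts.get(classify(r.key_algorithm), 0) + 1
    return counts


def migration_queue(records: list[Record]) -> list[Record]:
    """Quantum-vulnerable uses only, internet-facing before internal, then by host."""
    vulnerable = [r for r in records if classify(r.key_algorithm) == "quantum-vulnerable"]
    return sorted(vulnerable, key=lambda r: (not r.internet_facing, r.host, r.service))


SAMPLE_INVENTORY = """
# host, service, key algorithm, key bits, exposure   (constructed sample data)
vpn.example.com, ikev2, ECDH, 256, internet
www.example.com, tls, RSA, 2048, internet
mail.example.com, tls, X25519+ML-KEM, 768, internet
ci.internal.example.com, ssh, ED25519, 256, internal
hsm.internal.example.com, signing, ML-DSA, 65, internal
legacy.internal.example.com, custom, Foo, 0, internal
"""

if __name__ == "__main__":
    recs = parse_inventory(SAMPLE_INVENTORY)
    print(summarize(recs))
    for r in migration_queue(recs):
        print(f"{'EXTERNAL' if r.internet_facing else 'internal':8} {r.host} "
              f"({r.service}): {r.key_algorithm}-{r.key_bits}")
```

The `unknown` bucket is deliberate: anything the scan cannot name (the constructed `Foo` entry) needs a manual look before it can be planned around.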
For more information on the issue please refer to CISA’s announcement, as well as the website of the National Cybersecurity Center of Excellence (NCCoE) regarding post-quantum cryptography.