CISA’s Announcement on NIST’s New Cryptographic Standards

The Cybersecurity & Infrastructure Security Agency (CISA), recently made an announcement following NIST’s new post-quantum cryptographic standards. The announcement cited that NIST and CISA “strongly recommend” organizations start preparing for the transition even though NIST will not be publishing new post-quantum cryptographic standards for commercial usage by 2024. A few guidelines/suggestions the organizations have suggested include:

  • Inventorying your organization’s systems for applications that use public-key cryptography.
  • Testing the new post-quantum cryptographic standard in a lab environment; however, organizations should wait until the official release to implement the new standard in a production environment.
  • Creating a plan for transitioning your organization’s systems to the new cryptographic standard that includes:
    • Performing an interdependence analysis, which should reveal issues that may impact the order of systems transition;
    • Decommissioning old technology that will become unsupported upon publication of the new standard; and
    • Ensuring validation and testing of products that incorporate the new standard.
  • Creating acquisition policies regarding post-quantum cryptography. This process should include:
    • Setting new service levels for the transition.
    • Surveying vendors to determine possible integration into your organization’s roadmap and to identify needed foundational technologies.
  • Alerting your organization’s IT departments and vendors about the upcoming transition.
  • Educating your organization’s workforce about the upcoming transition and providing any applicable training.

For more information on the issue please refer to CISA’s announcement, as well as the website of the National Cybersecurity Center of Excellence (NCCoE) regarding post-quantum cryptography.


NIST Announces Third Round Post-Quantum Cryptography Standardization Process Results & Fourth Round Candidates

On July 5th, the National Institute of Standards and Technology (NIST) announced its results for the third round of the Post-Quantum Cryptography (PQC) standardization process.

Out of the four candidate algorithms for standardization, NIST recommended CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures) for most use cases. Furthermore, FALCON and SPHINCS+ (digital signature) will also be standardized.

On the other hand, Classic McElice, which is highly regarded as secure, was a finalist yet was not standardized by NIST in this round. There is a possibility this algorithm will be standardized at the end of the fourth round.

For more information on this topic, please see the NIST report and the detailed briefing of the candidates chosen.