DHS and NIST publish post-quantum cryptography roadmap

The US Department of Homeland Security (DHS), in collaboration with the US Department of Commerce’s National Institute of Standards and Technology (NIST), has released a roadmap to help organizations reduce the risks posed by advances in quantum computing technology.

“The transition to post-quantum encryption algorithms is as much dependent on the development of such algorithms as it is on their adoption. While the former is already ongoing, planning for the latter remains in its infancy. We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future,” U.S. Secretary of Homeland Security, Alejandro Mayorkas, said in a statement.

The new guide provides organizations with concrete and achievable steps they can take to prepare for the transition to post-quantum cryptography.

“Organizations should consider taking inventory of their current cryptographic systems, the data being protected, and prioritizing their systems for transition. Early preparations will ensure a smooth and efficient transition to the new post-quantum cryptography standard once available,” DHS said.

The seven-step process includes:

1. Organizations should direct their Chief Information Officers to increase their engagement with standards developing organizations for the latest developments relating to necessary algorithm and dependent protocol changes.

2. Organizations should inventory the most sensitive and critical datasets that must be secured for an extended amount of time. This information will inform future analysis by identifying what data may be at risk now and decrypted once a cryptographically relevant quantum computer is available.

3. Organizations should conduct an inventory of all the systems using cryptographic technologies for any function to facilitate a smooth transition in the future.

4. Cybersecurity officials within organizations should identify acquisition, cybersecurity, and data security standards that will require updating to reflect post-quantum requirements.

5. From the inventory, organizations should identify where and for what purpose public key cryptography is being used and mark those systems as quantum vulnerable.

6. Prioritizing one system over another for cryptographic transition is highly dependent on organization functions, goals, and needs. To supplement prioritization efforts, organizations should consider the following factors when evaluating a quantum vulnerable system:

a. Is the system a high value asset based on organizational requirements?

b. What is the system protecting (e.g. key stores, passwords, root keys, signing keys, personally identifiable information, sensitive personally identifiable information)?

c. What other systems does the system communicate with?

d. To what extent does the system share information with federal entities?

e. To what extent does the system share information with other entities outside of your organization?

f. Does the system support a critical infrastructure sector?

g. How long does the data need to be protected?

7. Using the inventory and prioritization information, organizations should develop a plan for systems transitions upon publication of the new post-quantum cryptographic standard. Cybersecurity officials should provide guidance for creating transition plans.
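As an added illustration, not part of the DHS/NIST roadmap or of this article, the following Python sketch turns steps 3, 5 and 6 into a small triage routine: a constructed system inventory is scanned for public-key algorithms, those systems are marked quantum vulnerable, and factors a–g are folded into a priority score. The algorithm list, the weights and the ten-year "long-lived data" threshold are assumptions chosen for the example, not values from the roadmap.

```python
from dataclasses import dataclass

# Public-key schemes built on factoring or discrete logarithms, all broken by a
# cryptographically relevant quantum computer. Assumed list, not from the roadmap.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
# Asset types named in factor (b) of the roadmap.
SENSITIVE_ASSETS = {"key stores", "passwords", "root keys", "signing keys", "PII", "SPII"}
LONG_LIVED_YEARS = 10  # assumed threshold for factor (g), "how long must data stay protected"

@dataclass
class System:
    name: str
    algorithms: set                # cryptographic algorithms the system relies on
    protects: str                  # factor (a): what the system protects
    high_value: bool               # factor (a): high value asset?
    external_peers: int            # factors (c)/(e): systems or entities it talks to
    federal_sharing: bool          # factor (d)
    critical_infrastructure: bool  # factor (f)
    protection_years: int          # factor (g)

def quantum_vulnerable(system: System) -> bool:
    """Step 5: any reliance on public-key cryptography marks the system."""
    return bool(system.algorithms & QUANTUM_VULNERABLE)

def priority_score(system: System) -> int:
    """Step 6: fold factors (a)-(g) into one score; the weights are illustrative."""
    score = 3 if system.high_value else 0
    score += 3 if system.protects in SENSITIVE_ASSETS else 0
    score += min(system.external_peers, 3)
    score += 1 if system.federal_sharing else 0
    score += 2 if system.critical_infrastructure else 0
    # Data that must stay confidential for years is exposed to harvest-now, decrypt-later.
    score += 3 if system.protection_years >= LONG_LIVED_YEARS else 0
    return score

def triage(inventory):
    """Return the quantum-vulnerable systems, highest transition priority first."""
    vulnerable = [s for s in inventory if quantum_vulnerable(s)]
    return sorted(vulnerable, key=priority_score, reverse=True)

# Constructed sample inventory (the output of step 3); these are not real systems.
INVENTORY = [
    System("vpn-gateway", {"RSA", "AES-256"}, "PII", True, 5, False, False, 15),
    System("code-signing", {"ECDSA", "SHA-256"}, "signing keys", True, 2, False, True, 10),
    System("intranet-wiki", {"ECDH", "AES-128"}, "internal docs", False, 0, False, False, 2),
    System("backup-archive", {"AES-256", "HMAC-SHA-256"}, "PII", True, 0, False, False, 20),
]
```

Running `triage(INVENTORY)` ranks code-signing (13) ahead of vpn-gateway (12) and intranet-wiki (0), while backup-archive, which uses only symmetric primitives, is left off the quantum-vulnerable list entirely.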
