NIST’s new PQC Algorithms and What They Mean for Federal Agencies

By: Dr. Matthew McFadden, Vice President of Cyber, GDIT

The cybersecurity landscape is evolving rapidly with last week’s release of new post-quantum cryptography (PQC) algorithms by the National Institute of Standards and Technology (NIST). These algorithms mark a critical step forward in preparing for the post-quantum era, providing a roadmap for agencies to begin their transition to quantum-resistant encryption. NIST is encouraging agencies to begin transitioning to the new standards as soon as possible.

One of the most fundamental aspects of cybersecurity is the act of encryption. Without encryption, it is nearly impossible to safeguard the protection of data – even concepts such as zero trust cannot fully protect data without it. Encryption has become second nature and a mandatory requirement within almost all cybersecurity standards today. However, the challenge now is that PQC is becoming a necessity as the threat of “harvest now and decrypt later” is emerging as a potential risk.

Almost every part of an information system depends on some form of public-key cryptography. Current algorithms for public-key cryptography are vulnerable to being decrypted by quantum computing, which has the potential to break these algorithms. This means that adversaries, if they have recorded, extracted, or stolen data, may be able to decrypt this information either now or when quantum computers become more advanced. The true capabilities of our adversaries may be uncertain, which magnifies the threat. This includes sensitive emails, websites used to transmit or store data, or even any data traversing the internet – all of which rely on the encryption provided by public-key cryptography.

Public-key cryptography is deeply integrated into agency information systems, so keeping an accurate inventory of it will be a continuous task. Agencies will need to regularly update their discovery and assessment methods and migrate systems, hardware, and software to ensure they are patched, updated, and replaced. This ongoing process will require continuous investment, which will be essential during and after the migration to meet PQC standards.

The transition of federal agency systems based on Office of Management and Budget and Office of National Cyber Director inventories is projected to cost approximately $7.1 billion between 2025 and 2035, as outlined in the OMB’s Report on Post-Quantum Cryptography. This report highlights the significant funding that may be required for agencies to move away from quantum-vulnerable cryptography. While much of the focus has been on high-value assets, non-critical functions, operational technology, and IoT devices must also be considered. Understanding and quantifying the true scope of migration is an ongoing challenge.

The OMB report outlines four key strategies for PQC to be successful:

1. Comprehensive and ongoing cryptographic inventory is a key baseline for successful migration to PQC.
2. The threat of “harvest now, decrypt later” attacks means that the migration to PQC must start before a cryptographically relevant quantum computer (CRQC) is known to be operational.
3. Agencies must prioritize systems and data for PQC migration.
4. Systems that will not be able to support PQC algorithms must be identified as early as possible.

To ensure the long-term defense of critical information systems and the data they store and process, it is crucial to implement and prioritize migration to Post-Quantum Cryptography now that the NIST-approved algorithms are available. By engaging with industry experts and leveraging the latest tools and technologies, agencies can streamline the PQC migration process. Migrating public-key cryptography to PQC will require deliberate planning, and agencies need a trusted partner to ensure their cryptography strategy is innovative and ready for the post-quantum future.