The Cybersecurity and Infrastructure Security Agency (CISA) is gearing up to release its post-quantum cryptography (PQC) migration roadmap soon, a top CISA official revealed Tuesday.
In 2022, the Office of Management and Budget (OMB) released a memorandum (M-23-02) that directed agencies to create an inventory of their most critical cryptographic systems.
CISA’s PQC migration roadmap will help guide Federal agencies on what to do next, the agency’s Associate Chief of Strategic Technology Gary Jones said.
“[M-23-02] really kick-started a lot of the actions that we see today,” Jones said during an ATARC webinar on July 9. “The roadmap that we worked on – and is up for signature – it really identifies the activities after the M-23-02.”
“We had a lot of questions of, ‘Okay, we’ve done the inventory, what do we do next?’ So, we tried to put together a roadmap to say that this is what we see coming down the pike after we complete this inventory,” Jones said.
Jones previewed the forthcoming roadmap with his CISA colleague Christian Lowry, who serves as the emerging risks branch chief within the National Risk Management Center. Together, they highlighted the 12 roadmap execution activities as well as a timeline for each one.
The roadmap will apply to all Federal civilian executive branch agencies, Jones explained, but will exclude their national security systems.
CISA’s roadmap directives include activities like publishing PQC standards; monitoring vendor PQC implementation; conducting risk assessments; and conducting education and training, among others.
Notably, the National Institute of Standards and Technology (NIST) is expected to release quantum-resistant algorithms ready for use by the end of this year, but Jones said he expects it to come a little earlier.
“NIST has been working very hard on these algorithms,” Jones said. “I think they’re getting very close.” NIST released a draft of the algorithms in August 2023 to help agencies move away from standard public-key encryption techniques to more advanced quantum-resistant methods.
“As they release these standards, their work is not finished,” Jones said. “[NIST] will continue to work further to evaluate these algorithms and standards to make sure that they are still relevant and add additional features to them so that they make them even more secure.”
“We anticipate that vendors will start to incorporate this in the next year after the standards are released,” he added.
The roadmap’s timeline for implementation starts in quarter two of fiscal year (FY) 2024 and ends in FY 2035.
Some of the activities don’t have specific deadlines, but rather are continuous over the next ten years – like monitoring systems for compliance.
“The end is FY35,” Jones said. “It really won’t be the end, but that’s when it’s been mandated that we migrate to PQC.”
“A lot of the activities that CISA’s been working on, we’ve been doing from FY30, because we’re trying to be ahead of the game,” Jones explained. “There’s got to be some slack time in there if things go haywire … We’re giving that five-year gap to do some fine tuning if something goes wrong.”
The Biden-Harris administration began its focus on a post-quantum future with the release of its National Security Memorandum 10 – Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems – in May 2022.
The document calls for the transition of cryptographic systems to quantum-resistant cryptography by 2035.