The Cybersecurity and Infrastructure Security Agency (CISA) is sharing details on what vendors can expect from its list of product categories that support post-quantum cryptography (PQC), which, a CISA official said this week, the agency is on track to deliver in December.

The product category list is mandated by a White House executive order, which tasks CISA with releasing the list and thereafter regularly updating it.

President Joe Biden issued an executive order in January that called for the product category list by July. However, President Donald Trump amended the executive order in June, setting a December deadline for the list.

“We are actually ahead of schedule,” Garfield “Gary” Jones, the associate chief of strategic technology at CISA, said on Thursday at the Quantum Summit in Reston, Va. “This product list is actually going to be available in December and fully available in December.”

“This product list is basically going to have PQC-enabled products on it. If your product is not PQC-enabled, you probably won’t be able to do business with the government as we move forward,” Jones warned. “I’m not saying by December, no, but by 2035, we have to start making these PQC-enabled products available and implemented into agencies.”

The White House has established the year 2035 as the primary target for completing the migration to PQC across federal agencies.

With cryptographically-relevant quantum computers (CRQCs) rapidly approaching, Jones said the list will help ensure products coming into the federal government support PQC and have the proper safeguards.

Specifically, he said that when CISA says “PQC-enabled products,” it is looking for products that have enabled the algorithms issued by the National Institute of Standards and Technology (NIST) for PQC.

The three algorithms are specified in Federal Information Processing Standards (FIPS) and are designed to resist future attacks by quantum computers. Jones said that to qualify as a PQC-enabled product, vendors must implement FIPS 203, FIPS 204, and FIPS 205.

“Our primary task on this is basically to establish criteria to identify these PQC-enabled products. We’re going to establish an initial category list, which has the product types and has the product categories,” Jones said. “We don’t have the exact products in there just yet, but we’re trying to establish a criteria so that you’re able to get on this list.”

After releasing the product category list in December, the next step will be developing a list with actual products on it that are PQC-enabled.

Jones clarified that CISA’s work on the product category list is going to be focused on the Federal Civilian Executive Branch (FCEB), not the National Security System (NSS) – which typically involves intelligence or military systems.

In addition to implementing the FIPS standards, Jones said that for any product to get on the list, it has to be “generally available,” adding, “It has to be ready. It can’t be a demo.” He also said the product must be ready for multiple vendors.

“I know everyone says, ‘My product, it’s the only one.’ No, this is not ‘Highlander.’ This is, you’re going to have to have it ready for multiple places,” Jones said.

Finally, he said the product must be “interoperable” so that it can work with other products in the federal government.

While CISA’s initial product categories have not been released yet, Jones shared the first preview of the categories on Wednesday and encouraged vendors to “take notes” so that they know what to expect.

“The product categories. So, we’re going to have the networking and hardware and software category. We’re going to have the telecommunications hardware. We’re going to have computers, which is basically the operating systems, the hypervisors and containers, things like that,” Jones explained. “Then we have the ‘SANs,’ which are the storage area network, cloud services, identity – which is the ICAM stuff, the identity, credential, and access management. We’re going to have collaboration software as part of that category.”

“Then, we have data management, which is your databases and your SQL servers and so forth. And the web software, which are your browsers and your servers, which is really important as a lot of us use it,” he continued. “And finally, the endpoint enterprise security – that is another piece that is extremely important. So, that’s going to contain your encryption, your antivirus, and your … CDM tools, and so forth. So, things like that are where we’re looking at.”

Jones said CISA is going to evaluate products by first seeing if the vendor has a “public announcement” saying that their product is out there. Then, he said they will “have to submit” to get on the product list.

CISA is working with the General Services Administration (GSA) and other agencies to determine “where the submission will come from,” Jones said.

He noted that he doesn’t have a timeline on when vendors will be able to submit, adding, “That’s probably up to the White House.” However, CISA’s submission of its initial list of product categories to the White House in December is the first step in this process.

“Vendor submission is really important. CISA, of course, will review the evidence to make sure that you have the right stuff in there, you have those FIPS,” Jones said.

Once CISA evaluates all of that, it will put the PQC-enabled product on the list. However, Jones said that as vendors update their products, they will need to let CISA know.

“We’re going to be making sure that if you sent updates out and you haven’t told us … we haven’t decided what will happen to the product, but odds are, you know, it will probably not be on the list, okay? Because there’s a trust factor that is going to go along with this,” he said.

“CISA is really going to be maintaining this product list and product categories by the executive order. We’re going to use this evidence-based system to really evaluate how things are,” he said, adding, “We’re going to have that initial category list out … and then we’re going to expand it, and we’re going to refine it as the market changes.”

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.