On May 4th, President Biden signed a new executive order focused on post-quantum cryptography, his second featuring this subject in 2022, and we’ve still 8 months of the year to go.
The January memorandum directed all federal agencies to prepare for post-quantum cryptography by reporting on all vulnerable cryptography on national security systems. But compared to what has just been signed at The White House, the January memorandum was light weight.
The May 4th Memorandum is loaded with new directions for agency collaboration, communication, planning, and technical work, all with the focus of adopting post quantum cryptography. Here are some of the highlights:
Much more Collaboration, Communication & Planning:
The advent of quantum computers will mean cryptography has to be replaced everywhere, and with everyone about to go through this migration, what could be better than sharing best practices and learning from each other?
To this end, the memorandum includes directions to establish a “Migration to Post-Quantum Cryptography Project” whose purpose will be to “develop programs for discovery and remediation of any system that does not use quantum-resistant cryptography”.
There are also instructions for cycles of communication designed to keep the whole US government laser focused on delivering a speedy and successful migration. These include annual reports with “recommendations for accelerating those entities’ migration to quantum-resistant cryptography”, ongoing inventory reports that “document all instances where quantum-vulnerable cryptography is used by NSS”, and working groups to “identify needed tools and data sets, and other considerations to inform the development by NIST of guidance and best practices to assist with quantum resistant cryptography planning and prioritisation”.
Specific requirements for Federal Crypto-Inventories:
In the January memorandum the requirement for a Crypto-Inventory was definitely being hinted at but not made explicit. However this time around we have extremely clear language in Sec5.(c)(v):
“...an inventory of their IT systems that remain vulnerable to CRQCs, with a particular focus on High Value Assets and High Impact Systems.”
Now it is explicit: Federal agencies need to build a Crypto-Inventory, and this now comes with specific requirements:
“Inventories should include current cryptographic methods used on IT systems, including system administrator protocols, non-security software and firmware that require upgraded digital signatures, and information on other key assets.”
We also see that where January’s focus was solely on National Security Systems (NSS), this directive goes further, requiring the Directors of NIST, CISA, and the NSA to:
“establish requirements for inventorying all currently deployed cryptographic systems, excluding National Security Systems (NSS).”
All Federal cryptography is now in scope, and that means much more work ahead.
Recognising an “Imperative” role for Crypto-Agility:
Even our shiny new PQ cryptography will need to be replaced at some point; and if Rainbow is anything to go by then we will need to be prepared to respond quickly in such a scenario.
It’s this awareness (along with the lingering trauma of migrating from MD5, SHA-1, and 3DES) that leads to organisations prioritising crypto-agility. As the Memorandum puts it:
“Central to this migration effort will be an emphasis on cryptographic agility, both to reduce the time required to transition and to allow for seamless updates for future cryptographic standards. This effort is imperative across all sectors of the United States economy, from government to critical infrastructure, commercial services to cloud providers, and everywhere else that vulnerable public-key cryptography is used.”
What is most interesting is the immediate recognition that crypto-agility is not just a nice-to-have or a pie-in-the-sky ideal. Instead, it is recognised as imperative to the overall initiative. This should come as no surprise; because of the sheer size and scale of the federal infrastructure, the NSA estimates that deploying new cryptography across all NSS alone would take about 20 years. The bigger the project, the more critical crypto-agility becomes.
Big Asks, Short Timescales:
As ever, the memorandum is scattered with ambitious timescales, perhaps more ambitious than usual given the current geopolitical climate.
As we hear from businesses on an almost daily basis; building an accurate, useful, and dependable crypto-inventory is incredibly challenging, and requires constant attention to keep up to date. On the other side, crypto-agility remains painfully ill-defined for practical purposes.
If you want to get clarity on how to deliver both, then download our whitepaper: Building a Crypto-Agile Organisation.