From Requests to Requirements:
On the 18th of January, President Biden signed an Executive Order that instantly re-shaped priorities and plans across all Federal Agencies.
You may recall the previous order that was put out in May 2021. What’s new?
Where May 2021 set out intentions, January 2022 sets out demands. Advice becomes requirements, and those requirements now have deadlines. In some cases agencies have 180 days (18th of July), and in some cases 30 days (18th of February).
Within 6 months agencies will be required to implement MFA, encrypt all data at rest and in transit, and launch their preparation for post quantum cryptography:
“Within 180 days of the date of this memorandum, agencies shall identify any instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms”
Post Quantum Cryptography becomes a Priority 1 Issue
These are aggressive deadlines.
But where MFA adoption has been a highly recommended initiative for nearly a decade, scanning for non-quantum cryptography is a relatively new initiative for Federal Agencies.
We have all seen click bait headlines of a “quantum apocalypse” vying for our attention, but is the threat really so imminent?
In late 2021 the NSA shared estimations that a migration to new cryptography could take 20 years to complete across all National Security Systems (NSS). Some estimates put the availability of a cryptographically significant quantum computer at just a quarter of this time frame.
So preparations really do need to start now, and new methodologies need to be adopted to drive faster migrations.
Building a Crypto-Inventory & Migration Plan in 180 Days
From our experience working with customers, there is often a will to get ahead with these initiatives, but the initial phases of preparing to migrate cryptography can cause bottlenecks.
Biden’s Memorandum requires agencies to “identify instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms”. In short, each agency needs to create a Crypto-Inventory.
For anyone with experience in overseeing previous migrations from SHA-1 or MD5, you will know that crypto-inventories are only useful if they are always up to date, show dependencies and relationships between cryptographic objects, and integrate into your process for the actual migration.
And if you need such an Inventory fast, a built for purpose tool is usually going to be the best practice approach.
Onto Migration Plans
The memorandum says agencies must provide: “a timeline to transition these systems to use compliant encryption, to include quantum resistant encryption” in the same 180 days.
How do you create a timeline for something like this?
The key element is understanding how people, process, and technology interact during a migration.
In terms of process, how do you currently build and update your applications? If you are deep into CI/CD then it makes sense to leverage this agility-engine and it’s existing processes for the updates required. In reality though, large agencies will find their inventory shows their technology exists in many different states, so your migration plan must reflect different streams and approaches, even for legacy applications where you can’t directly change the code.
When it comes to people, the best results come from assigning ownership. This is a great opportunity to integrate cryptography updates into your incident response plans and ensure you always have a virtual team assigned for urgent changes.
Lastly, the ideal technology will give your people the visibility they need, integrate into their processes, and give them confidence that the updates are securely implemented.
The impact this memorandum will have on resource allocation across all federal agencies should not be understated. No cyber security strategy ever goes 100% according to plan, but to have priorities completely overhauled in January might be a shock to the system. For those who need it, there is outside help available in the form of Cryptosense.
Download our latest white paper: "Building a Crypto-Agile Organization", to learn how agile cryptography can help you prepare for PQC.