Federal civilian agencies have six months to begin submitting inventories and prioritizing high-value cryptographic systems and assets to migrate to “post-quantum” encryption, per a new White House memorandum.
According to the memo, authored by the Office of Management and Budget, agencies will be required to submit a list of systems vulnerable to a cryptographically relevant quantum computer (CRQC) – a quantum computer large enough to break today's widely deployed public-key algorithms, such as RSA, Diffie-Hellman and elliptic-curve cryptography – to the Cybersecurity and Infrastructure Security Agency and the Office of the National Cyber Director, starting May 4, 2023. That list must be updated annually through 2035. It excludes national security systems, which are being protected through a parallel process run by the National Security Agency.
“Initially, agencies should focus their inventory on their most sensitive systems. OMB expects to direct inventory by agencies of systems or assets not in the above scope through future guidance on Federal Information Security Modernization Act of 2014 requirements,” wrote OMB Director Shalanda Young. “At this point in time, those systems need not be included in the inventory submitted to ONCD and CISA.”
While a quantum computer capable of breaking today's public-key encryption is still believed to be years away, the White House ordered a broad migration to newer algorithms in May 2022, and federal bodies like the National Institute of Standards and Technology have been pushing agencies and private organizations to begin planning their migrations now. The urgency comes from “harvest now, decrypt later” attacks: foreign intelligence agencies and other bad actors may be collecting encrypted data today in order to decrypt it once the technology matures, so anything that must stay confidential for a decade or more is already at risk.
NIST, with participation from the NSA, recently completed a multi-year effort to identify and vet a handful of new algorithms that they believe will resist that threat, and federal IT and security officials must now go through the laborious task of identifying vulnerable systems and prioritizing them for migration to those algorithms.
Agencies have a month to identify an in-house official to lead their inventory and migration process, and the memo establishes a new working group composed of representatives from CISA, NIST, NSA, and FedRAMP (the civilian federal government’s primary cloud security certification program) and other agencies to coordinate the work and establish procedures for testing the performance of new encryption algorithms in agency environments.
Every agency must include in its report details on each system's current encryption algorithm, the service that system provides, whether it has been designated “high impact” or “high value,” the length of its cryptographic keys, whether it is part of a larger commercial-off-the-shelf software package, and the type of data it holds. Agencies must also specify whether the system is operated by the agency itself on-premise, by a third-party cloud provider, or in a hybrid environment.
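As an added example (not the memo's reporting tool or any agency's code), the following Python script records those fields for each asset, classifies the algorithm by whether a CRQC actually breaks it, and orders the migration backlog. The field names, the data-type ranking, the scoring weights and the sample inventory are all assumptions made for illustration; the memo defines none of them.

```python
"""Triage helper for a post-quantum cryptographic inventory.

Added example, not OMB/CISA tooling. It records the fields the memo asks for,
classifies each asset by whether a cryptographically relevant quantum computer
(CRQC) breaks it, and orders the migration backlog. Field names, the data-type
ranking and the scoring weights are assumptions, not anything the memo defines.
"""
import csv
import io
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Public-key families broken by Shor's algorithm on a CRQC, regardless of key size.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA",
                   "EDDSA", "ED25519", "ED448", "ECC"}
# Symmetric ciphers and hashes: Grover's algorithm only halves effective strength,
# so they are flagged for review (not as broken) when the key is under 256 bits.
SYMMETRIC = {"AES", "CHACHA20", "SHA", "SHA3", "HMAC"}
# NIST's July 2022 selections, as family tokens they might carry in an inventory.
PQC_SELECTED = {"KYBER", "DILITHIUM", "FALCON", "SPHINCS+"}

DATA_RANK = {"public": 0, "internal": 1, "PII": 2, "CUI": 3}  # assumed ranking


@dataclass
class CryptoAsset:
    """One inventory row; field names are assumptions modelled on the memo's list."""
    system: str
    service: str            # what the system provides
    algorithm: str          # e.g. "RSA-2048", "ECDSA P-256", "AES-128-GCM"
    key_bits: int           # key length (digest length for a bare hash)
    high_impact: bool
    high_value: bool
    cots_package: Optional[str]   # vendor package name, or None if agency-built
    data_type: str          # one of DATA_RANK's keys
    deployment: str         # "on-premise" | "cloud" | "hybrid"


def family(algorithm: str) -> str:
    """Reduce 'RSA-2048', 'ECDSA P-256', 'aes-128-gcm', 'DH group 14' to a family token."""
    m = re.match(r"[A-Z0-9+]+", algorithm.strip().upper())
    return m.group(0) if m else ""


def assess(asset: CryptoAsset) -> str:
    """Return 'vulnerable', 'review', 'quantum-safe' or 'unknown'."""
    fam = family(asset.algorithm)
    if fam in SHOR_VULNERABLE:
        return "vulnerable"   # any key length: Shor's cost grows only polynomially
    if fam in PQC_SELECTED:
        return "quantum-safe"
    if fam in SYMMETRIC:
        return "review" if asset.key_bits < 256 else "quantum-safe"
    return "unknown"          # unrecognised name: must be resolved by hand, never passed


def priority(asset: CryptoAsset) -> int:
    """Higher = migrate sooner. Shor-vulnerable assets on high-value or high-impact
    systems holding sensitive data rank first: they are the ones worth harvesting now.
    Weights are assumptions."""
    verdict = assess(asset)
    if verdict == "quantum-safe":
        return 0
    score = {"vulnerable": 100, "unknown": 50, "review": 25}[verdict]
    score += 20 * (int(asset.high_value) + int(asset.high_impact))
    score += 5 * DATA_RANK.get(asset.data_type, 1)
    return score


def build_report(assets: List[CryptoAsset]) -> List[dict]:
    """Inventory rows with verdict and priority, most urgent first (ties by name)."""
    rows = []
    for a in assets:
        row = asdict(a)
        row["verdict"] = assess(a)
        row["priority"] = priority(a)
        rows.append(row)
    rows.sort(key=lambda r: (-r["priority"], r["system"]))
    return rows


def to_csv(rows: List[dict]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample inventory (fictional systems, for illustration only).
SAMPLE_INVENTORY = [
    CryptoAsset("Benefits Portal", "citizen login (TLS)", "RSA-2048", 2048, True, True, None, "PII", "hybrid"),
    CryptoAsset("Grants DB", "data at rest", "AES-256-GCM", 256, True, False, "VendorDB", "CUI", "cloud"),
    CryptoAsset("Legacy VPN", "site-to-site tunnel", "DH group 14", 2048, False, False, "VendorVPN", "internal", "on-premise"),
    CryptoAsset("Backup archive", "tape encryption", "AES-128", 128, False, True, None, "CUI", "on-premise"),
    CryptoAsset("Internal wiki", "SSH host keys", "Ed25519", 256, False, False, None, "internal", "on-premise"),
    CryptoAsset("Mainframe batch", "file transfer", "3DES-CBC", 168, False, False, "legacy suite", "CUI", "on-premise"),
]

if __name__ == "__main__":
    print(to_csv(build_report(SAMPLE_INVENTORY)))
```

Two design points carry over to any real inventory tool. Key length is recorded because the memo asks for it, but it never rescues a Shor-vulnerable family: RSA-4096 ranks the same as RSA-2048. And an algorithm name the tool does not recognise lands in an explicit “unknown” bucket with a non-zero priority rather than silently passing, so the human review the memo requires is forced rather than skipped.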
By February of next year, CISA, ONCD and FedRAMP will release a tool for submitting vulnerable systems as well as a process to identify shared services used across multiple agencies that rely on outdated encryption. By June of next year, agencies must submit funding estimates to cover the costs of the migration.