Last month, the National Security Agency (NSA) announced the publication of the “Commercial National Security Algorithm Suite 2.0.” The purpose of the document is to inform and guide National Security System (NSS) owners, operators and vendors on post-quantum (PQ) requirements for “networks that contain classified information or are otherwise critical to military and intelligence activities.” The document also sets timing parameters for starting this transition. So when does their timeline begin? The NSA identified software and firmware signing as the first area to address, and stated that this transition should start immediately.
But that should come as no surprise. We are convinced that the time has come to prepare for post-quantum cryptography. There is consensus that within a decade there will be a quantum computer powerful enough to disrupt cryptography as we know it. Additionally, we know that the transition is not just another crypto refresh cycle. The migration to quantum-safe algorithms is far more complicated and will take several years.
The reason the NSA is looking into this issue and setting such aggressive deadlines is that it knows data needs to stay secure. Government agencies – as well as other industries such as financial services and healthcare – have long-lived data (sensitive data that must remain confidential for more than 10 years) that must be protected today with quantum-resistant cryptography, so that it stays secure for the lifetime of the data.
But the need to prepare is not exclusive to government. All organizations should take steps to prepare, including:
1 – Inventory data
- It is important to understand where your valuable and/or long-lived data resides, and the data streams associated with it. Once you have this catalog and inventory, you know where to start and where your main concerns lie.
2 – Inventory crypto assets
- Some organizations are already struggling to know what crypto assets reside in their environment, and full visibility into this is essential when creating a post-quantum preparedness plan. In addition to visibility, it is also important to ensure compliance, control and automation of these assets.
3 – Build a crypto agility strategy and roadmap
- Cryptographic agility will be essential for the PQ transition. Cryptographic agility is the ability to easily switch from one algorithm to another – such as a PQ algorithm. And given that PQ algorithms are not yet a mature set, staying agile even after the PQ transition will also be essential. It is also important for organizations to identify areas of crypto-related risk across processes, people and technology. Entrust has a Crypto Agility Maturity Assessment that does just that. It also includes the development of a prioritized remediation roadmap for increased agility, in accordance with the NIST/DHS PQ reference model.
4 – Test and plan the migration
- All eyes are on the NIST PQ competition to determine the recommended quantum-safe algorithms, but in the meantime the Round 3 finalist algorithms have been announced and testing can begin. For example, Entrust PKIaaS PQ supports all 3 algorithms and allows organizations to start testing these types of certificates in their applications.
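The four steps above are one procedure: know which data is long-lived, know which algorithms protect it, and rank what to migrate first. The script below is an added example (it is not Entrust's code or tooling and is not part of the original post) that runs that triage over a constructed crypto-asset inventory. Its assumptions are labelled in the code: a roughly 10-year quantum horizon taken from the post, the rule that a vulnerable algorithm whose data lifetime plus migration time exceeds that horizon is urgent, and the NSA's point that firmware signing moves first. The asset names and algorithm labels are invented sample data.

```python
"""Post-quantum readiness triage over a constructed crypto-asset inventory.

Added example, not Entrust's code. Classification sets and priority rules
are assumptions chosen to illustrate the inventory/agility steps in the post.
"""
from dataclasses import dataclass

# Assumption taken from the post: a cryptographically relevant quantum
# computer is expected "within a decade".
QUANTUM_HORIZON_YEARS = 10

# Public-key families built on factoring or discrete logarithms: broken
# outright by Shor's algorithm once such a machine exists.
SHOR_BROKEN_FAMILIES = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "X25519", "ED25519"}
# Symmetric primitives only lose margin to Grover's algorithm: AES-128 is
# left with too little, while AES-256 and SHA-384/512 keep an adequate margin.
GROVER_REDUCED_MARGIN = {"AES-128"}
QUANTUM_SAFE = {"AES-256", "SHA-384", "SHA-512"}

# Lower index = migrate sooner.
PRIORITY_ORDER = ["P0-immediate", "P1-urgent", "P2-plan", "P3-upgrade",
                  "P4-investigate", "OK"]


@dataclass
class CryptoAsset:
    name: str
    algorithm: str
    purpose: str               # e.g. "firmware-signing", "tls", "data-at-rest"
    data_lifetime_years: int   # how long the protected data must stay secure
    migration_years: int       # estimated effort to move this asset to PQ


def classify(algorithm: str) -> str:
    """Map an algorithm label to its standing against the quantum threat."""
    label = algorithm.upper()
    family = label.split("-")[0]
    if family in SHOR_BROKEN_FAMILIES:
        return "quantum-vulnerable"
    if label in GROVER_REDUCED_MARGIN:
        return "reduced-margin"
    if label in QUANTUM_SAFE:
        return "quantum-safe"
    return "unknown"           # not inventoried yet: needs investigation


def triage(asset: CryptoAsset) -> str:
    """Assign a migration priority to one asset."""
    category = classify(asset.algorithm)
    if category == "quantum-vulnerable":
        if asset.purpose == "firmware-signing":
            return "P0-immediate"   # NSA: software/firmware signing moves first
        # Data that must stay protected past the horizon (after allowing for
        # the migration itself) is exposed to harvest-now, decrypt-later.
        if asset.data_lifetime_years + asset.migration_years > QUANTUM_HORIZON_YEARS:
            return "P1-urgent"
        return "P2-plan"
    if category == "reduced-margin":
        return "P3-upgrade"
    if category == "unknown":
        return "P4-investigate"
    return "OK"


def build_report(assets):
    """Return (priority, name, algorithm) tuples, most urgent first."""
    rows = [(triage(a), a.name, a.algorithm) for a in assets]
    return sorted(rows, key=lambda r: (PRIORITY_ORDER.index(r[0]), r[1]))


# Constructed sample inventory (invented names and values).
SAMPLE_INVENTORY = [
    CryptoAsset("bootloader-signing-key", "RSA-3072", "firmware-signing", 15, 3),
    CryptoAsset("patient-records-tls", "ECDH-P256", "tls", 25, 2),
    CryptoAsset("session-cookie-signer", "ECDSA-P256", "web", 0, 1),
    CryptoAsset("backup-archive", "AES-128", "data-at-rest", 20, 1),
    CryptoAsset("database-volume", "AES-256", "data-at-rest", 20, 1),
    CryptoAsset("legacy-vpn", "PROPRIETARY-XOR", "vpn", 5, 5),
]

if __name__ == "__main__":
    for priority, name, algorithm in build_report(SAMPLE_INVENTORY):
        print(f"{priority:15} {name:25} {algorithm}")
```

The point of the lifetime check is that a key used only for short-lived sessions can wait for the migration roadmap, whereas a key exchange protecting records that must stay confidential for decades is already a problem today. In a real inventory the `algorithm` and `purpose` fields would come from certificate scans, TLS configurations and signing pipelines rather than hand-written records.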
Although the timelines are unclear, the conclusion is clear: now is the time to prepare for PQ, from building a PQ readiness team to developing a PQ strategy and roadmap.
For more information on post-quantum preparation, see our resources page.
The post NSA Releases Post-Quantum Readiness Timeline…Begins Immediately appeared first on Entrust Blog.
*** This is a syndicated Entrust Blog Security Bloggers Network blog written by Samantha Mabey. Read the original post at: https://www.entrust.com/blog/2022/10/the-nsa-releases-a-post-quantum-preparedness-timeline-that-begins-immediately/