The Office of Management and Budget (OMB) has sent out a memorandum that requires all Federal agencies to provide inventory on cryptographic systems that are vulnerable to AI technologies by May 4 of the upcoming year.
The memorandum was released on Nov. 18 and is helping steer agencies in the correct path to follow the National Security Memorandum 10 (NSM-10) that helps outline prospective threats to government systems as well as prepare for post-quantum cryptography (PQC).
“This memorandum describes preparatory steps for agencies to undertake as they begin their transition to PQC by conducting a prioritized inventory of cryptographic systems. Further, this memorandum provides transitional guidance to agencies in the period before PQC standards are finalized by the National Institute of Standards and Technology (NIST), after which OMB will issue further guidance,” stated the memorandum.
Part of these steps in the memorandum describe how OMB has been in close collaboration with the Office of the National Cyber Director (ONCD) to “establish requirements for inventorying all currently deployed cryptographic systems, excluding National Security Systems,” stated the memorandum.
The document also outlines some of the systems that must encompass part of the inventory that the OMB is looking for, which include the following.
- A high impact information systems;
- An Agency HVA;
- Any other systems that an agency determines is likely to be particularly vulnerable to CRQC-based attacks.
The memorandum also sets out to require government departments to give an annual vulnerability report until 2035.
The White House set out a timeline of 30 days after publishing the memorandum for “agencies [to] designate a cryptographic inventory and migration lead for their organization,” and 90 days of publishing the memorandum the “ONCD, in coordination with OMB, CISA and the FedRAMP Program Management Office (PMO), will release instructions for the collection and transmission of this inventory,” stated the memorandum.
