The Office of the National Cyber Director (ONCD) has released specific instructions to Federal agencies on inventorying their cryptographic systems as they prepare to transition to the era of quantum-resistant cryptography, per the White House’s National Security Memorandum 10 (NSM-10).
ONCD’s guidelines will help instruct Federal agencies on how to inventory their most critical cryptographic systems by May 4, the office’s Director for Budget and Assessment, Dylan Presman, explained during ATARC’s Quantum Speaker Series.
“Today, the Office of the National Cyber Director released guidance and templates to Federal departments and agencies on the inventory of cryptographic systems,” Presman said during the virtual event on Feb. 15. “Departments and agencies are responsible for submitting to the administration prioritized inventories of cryptographic systems by May 4.”
NSM-10, Promoting United States Leadership in Quantum Computing While Mitigating Risk to Vulnerable Cryptographic Systems, was released by the Biden-Harris administration last May.
The memo outlines the threat posed by the prospect of a cryptanalytically relevant quantum computer and requires agencies to prepare now to implement post-quantum cryptography.
Once operational, a quantum computer is expected to be able to compromise certain widely used cryptographic algorithms that secure Federal data and information systems, the White House warned.
Additionally, and most importantly, agencies must remain cognizant that encrypted data can be recorded now and later decrypted by operators of a future quantum computer.
“Quantum computers will be mature enough in 20 to 30 years,” Presman explained. “But it’s not just about when quantum computers will be ready, it’s about the shelf life of data.”
Presman warned that classified and sensitive data – like medical records, intellectual property, or names of witnesses – can have a lifespan of 25 to 50 years, or sometimes even longer. It’s critical that the U.S. government continue to protect this information.
“The time is already running short on putting in place systems to secure our classic computers,” the White House official warned. “We know that foreign adversaries plan and are currently collecting encrypted data from public and private entities with plans to decrypt it later when they have access to a sufficiently developed quantum computer.”
“It’s what’s called harvest now, decrypt later,” he said.
The Office of Management and Budget (OMB) released M-23-02, Migrating to Post-Quantum Cryptography, in November to inform agencies of the forthcoming requirement to transition to quantum-resistant systems, and told leadership to expect ONCD’s specific instructions by mid-February.
Presman said that after agencies submit, by May 4, their prioritized list of systems that need to migrate to post-quantum cryptography, they will be expected to develop a plan for that migration.