OMB has told agencies to “prepare now” to implement encryption to counter the “threat posed by the prospect of a cryptanalytically relevant quantum computer.”
“Once operational, a CRQC is expected to be able to compromise certain widely used cryptographic algorithms used to secure federal data and information systems,” said memo M-23-02. “Additionally, agencies must remain cognizant that encrypted data can be recorded now and later decrypted by operators of a future CRQC.”
The memo provides guidance for carrying out National Security Memorandum 10 issued in May on mitigating risk to cryptographic systems from quantum computing, which is capable of analyzing information in ways that traditional computers cannot—including potentially for breaking security protections. Technical guidance on post-quantum cryptography is to come from the National Institute of Standards and Technology.
The memo describes “preparatory steps” pending that guidance, including requirements for agencies to inventory their active cryptographic systems, with a focus on high value assets and high impact systems, and to annually assess their funding needs.
Agencies further “are encouraged to work with software vendors to identify candidate environments, hardware, and software” for testing of post-quantum cryptography in areas such as web browsers, content delivery networks, cloud service providers, devices and endpoints, and enterprise devices that initiate or terminate encrypted traffic.