Critical infrastructure systems rely on digital communications to transmit data. To secure the data in transit, cryptographic technologies are used to authenticate the source and protect the confidentiality and integrity of communicated and stored information. As quantum computing advances over the next decade, it is increasing risk to certain widely used encryption methods. This memorandum outlines my Administration’s policies and initiatives related to quantum computing.
CISA's Post-Quantum Cryptography (PQC) Initiative will unify and drive efforts with interagency and industry partners to address threats posed by quantum computing and to support critical infrastructure and government network owners and operators during the transition to post-quantum cryptography.
Nation-states and private companies are actively pursuing the capabilities of quantum computers. Quantum computing opens up exciting new possibilities; however, the consequences of this new technology include threats to the current cryptographic standards that ensure data confidentiality and integrity and support key elements of network security. While quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities - including both public and private organizations - must work together to prepare for a new post-quantum cryptographic standard to defend against future threats.
In March 2021, Secretary of Homeland Security Alejandro N. Mayorkas outlined his vision for cybersecurity resilience and identified the transition to post-quantum encryption as a priority. The following year, the U.S. government outlined its goals to maintain the nation's competitive advantage in quantum information science (QIS) while mitigating the risks of quantum computers to the nation's cyber, economic, and national security in National Security Memorandum 10.
Government and critical infrastructure organizations must take coordinated preparatory actions now to ensure a fluid migration to the new post-quantum cryptographic standard that the National Institute of Standards and Technology (NIST) will publish in 2024.
On July 6, CISA announced the establishment of a Post-Quantum Cryptography (PQC) Initiative to unify and drive agency efforts to address threats posed by quantum computing. In coordination with interagency and industry partners, CISA's new initiative is building on existing Department of Homeland Security (DHS) efforts as well as those underway at the Department of Commerce's National Institute of Standards and Technology (NIST) to support critical infrastructure and government network owners and operators during the transition to post-quantum cryptography.
CISA's PQC Initiative will oversee its activities in four critical areas:
- Risk Assessment: Assess vulnerability across the U.S. critical infrastructure by assessing risk in the 55 National Critical Functions (NCFs). Through this macro-level assessment of priority NCFs, CISA will determine where post-quantum cryptography transition work is underway, where the greatest risk resides, and what may require federal support.
- Planning: Plan where CISA and its partners should focus resources and engagement with owners and operators across public and private sectors.
- Policy and Standards: Work with partners to foster adoption and implementation of policies, standards, and requirements to improve the security of the Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) entities; critical infrastructure; and the underlying technology that supports all of these entities.
- Engagement and Awareness: Engage stakeholders to develop mitigation plans and encourage implementation of standards once they are available across the FCEB, SLTT, and critical infrastructure sectors. Develop technical products to support these efforts.
Critical infrastructure systems rely on digital communications to transmit data. To secure the data in transit, data encryption built into the devices and systems protects the data from tampering and espionage. As quantum computing advances over the next decade, it presents increasing risk to certain widely used encryption methods.
Identification and inventory of vulnerable critical infrastructure systems across the 55 National Critical Functions (NCFs) is the first step of this preparation and is included in the Post-Quantum Cryptography Roadmap developed by DHS and NIST. To understand these risks to critical infrastructure systems, the RAND Corporation, in support of CISA, analyzed each of the 55 NCFs and assessed that there are risks from quantum computing to each.
The RAND assessment also identified the following four NCFs to be the most important to successful migration given that these NCFs have impact across all others:
- Provide Internet-Based Content, Information, and Communication Services
- Provide Identity Management and Associated Trust Support Services
- Provide Information Technology Products and Services
- Protect Sensitive Information
Action will be required of stakeholders across all NCFs to implement the products and services these four NCFs will develop to enable further updates to take place.
CISA recommends that stakeholders responsible for these NCFs partner closely with NIST, DHS, and other government agencies to ensure their preparedness to not only migrate themselves, but also to support the migration of digital communications across other NCFs.
Review CISA Insights: Preparing Critical Infrastructure for Post-Quantum Cryptography for specific details on potential impacts to NCFs and other recommended actions.
Although NIST does not expect to publish a standard for use by commercial products until 2024, organizations should start preparing for the transition now by following the DHS Post-Quantum Cryptography Roadmap, which includes:
- Inventorying your organization's systems for applications that use public-key cryptography.
- Inventorying, categorizing, and determining the lifecycle of the organizational data.
- Testing the new post-quantum cryptographic standard in a lab environment; however, organizations should wait until the official release to implement the new standard in a production environment.
- Creating a plan for transitioning your organization's systems to the new cryptographic standard that includes:
- Performing an interdependence analysis, which should reveal issues that may impact the order of systems transition.
- Decommissioning old technology that will become unsupported upon publication of the new standard.
- Ensuring validation and testing of products that incorporate the new standard.
- Creating acquisition policies regarding post-quantum cryptography. This process should include:
- Setting new service levels for the transition.
- Surveying vendors to determine possible integration into your organization's roadmap and to identify needed foundational technologies.
- Alerting your organization's IT departments and vendors about the upcoming transition.
- Educating your organization's workforce about the upcoming transition and providing any applicable training.
For more information see the Post-Quantum Cryptography Roadmap.
The National Institute of Standards and Technology (NIST) has announced that a new post-quantum cryptographic standard will replace current public-key cryptography, which is vulnerable to quantum-based attacks.
The Post-Quantum Cryptography Initiative to unify and drive agency efforts to address threats posed by quantum computing.
CISA Releases New Insight on Preparing Critical Infrastructure for the Transition to Post-Quantum Cryptography
A Press Release detailing the potential impacts of quantum computing to National Critical Functions (NCFs).
The Department of Homeland Security (DHS), in partnership with the Department of Commerce’s National Institute of Standards and Technology (NIST), has released a roadmap regarding risks related to the advancement of quantum computing technology.
Department of Commerce’s National Institute of Standards and Technology (NIST)Post-Quantum Cryptography
NIST initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms.
New public-key cryptography standards will specify one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms, and are capable of protecting sensitive government information.
The advent of quantum computing technology can compromise many of the current cryptographic algorithms used to protect digital information.
Frequently Asked Questions regarding quantum computing and post-quantum cryptography.
View resources and guidance regarding Post-Quantum Cybersecurity.
National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems
View memorandum relating the White House's policies and initiatives related to quantum computing.
For questions about CISA’s post-quantum cryptography, please send an email to: firstname.lastname@example.org