Regarding Upcoming Threats, Agencies Give Post-Quantum Cryptography Priority in Acquisitions

As part of a multiyear effort to protect sensitive data from the potential threat posed by future quantum computers, federal agencies are being aggressively pushed to include post-quantum cryptography (PQC) requirements in their purchase processes.

Concerns about the “harvest now, decrypt later” scenario are driving this push. Quantum computers that can crack current encryption techniques are not expected to be fully developed for at least another ten years, but U.S. officials are concerned that adversaries may be stealing encrypted data now, storing it, and waiting to decrypt it once more sophisticated quantum systems become available. This makes the change both urgent and essential.

This program is led by NIST, the NSA, the Office of the National Cyber Director, and CISA. These federal agencies held a debate with over 600 federal IT professionals to emphasise the importance of post-quantum cryptography.

Garfield Jones, associate chief of strategic technology at CISA, emphasised the importance of raising agency awareness. “Federal Agencies are being advised to include PQC requirements directly in their acquisition documentation as vendors start to adopt the new standards,” he said.

The government’s strong guidelines for this transition reflect bipartisan support. In 2022, former President Joe Biden established a national security objective to reduce “as much quantum risk as feasible” by 2035. The Office of Management and Budget (OMB) then instructed federal agencies to inventory their most critical IT assets and create comprehensive plans for the PQC transition. In January, Biden also issued an executive order on cybersecurity that included updated PQC criteria. Notably, neither of Biden’s cyber orders has been revoked by the Trump administration, indicating that the policy’s significance will not change.

The January executive order expressly required CISA to release a list of product categories that support post-quantum cryptography by the middle of July. Within 90 days of CISA’s release, federal agencies must take action to incorporate PQC requirements in solicitations for any product potentially covered by this list.

NIST, which last year finalised three post-quantum cryptography standards, is laying the groundwork for this transition. As the agency builds its list of PQC devices, CISA is actively collaborating with companies to assess their cryptographic solutions.

Despite these efforts, many organisations are still in the early stages of implementation. According to a recent DigiCert poll, just 5% of organisations have actually adopted quantum-safe encryption, even though a sizable majority (69%) are aware of the threats posed by quantum computing.

The FBI’s Cyber Technical Analytics and Operations section leader, Todd Hemmen, stated that the current ten-year transformation plan calls for a “thought-driven, process-driven approach” in addition to urgency. He reaffirmed the “harvest now, decrypt later” adage, stressing that information that is made public now may be compromised later. He did point out, though, that federal agencies are rarely under such immediate time pressure to make snap choices.

Putting the new PQC algorithms into practice brings its own difficulties. These algorithms are “a little heavier” than conventional ones, Jones noted. Federal agencies should anticipate potential implementation challenges, especially in domains such as operational technology. To prevent unforeseen problems, he suggested that agencies prepare by collaborating with vendors, understanding their roadmaps, and incorporating requirements into acquisition documents and policy.

Funding is mentioned as a major barrier in addition to technical and integration challenges. Prior estimates from OMB, which did not include classified systems used by the Defence Department and the intelligence community, put the cost of the government-wide transition at about $7.1 billion over ten years.

Securing money for PQC may prove more challenging than for other tech priorities, such as artificial intelligence, according to Landon Van Dyke, senior advisor for technology adoption and strategy at the State Department. He emphasised that the main advantage of a successful PQC transition, a safe, breach-free “quiet day,” does not have the obvious return on investment that executives are drawn to. According to Van Dyke, the challenge is persuading leaders that “if you don’t do it, we’re in trouble.” “And they’ll ask, ‘Well, what’s my return?’” he continued. His answer: the return is a calm day.

Incorporating post-quantum cryptography into government acquisitions is a crucial step in preparing government systems for the impending quantum age, one that balances the threat’s long-term nature against the urgent need to start protecting sensitive data.
