CISA publishes initial guidance on PQC discovery tools

CISA (the US Cybersecurity and Infrastructure Agency) recently issued detailed guidance on automated post-quantum cryptography (PQC) discovery and on the tools federal agencies can use to build inventories of vulnerable assets and systems.

Following on from the Office of Management and Budget’s November 2022 memorandum (M-230-02), federal agencies are required to report on cryptographic systems that use quantum-vulnerable cryptography. Consequently, CISA has been mandated to develop a strategy on automated tooling and support for this effort.

The guidance is noteworthy because its recommendations include both manual data collection and the use of automated support sooner rather than later, particularly for assets that contain data ‘expected to remain mission-sensitive in 2035.’ In fact, CISA presents a timeline during which the agency will monitor the ongoing status of migration, in collaboration with NIST and the wider community, with a view to deploying automated cybersecurity tools across the Federal Civilian Executive Branch (FCEB).

The guidance reinforces the evident acceleration of PQC migration, not just for US federal agencies but also for the rest of the world. Coming on the heels of the finalized NIST standards FIPS 203, 204 and 205, it’s another push towards compliance, ensuring that the world’s technology supply chain is ready for cryptography modernization.

You can read the full report here.