The Cybersecurity and Infrastructure Security Agency on Friday released post-quantum cryptography (PQC) transition guidance focused on preparing the most vulnerable federal digital systems for the possible emergence of cryptographically relevant quantum computers (CRQCs), machines capable of breaking today's public-key cryptography.
Following the release of the first standardized post-quantum algorithms, NIST's FIPS 203, 204 and 205, the CISA guidance, dated August 15, recommends that federal civilian executive branch (FCEB) agencies use automated cryptographic discovery and inventory (ACDI) software to conduct their initial system inventories.
CISA wants agencies to start the transition process early. The guidance states that inventory processes require both manual data collection and automated support.
“The primary goal of this strategy is to enable assessment of agency (post-quantum cryptography) transition progress,” the guidance reads. “This includes the use of (automated cryptographic discovery and inventory) tools to assist (federal civilian executive branch) agencies in inventorying information systems and assets containing CRQC-vulnerable cryptography.”
CISA urges civilian agencies to first identify potential vulnerabilities in, and migrate, assets that store sensitive information on high-impact information systems and certain networks. The guidance also prioritizes assets that “contain data that is expected to remain mission-sensitive well into 2035,” since data harvested today could be decrypted once a CRQC exists.
CISA has also identified three areas of ongoing research that are expected to inform the PQC transition effort. These center on understanding which automated cryptographic discovery tools the industry offers and how accurately those tools detect the algorithms built into a particular software package.
“CISA has not been able to confirm the full range of cryptographic algorithm detection capabilities available through automatic cryptographic discovery tools,” the guidance states.
Future efforts in this area will see CISA, along with other partners, lead the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence’s “Transition to PQC” project.
The use of automated inventory scanning software has become a minor point of contention between government and industry. Government partners are working to establish baseline standards for the reliability of automated cryptographic discovery and inventory tools, while industry argues that manual network inventory is too cumbersome to be done efficiently.
The guidance states that such tools may be useful operating on their own or in conjunction with other network analysis efforts to collect cryptographic inventory data from networks, file systems, database systems and software packages, but adds that enterprises need further steps to integrate automated discovery tools into their network scans. CISA notes that while agencies already have some automation capabilities through the Continuous Diagnostics and Mitigation (CDM) program, those capabilities are still insufficient to meet CISA’s goals. CDM’s current dashboards and analytics “need to be expanded to support the data elements provided by the ACDI tool,” the report states.
“This pilot will determine the optimal level of integration, including data elements and interfaces,” the guidance states. “As part of this pilot program, we will need to conduct a comparative analysis to determine the extent to which ACDI tools can discover crypto assets versus manual means to discover known assets.”
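To make concrete what an ACDI tool of the kind described above does, where its detection capability runs out, and how the pilot's comparison against a manual inventory might be run, here is an added Python example; it is not code from CISA, from the CDM program or from any ACDI vendor. It scans constructed sample assets (a web server configuration, two key files, a Python signer and a Go module) with a small rule set, classifies each hit as CRQC-vulnerable, Grover-weakened, quantum-safe or unknown, and diffs the result against a hand-maintained inventory. The sample assets, the rule set, the risk labels and the manual inventory are all assumptions chosen for illustration; a production tool would parse ASN.1 structures and binaries rather than rely on text patterns.

```python
"""Toy automated cryptographic discovery and inventory (ACDI) scanner.

Added example, not code from CISA, CDM or any ACDI vendor. Sample assets,
rule set, risk labels and manual inventory are assumptions for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

CRQC_VULNERABLE = "CRQC-vulnerable"  # public-key schemes Shor's algorithm breaks
GROVER_WEAKENED = "Grover-weakened"  # symmetric margin reduced by Grover, not broken
QUANTUM_SAFE = "quantum-safe"        # AES-256, SHA-2/3, FIPS 203/204/205 families
UNKNOWN = "unknown"                  # algorithm not recoverable from text alone

# A PEM header that names the algorithm is authoritative for its line, so PEM
# rules are checked first and suppress the weaker token rules on that line.
PEM_RULES = [
    (re.compile(r"-----BEGIN RSA (PRIVATE|PUBLIC) KEY-----"), "RSA", CRQC_VULNERABLE),
    (re.compile(r"-----BEGIN EC PRIVATE KEY-----"), "ECC", CRQC_VULNERABLE),
    (re.compile(r"-----BEGIN DSA PRIVATE KEY-----"), "DSA", CRQC_VULNERABLE),
    # PKCS#8 and SPKI wrappers carry the AlgorithmIdentifier inside the DER body;
    # a text scanner cannot tell RSA from ML-DSA here without parsing ASN.1.
    (re.compile(r"-----BEGIN (PRIVATE|PUBLIC) KEY-----"), "PKCS#8/SPKI", UNKNOWN),
]
TOKEN_RULES = [
    (re.compile(r"\b(ECDHE|DHE|ECDH|DH)\b"), "DH/ECDH key exchange", CRQC_VULNERABLE),
    (re.compile(r"\bRSA\b", re.I), "RSA", CRQC_VULNERABLE),
    (re.compile(r"\b(ec|ecdsa|x25519|x448|ed25519|ed448|secp\d+[rk]1|prime256v1)\b", re.I),
     "ECC", CRQC_VULNERABLE),
    (re.compile(r"\b(ML[-_]?KEM|ML[-_]?DSA|SLH[-_]?DSA|kyber|dilithium|sphincs)\b", re.I),
     "PQC (FIPS 203/204/205)", QUANTUM_SAFE),
    (re.compile(r"\bAES[-_]?128\b", re.I), "AES-128", GROVER_WEAKENED),
    (re.compile(r"\bAES[-_]?256\b", re.I), "AES-256", QUANTUM_SAFE),
    (re.compile(r"\bSHA[-_]?(256|384|512|3)\b", re.I), "SHA-2/3", QUANTUM_SAFE),
]


@dataclass(frozen=True)
class Finding:
    asset: str      # file or configuration object the hit was found in
    line: int       # 1-based line number within the asset
    family: str     # algorithm family the rule maps to
    risk: str       # one of the four labels above
    evidence: str   # the matched text, kept for analyst review


def scan_text(asset, text):
    """Return one Finding per (line, rule) that matches in the asset's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("-----END"):  # footer just repeats the header's algorithm name
            continue
        matched = [rule for rule in PEM_RULES if rule[0].search(line)]
        if not matched:
            matched = [rule for rule in TOKEN_RULES if rule[0].search(line)]
        for pattern, family, risk in matched:
            findings.append(Finding(asset, lineno, family, risk, pattern.search(line).group(0)))
    return findings


def scan_assets(assets):
    """Scan a mapping of asset name -> text content (stand-in for a file system walk)."""
    return [f for name, text in assets.items() for f in scan_text(name, text)]


def summarize(findings):
    """Count findings per risk label, the figure a transition-progress dashboard needs."""
    return dict(Counter(f.risk for f in findings))


def compare_with_manual(findings, manual):
    """Diff the automated inventory against a manual one; both are sets of (asset, family)."""
    automated = {(f.asset, f.family) for f in findings}
    return {"both": automated & manual,
            "automated_only": automated - manual,
            "manual_only": manual - automated}


SAMPLE_ASSETS = {  # constructed inputs, not real files or keys
    "nginx.conf": "ssl_protocols TLSv1.2 TLSv1.3;\n"
                  "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;\n",
    "server.key": "-----BEGIN RSA PRIVATE KEY-----\n(body omitted)\n-----END RSA PRIVATE KEY-----\n",
    "legacy.key": "-----BEGIN PRIVATE KEY-----\n(body omitted)\n-----END PRIVATE KEY-----\n",
    "signer.py": "from cryptography.hazmat.primitives.asymmetric import ec\n"
                 "key = ec.generate_private_key(ec.SECP256R1())\n",
    "kem.go": 'import "crypto/mlkem"\ndk, err := mlkem.GenerateKey768()\n',
}
# Constructed manual inventory: provisioning records say legacy.key is an RSA key.
MANUAL_INVENTORY = {("server.key", "RSA"), ("legacy.key", "RSA"), ("nginx.conf", "RSA")}

if __name__ == "__main__":
    found = scan_assets(SAMPLE_ASSETS)
    for f in found:
        print(f"{f.asset}:{f.line} {f.family:<24} {f.risk:<16} {f.evidence}")
    print("summary:", summarize(found))
    for bucket, pairs in compare_with_manual(found, MANUAL_INVENTORY).items():
        print(f"{bucket}: {sorted(pairs)}")
```

The `legacy.key` result is the point of the exercise: a PKCS#8 header does not name its algorithm, so text matching reports it as unknown while the manual inventory records it as RSA. That mismatch shows up in the `manual_only` bucket, and a comparison of exactly this kind is what the pilot's analysis of ACDI tools versus manual discovery would measure.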
Following the release of the guidance, CISA and other federal partners plan further measures in the coming months to support a thorough review of PQC readiness within federal networks, including updating reporting requirements and further evaluating which tools are appropriate for analyzing government networks.