OMB Issues Guidance to Prepare Agencies for a Post-Quantum World

Published: December 01, 2022


OMB asks federal departments to start an inventory of cryptographic systems, among other actions, to prepare for a post-quantum world.

The advent of quantum computing is a welcome one, with the promise of ultra-advanced computing to tackle the most complex of problems. Nonetheless, the emerging technology also poses a cyber risk, with the ability to compromise encrypted systems. As such, the White House issued a pair of directives in May 2022, both to recommit to quantum R&D and to help prepare federal agencies for a post-quantum environment by 2035.

Recently, OMB issued a memorandum, Migrating to Post-Quantum Cryptography, which requires agencies to prepare for post-quantum cryptography (PQC) implementation. The actions under the OMB memo are to coincide with work at NIST on standardizing quantum-resistant public-key cryptographic algorithms. In July 2022, researchers at NIST announced the successful development of four new quantum-resistant algorithms called CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON and SPHINCS+. Final standards are planned for publication within the next two years.

The OMB memo is centered on the federal inventory of cryptographic systems, defined as “an active software or hardware implementation of one or more cryptographic algorithms that provide one or more of the following services: (1) creation and exchange of encryption keys; (2) encrypted connections; or (3) creation and validation of digital signatures.”

Specifically, OMB calls on agencies to:

  • Submit a list of cryptographic systems, excluding national security systems, by May 2023. Systems must be considered High Value Assets (HVA), high impact, or any other system the agency determines to be vulnerable to quantum attack.
  • Assess funding to migrate inventoried systems and assets to PQC in FY 2025 budget requests.
  • CISA, NSA and NIST to coordinate on a strategy to automate assessment of agency progress towards adoption of PQC.
  • CISA and agencies to work with vendors to identify candidate environments, hardware, and software to test PQC.
  • OMB and Office of the National Cyber Director (ONCD) to establish a cryptographic migration working group to assist agencies with cryptographic inventories and migration.

Undoubtedly, agencies will require contractor solutions and services to migrate critical systems to a quantum-resilient state, secure them, and avoid major threats. According to the OMB memo, agencies must prepare as soon as possible to implement PQC, remaining aware that encrypted data may even be recorded now and potentially decrypted later.