https://community.isc2.org/t5/Industry-News/Report-on-Post-Quantum-Cryptography-NSM-10/m-p/73029#M7107 <P>Hi All</P><P>&nbsp;</P><P><SPAN class=""><SPAN>The Whitehouse released the "REPORT ON POST-QUANTUM CRYPTOGRAPHY" as required by the Act and National Security Memorandum 10 (“NSM-10”).<BR /><BR />This document is useful as it:<BR />Describes the US national strategy to transition to Post Quantum Cryptography<BR />Estimates the funding needed<BR />Summarizes the work done already, mostly by NIST<BR /><BR />Highlights:<BR />Estimates the existence of a Cryptographically Relevant Quantum Computer (CRQC) in the 2030s, in line with the my most trusted estimations. Recognizes quantum computing as a double edged sword: the U.S. Government must support the development of quantum computing to maintain competitive advantage in the future while preparing the defense from their threat.<BR />The strategy for migration is includes:<BR /><span class="lia-unicode-emoji" title=":triangular_flag:">🚩</span> A comprehensive and ongoing cryptographic inventory. The ubiquitous and embedded nature of public-key cryptography means that maintaining a comprehensive inventory will be an iterative and ongoing process, including automated and manual tasks.<BR /><span class="lia-unicode-emoji" title=":triangular_flag:">🚩</span> The threat of record-now-decrypt-later attacks means that the migration to PQC must start well before a CRQC is known to be operational.<BR /><span class="lia-unicode-emoji" title=":triangular_flag:">🚩</span> Agencies must prioritize systems and data for PQC migration. Migrating public-key cryptography to PQC will require deliberate planning over multiple years. Interoperability is a primary concern for migration. Their priorities are: High impact information systems, agency high value asset,<BR /><span class="lia-unicode-emoji" title=":triangular_flag:">🚩</span> Any other systems that contain data expected to remain mission-sensitive in 2035, or are logical access control systems based in asymmetric encryption (such as PKI).<BR /><span class="lia-unicode-emoji" title=":triangular_flag:">🚩</span> Systems that will not be able to support PQC must be identified as early as possible. Agencies must identify these unsupported systems as early as feasible in order to begin planning and avoid PQC migration delays. The report identifies that the cost to replace these systems constitutes a significant portion of the overall estimate.<BR />The total government-wide cost between 2025 and 2035 will be approximately $7.1 billion in 2024 dollars. Initial cost estimates represent a rough order of magnitude rather than precise calculations.&nbsp;This does not include National Security Systems. The report warns that these estimates are rough orders of magnitude rather than precise calculations.<BR /><BR />The document is interesting and informative. Interesting to see the $7.1 billion budget. I don't know how much that is in the overall IT budget. I guess for normal companies an important part of the budget could be allocated to BAU tech updates and renovations. But they have identified that systems that cannot be updated take a large portion of the cost. It makes sense to identify them ASAP and consider obsolescence elimination plans and an update to procurement policies to stop buying anything without a roadmap to support PQC.<BR /><BR /></SPAN><SPAN>Regards<BR /></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class=""><SPAN>Caute_Cautim</SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 12 Aug 2024 19:31:57 GMT Caute_cautim 2024-08-12T19:31:57Z https://community.isc2.org/t5/Industry-News/Report-on-Post-Quantum-Cryptography-NSM-10/m-p/73029#M7107 <P>Hi All</P><P>&nbsp;</P><P><SPAN class=""><SPAN>The Whitehouse released the "REPORT ON POST-QUANTUM CRYPTOGRAPHY" as required by the Act and National Security Memorandum 10 (“NSM-10”).<BR /><BR />This document is useful as it:<BR />Describes the US national strategy to transition to Post Quantum Cryptography<BR />Estimates the funding needed<BR />Summarizes the work done already, mostly by NIST<BR /><BR />Highlights:<BR />Estimates the existence of a Cryptographically Relevant Quantum Computer (CRQC) in the 2030s, in line with the my most trusted estimations. Recognizes quantum computing as a double edged sword: the U.S. Government must support the development of quantum computing to maintain competitive advantage in the future while preparing the defense from their threat.<BR />The strategy for migration is includes:<BR /><span class="lia-unicode-emoji" title=":triangular_flag:">🚩</span> A comprehensive and ongoing cryptographic inventory. The ubiquitous and embedded nature of public-key cryptography means that maintaining a comprehensive inventory will be an iterative and ongoing process, including automated and manual tasks.<BR /><span class="lia-unicode-emoji" title=":triangular_flag:">🚩</span> The threat of record-now-decrypt-later attacks means that the migration to PQC must start well before a CRQC is known to be operational.<BR /><span class="lia-unicode-emoji" title=":triangular_flag:">🚩</span> Agencies must prioritize systems and data for PQC migration. Migrating public-key cryptography to PQC will require deliberate planning over multiple years. Interoperability is a primary concern for migration. Their priorities are: High impact information systems, agency high value asset,<BR /><span class="lia-unicode-emoji" title=":triangular_flag:">🚩</span> Any other systems that contain data expected to remain mission-sensitive in 2035, or are logical access control systems based in asymmetric encryption (such as PKI).<BR /><span class="lia-unicode-emoji" title=":triangular_flag:">🚩</span> Systems that will not be able to support PQC must be identified as early as possible. Agencies must identify these unsupported systems as early as feasible in order to begin planning and avoid PQC migration delays. The report identifies that the cost to replace these systems constitutes a significant portion of the overall estimate.<BR />The total government-wide cost between 2025 and 2035 will be approximately $7.1 billion in 2024 dollars. Initial cost estimates represent a rough order of magnitude rather than precise calculations.&nbsp;This does not include National Security Systems. The report warns that these estimates are rough orders of magnitude rather than precise calculations.<BR /><BR />The document is interesting and informative. Interesting to see the $7.1 billion budget. I don't know how much that is in the overall IT budget. I guess for normal companies an important part of the budget could be allocated to BAU tech updates and renovations. But they have identified that systems that cannot be updated take a large portion of the cost. It makes sense to identify them ASAP and consider obsolescence elimination plans and an update to procurement policies to stop buying anything without a roadmap to support PQC.<BR /><BR /></SPAN><SPAN>Regards<BR /></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class=""><SPAN>Caute_Cautim</SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 12 Aug 2024 19:31:57 GMT https://community.isc2.org/t5/Industry-News/Report-on-Post-Quantum-Cryptography-NSM-10/m-p/73029#M7107 Caute_cautim 2024-08-12T19:31:57Z