Hi All
The White House released the "REPORT ON POST-QUANTUM CRYPTOGRAPHY" as required by the Act and National Security Memorandum 10 (“NSM-10”).
This document is useful as it:
Describes the US national strategy to transition to Post Quantum Cryptography
Estimates the funding needed
Summarizes the work done already, mostly by NIST
Highlights:
Estimates the existence of a Cryptographically Relevant Quantum Computer (CRQC) in the 2030s, in line with my most trusted estimations. Recognizes quantum computing as a double-edged sword: the U.S. Government must support the development of quantum computing to maintain competitive advantage in the future while preparing the defense against the threat it poses.
The strategy for migration includes:
🚩 A comprehensive and ongoing cryptographic inventory. The ubiquitous and embedded nature of public-key cryptography means that maintaining a comprehensive inventory will be an iterative and ongoing process, including automated and manual tasks.
🚩 The threat of record-now-decrypt-later attacks means that the migration to PQC must start well before a CRQC is known to be operational.
🚩 Agencies must prioritize systems and data for PQC migration. Migrating public-key cryptography to PQC will require deliberate planning over multiple years. Interoperability is a primary concern for migration. Their priorities are: high-impact information systems, agency high-value assets, and any other systems that contain data expected to remain mission-sensitive in 2035, or are logical access control systems based on asymmetric encryption (such as PKI).
🚩 Systems that will not be able to support PQC must be identified as early as possible. Agencies must identify these unsupported systems as early as feasible in order to begin planning and avoid PQC migration delays. The report identifies that the cost to replace these systems constitutes a significant portion of the overall estimate.
The total government-wide cost between 2025 and 2035 will be approximately $7.1 billion in 2024 dollars. Initial cost estimates represent a rough order of magnitude rather than precise calculations. This does not include National Security Systems. The report warns that these estimates are rough orders of magnitude rather than precise calculations.
The document is interesting and informative. Interesting to see the $7.1 billion budget. I don't know how much that is in the overall IT budget. I guess for normal companies an important part of the budget could be allocated to BAU tech updates and renovations. But they have identified that systems that cannot be updated take a large portion of the cost. It makes sense to identify them ASAP and consider obsolescence elimination plans and an update to procurement policies to stop buying anything without a roadmap to support PQC.
Regards
Caute_Cautim