Your Guide to The New Federal Quantum Action Plan

As quantum computing continues to advance, the potential threat it poses to traditional cryptography has become a significant concern for governments and organizations worldwide. Recognizing the urgency of preparing for this new era of cryptography, the U.S. Federal Government has taken decisive steps to develop and implement a detailed Post-Quantum Cryptography (PQC) migration strategy. Please refer to the original document here.

This blog will explore the key elements of the Federal Quantum Action Plan, including the identification of systems that may not support PQC, the actions taken thus far, estimated costs, and the ongoing efforts led by the National Institute of Standards and Technology (NIST) to establish PQC standards.

Federal Quantum Action Plan and Strategy: Identifying Systems Unable to Support PQC 

The 2023 National Cybersecurity Strategy (NCS) outlines the Federal Government’s commitment to replacing or updating IT and Operational Technology (OT) systems that cannot defend against sophisticated cyber threats, including those posed by a Cryptographically Relevant Quantum Computer (CRQC). One of the critical steps in this process is the early identification of systems that may not be capable of migrating to PQC. 

There are various reasons why certain systems, both modern and legacy, might be unable to support PQC. Some hardware and software were not designed with cryptographic implementations that can be easily modified. Legacy systems, in particular, may lack the processing power, memory, or bandwidth required to implement PQC algorithms. Replacing these systems will likely be a time-consuming and resource-intensive task, already underway as part of the broader NCS implementation. 

Agencies must identify these unsupported systems as early as possible to avoid delays in the PQC migration process. Given the interconnected nature of cryptographic systems across agency networks, the inability to migrate one system could hinder the migration of others.

To address this, agencies are encouraged to perform real-world testing using pre-standardized PQC algorithms and to continue these efforts once NIST finalizes the PQC standards. The guidance in OMB’s M-23-02 memorandum reinforces this approach, urging agencies to test PQC in production environments with appropriate safeguards to ensure the tests reflect real-world conditions. 

Actions Taken: Laying the Groundwork for PQC Migration

In November 2022, the Office of Management and Budget (OMB) issued M-23-02, a directive requiring federal agencies to prioritize the inventory of cryptographic systems and develop funding estimates for their migration to PQC. This memorandum also established an interagency PQC migration working group that meets bi-weekly and reports to a quarterly interagency policy committee on the implementation of National Security Memorandum 10 (NSM-10), which focuses on quantum-resistant cryptography. 

In January 2024, OMB and the Office of Science and Technology Policy convened a roundtable with government representatives, industry leaders, and academic experts to discuss the requirements of NSM-10 and the relevant legislative acts. The insights gained from this roundtable are expected to guide future PQC migration efforts. 

Looking ahead, OMB, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and NIST, will issue guidance within one year of the adoption of the first set of NIST PQC standards. This guidance will direct agencies to develop prioritized migration plans and will continue to leverage the interagency working group to coordinate efforts and connect stakeholders as the migration progresses. 

Estimating the Costs of PQC Migration: A Preliminary Financial Overview

The transition to PQC is expected to be a substantial financial undertaking. OMB and the Office of the National Cyber Director (ONCD), in collaboration with CISA and NIST, have been working with federal agencies to prepare for this transition. Their efforts have focused on three key activities: 

• Developing an Initial Cryptographic Inventory

  Agencies have been tasked with creating an inventory of cryptographic systems on prioritized information systems, excluding national security systems (NSS).

• Developing Cost Estimates

  Based on the initial inventories, agencies have developed rough cost estimates for migrating their systems to PQC. The preliminary government-wide cost estimate for this migration, covering the period from 2025 to 2035, is approximately $7.1 billion (in 2024 dollars). Separate estimates are being developed by the Department of Defense, the Office of the Director of National Intelligence, and the National Manager for NSS.

• Prioritizing the Transition

  Agencies have also developed criteria to prioritize systems for migration based on the specific conditions and qualities of their host systems and networks.

These cost estimates are subject to annual updates as agencies become more familiar with their cryptographic inventories, costing methodologies, and the transition process. The initial projections reflect a high level of uncertainty, as many systems may not be capable of accommodating new cryptographic algorithms due to limitations in their hardware or firmware. Replacing these systems is expected to constitute a significant portion of the overall migration cost. 

NIST’s Role in Developing PQC Standards and Addressing Challenges

The success of the Federal Government’s PQC migration strategy hinges on the widespread availability and adoption of open PQC standards. NIST is leading this effort through an open standards development process, which involves extensive collaboration with cryptographers and security researchers both in the U.S. and internationally. This process began in December 2016 when NIST issued a public call for PQC algorithm submissions. 

Since then, NIST has methodically evaluated submitted algorithms, advancing the most promising candidates through multiple rounds of review. By July 2020, NIST had selected four algorithms for initial standardization, with additional candidates being considered as new use cases emerge. 

However, strong algorithms alone are not enough. The security of cryptographic systems also depends on how these algorithms are implemented. NIST, through its Cryptographic Module Validation Program (CMVP), conducts independent tests to ensure that cryptographic defenses are correctly built and function as intended.

The CMVP has become a crucial part of the PQC migration process, but the volume of cryptographic modules awaiting testing has surged beyond current program capacity, leading NIST to initiate a CMVP modernization effort. This effort aims to expand testing lab capabilities, increase staffing, and secure contract support to handle submission surges, all of which are critical to clearing the current backlog and preparing for the future demands of PQC migration.

In addition to standardization, NIST’s National Cybersecurity Center of Excellence (NCCoE) has launched the “Migration to Post-Quantum Cryptography” project, which explores best practices for preparing for and migrating to PQC. This project has produced several key publications, including: 

• NIST SP 1800-38B

  Approach, Architecture, and Security Characteristics of Public Key Application Discovery Tools.

• NIST SP 1800-38C

  Quantum Resistant Cryptography Technology Interoperability and Performance Report.

Timeline of Key Milestones in the PQC Migration Process 

The journey to PQC migration has been marked by several key milestones: 

• April 2015: Workshop on Cybersecurity in a Post-Quantum World held at NIST, Gaithersburg, MD.

• December 2016: Federal Register Notice announces Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms.

• July 2020: Third-round finalists and alternate candidates announced by NIST.

• June 2021: Third NIST PQC Standardization Conference held virtually.

• January 2024: OMB and the Office of Science and Technology Policy convene the PQC interagency migration working group roundtable.

These milestones reflect the ongoing, collaborative effort between federal agencies, industry partners, and academic institutions to prepare for the transition to quantum-resistant cryptography.

How Encryption Consulting Can Help with Post-Quantum Cryptographic Migration

At Encryption Consulting, we offer Post-Quantum Cryptographic Advisory Services designed to help organizations navigate the complexities of quantum-era cybersecurity. Our services provide deep insights into potential quantum risks and guide you through the transition to quantum cyber-readiness, aligning with PQC standards recommended by CISA, NSA, and NIST. 

We assist in evaluating and modernizing your cryptographic infrastructure through strategic planning and proactive cryptographic discovery. Our Quantum Readiness Roadmap & Strategy ensures a seamless transition to quantum-resistant cryptography, safeguarding your data against emerging quantum threats and ensuring long-term resilience. 

Why Choose Us?

• Quantum Threat Assessment: Identify and mitigate quantum risks to secure sensitive data.

• Visibility and Compliance Enhancement: Ensure compliance and enhance the security posture of your cryptographic infrastructure.

• Customized Strategy & Implementation: Develop and implement a tailored quantum-readiness strategy for a secure transition.

• Future-Proofing Your Digital Assets: Reinforce security, compliance, and trust against rising quantum threats.

Prepare for the Quantum Era with Encryption Consulting! With our expertise, your organization can confidently face the future, ensuring that your cryptographic infrastructure is robust, compliant, and ready to withstand the challenges posed by quantum computing advancements. 

Conclusion

The Federal Quantum Action Plan is a crucial initiative to protect digital infrastructure from the emerging threats of quantum computing. With a focus on identifying vulnerable systems, estimating migration costs, and developing robust PQC standards, the U.S. Federal Government is laying the groundwork for a secure transition. 

As quantum technology continues to advance, staying ahead of potential threats and aligning with best practices will be essential for securing your digital assets. By partnering with Encryption Consulting, you can effectively address these challenges and secure your organization against the uncertainties of tomorrow.