NIST has released a new document, open for public commentary, on its post-quantum cryptography guidance. The working draft, titled “Migration to Post-Quantum Cryptography: Preparation for Considering the Implementation and Adoption of Quantum-Safe Cryptography,” seeks to raise awareness of the proliferation of public-key cryptography and its functional dependencies within most products, services, and operational environments.
The major theme and goal of the document is to help organizations understand the security architecture in their networks and the vast dependencies on public-key encryption so that organizations can prioritize modernization and better plan for the replacement of public-key encryption with quantum-resistant cryptography.
As NIST continues its efforts to finalize the PQC standard, the agency is reinforcing its previous warnings that organizations must begin their migration planning now. A recommended first step is complete visibility into and a full inventory of the use of cryptography across the organization.
Bill Newhouse, a cybersecurity engineer with NIST and the National Cybersecurity Center of Excellence (NCCoE), shares: “In advance of final PQC standards, discovery activities are a necessary first step to learn which cryptographic algorithms are being used today to protect data and communications. From this discovery step, migration prioritization decisions can begin to be made.”
Quantum Xchange is helping organizations prepare their PQC migration roadmap using a risk-based approach. Our cryptographic discovery and risk assessment tool, CipherInsights, continually monitors network traffic to provide users with a near real-time view into risks and remediation based on each of the five core CISA zero-trust pillars: data, applications, network, device, and identity.
Cryptographic vulnerabilities and risk factors such as unencrypted traffic, clear-text passwords, expired certificates, self-signed intermediate certificate authorities, and insecure encryption algorithms are scored using standard guidelines. The risk dashboard provides users with a clear understanding of their cybersecurity posture and a prioritized list of risk mitigations to maintain compliance, pass audits, and better prepare for the great crypto migration – the replacement of legacy encryption with quantum-safe algorithms.