Are federal agencies’ post-quantum cryptography preparations on track?

Today, the government uses standard cryptographic algorithms to protect its data. But amid the rise of quantum computers, these algorithms may not offer the security they once did. 

Put simply, quantum computers — with the ability to factor extremely large prime numbers — could one day break into these algorithms, helping adversaries access all sorts of critical information, including personal data about U.S. citizens and critical scientific and military secrets. 

“If we can build large-scale quantum computers that run exactly as physics predicts that they should,” explains Ryan O’Donnell, a computer science professor at Carnegie Mellon, “then they will be able to break most of the cryptography that was in use up until now.” 

The danger isn’t just a future risk. Researchers — and the government — are also concerned about “store now, decrypt later” attacks. These involve hackers accessing critical federal systems now, and then saving these systems until they can have the quantum computing capabilities to decrypt the data held within them. Even this scenario presents a major security problem, argues Jeremiah Blocki, a Purdue computer science professor who researches password security.  

To address this risk, the Office of Management and Budget told federal agencies last November to start preparing. The OMB memo instructed federal agencies to start studying all the systems that may need to be transitioned to post-quantum cryptography (PQC).

By May 4, all federal agencies — excluding the Department of Defense — were supposed to submit an inventory of those systems (and then repeat the process every year) to the Office of the National Cyber Director and DHS’s Cybersecurity and Infrastructure Security Agency (CISA). During this time, they were also supposed to designate a lead to handle the inventory and the PQC migration, among other goals. 

But a month after that May 4 deadline, it’s not clear how well all federal agencies are keeping up. FedScoop reached out to the more than 20 agencies outlined in the Chief Financial Officers Act, a 1990 law that also spells out the responsibilities of federal chief information officers, and received a range of responses. 

Many of those agencies, including the departments of Homeland Security, Commerce Department, and Health and Human Services, did say they were up to date on requirements. But others provided unclear responses about their status. Several agencies, including USAID and the departments of Agriculture and Education, said they were unable to share an update. Other agencies, including the Department of Transportation, the Treasury, and the Social Security Administration, did not respond to repeated requests for comment. 

The Department of Housing and Urban Development sent a general statement addressing the agency’s investment in IT and cybersecurity improvements but didn’t directly address whether its staff had created the required inventory or say that it had designed a migration lead. The Small Business Administration, meanwhile, said that it conducts its inventory “as required,” but would only say that a “federal employee” manages the agency’s cryptographic inventory. 

“Agencies have prioritized their systems for migration to post-quantum cryptography,” an OMB official told FedScoop. “OMB and ONCD are working with agencies to ensure accurate cost estimates as we prepare for this transition.”

“The consequences associated with the Snowden leaks or the recent Discord leaks would pale in comparison to the consequences associated with agencies’ failure to comply with the November 2022 Memo on Migrating to Post-Quantum Cryptography,” Sam Howell, a research assistant at the Center for a New American Security’s Technology and National Security Program, told FedScoop in an email. 

“[It’s] important to begin the migration to post-quantum cryptography now because the process could take a long time and entails a lot of challenges,” she added. 

Building an inventory is a critical first step in preparing for post-quantum cryptography, according to the OMB memo. That inventory is supposed to include systems that an agency uses or that are operated on behalf of that agency, including “high impact information” systems and  “high-value assets.”

Next, agencies — excluding the Defense Department and intelligence community agencies — were supposed to start preparing funding assessments aimed at estimating how much the post-quantum cryptography (PQC) migration could cost. 

The White House wants the federal government to transition to PQC systems by 2035. Still, a June report from the National Quantum Initiative Advisory Committee stated that “an earlier completion date would be highly preferable and should be achievable through vigorous U.S. Government action.”

“I don’t want to presume to tell a federal agency what data they need to protect or should protect,” said Blocki, the computer science professor from Purdue. ”But I can imagine that they’re going to have a lot of data that remain sensitive even 50 years from now.”