Federal agencies, on a journey over the next decade-plus to shore up their systems before the arrival of quantum computers, have made progress in understanding the scope of the legacy cryptography that will need to be replaced, according to a senior Biden administration cybersecurity official.
“For the first time in history, the civilian government, we have a comprehensive inventory of our asymmetric cryptography across all the agencies and their critical systems,” Nick Polk, senior adviser to the federal CISO, said Tuesday at GDIT’s Emerge Quantum event, produced by FedScoop.
Scientists and researchers have predicted that as cryptanalytically relevant quantum computers come into existence, they will be capable of breaking the public-key cryptography used in encryption across much of the world today. As such, the Biden administration in 2022 issued National Security Memorandum-10 acknowledging the threat and setting a course of action to protect against it by migrating to post-quantum cryptography. Subsequently, the Office of Management and Budget issued guidance last fall setting requirements for federal agencies to complete that migration by 2035.
Looking back on the time since those policies were issued, Polk pointed to inventorying as the “biggest area of progress we’ve seen and the most important.”
“So, this inventory that, you know, sounds like … we have a spreadsheet of cryptography, is really critical because now the agencies have a baseline for understanding where that cryptography is in all their systems,” Polk said.
Earlier this year, FedScoop reported on agencies’ progress in meeting an early deadline to inventory their encryption systems — a process that will happen every year through 2035 as required by the guidance — and found mixed results.
Acknowledging that, Polk said: “We didn’t get it perfect the first time.” But that’s why it’s an “iterative process” that will improve each year.
“What it has given us is, you know, essentially, the foundation for the roadmap that agencies are going to be creating once [the National Institute of Standards and Technology] does release their post-quantum cryptography standards to actually program out and plan out their migration to PQC,” he said, referencing NIST’s forthcoming quantum-resistant cryptographic algorithms — three of which should be officially released next year.
Beyond working with agencies on inventorying, OMB is also working to figure out how much money agencies will need to complete this migration, and Polk claimed there’s been some iterative progress there as well.
“This is going to be a costly endeavor. And so we need to figure out, you know, how we can actually effectively represent that cost requirement in the president’s budget request over the next 10-12 years,” he said.
A major part of this, Polk explained, is exploring “how we can use the purchasing power and the kind of tech ecosystem stewardship of the federal government to work with different private sector partners to actually … make sure that cost is accurately represented in contracts or different services the government uses.”