CISA guidance focuses on post-quantum cryptography tools


The guidance nudges federal network operators to adopt automated cryptography discovery and inventory tools as a step in managing post-quantum cryptography updates.

The Cybersecurity and Infrastructure Security Agency publicly released its post-quantum cryptography migration guidance on Friday, focusing on prepping the most vulnerable federal digital systems for the potential advent of a cryptographically-relevant quantum computer.

Accompanying the earlier release of the first standardized algorithms suited to protect information stored on classical computers from a hypothetical quantum computer attack, CISA’s guidance, dated Aug. 15, lays out recommendations for federal civilian executive branch agencies conducting initial system inventories using automated cryptography discovery and inventory (ACDI) software.

CISA wants agencies to launch their migration processes sooner rather than later. The guidance notes that the inventory process requires both manual data collection and the use of automated support.

“The primary goal of this strategy is to enable the assessment of agency [post-quantum cryptography] transition progress,” the guidance reads. “Included is the use of [automated cryptography discovery and inventory] tools to support a [federal civilian executive branch] agency in its creation of an inventory of its information systems and assets that contain CRQC-vulnerable cryptography.”

CISA is asking civilian agencies to first identify potential vulnerabilities and migrate high-impact information systems, that is, assets storing sensitive information on a given network. The guidance also prioritizes assets that “contain data expected to remain mission-sensitive in 2035.”

CISA also identified three ongoing research arenas that are expected to inform PQC migration efforts. They hinge upon understanding the industry offerings of automated cryptographic discovery tools and how accurately those tools detect the embedded algorithms in use within particular software packages.

“CISA has not been able to confirm the full scope of cryptographic algorithm detection capabilities that will be available via automated cryptographic discovery tools,” the guidance reads.

Future work in this arena will be helmed by CISA along with other partners in the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence’s “Migration to PQC” project. 

Utilizing automated inventory scanning software has been a minor point of contention between government and industry, as government partners work to establish baseline standards of trust in automated cryptography discovery and inventory tools while industry says manual network inventories are too cumbersome to undertake efficiently.

The new guidance does state that such tools, operating individually or in combination with other network analysis efforts, may help with gathering certain cryptographic inventory data from networks, file systems, database systems, and software packages. It adds that further steps are required for entities to integrate automated discovery tools into their network scans. CISA notes that some automated capabilities are available to agencies via the Continuous Diagnostics and Mitigation program, but these offerings do not yet meet CISA's goals. CDM's current dashboard and analytics “will need expanding to support data elements provided by ACDI tools,” the report states.
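To make the inventory workflow the guidance describes concrete, here is a small added example (written for this article, not CISA's or any vendor's ACDI tool). It walks a file-system tree looking for PEM-encoded private keys, records the public-key algorithm each header announces, merges those automated findings with hand-collected owner context, classifies each asset as CRQC-vulnerable or not, and assigns a migration tier that puts high-impact systems and data still sensitive in 2035 first. The sample key files, the manual context table, and the tier rules are all constructed for illustration; the PKCS#8 "PRIVATE KEY" header deliberately lands in a needs-review bucket because the algorithm cannot be read from the header alone, which is exactly the detection-coverage question the guidance says is still open.

```python
"""Toy cryptographic inventory: automated file-system discovery merged with
manual asset records, then prioritised by impact and data-sensitivity horizon.
Constructed example; not an ACDI product or CISA tooling."""
import os
import re
import shutil
import tempfile

# PEM headers that name a public-key algorithm a CRQC could break (Shor's algorithm).
PEM_HEADERS = {
    "RSA PRIVATE KEY": "RSA",
    "EC PRIVATE KEY": "ECDSA/ECDH",
    "DSA PRIVATE KEY": "DSA",
}
PKCS8_HEADER = "PRIVATE KEY"  # algorithm is inside the DER body, not the header

CRQC_VULNERABLE = {"RSA", "ECDSA/ECDH", "DSA", "DH", "Ed25519", "X25519"}
# Symmetric ciphers / hashes at these sizes, and the new NIST PQC algorithms,
# are not broken by a CRQC (only Grover-style speedups apply to the former).
NOT_CRQC_VULNERABLE = {"AES-256", "SHA-256", "SHA-384", "ML-KEM-768", "ML-DSA-65"}

HEADER_RE = re.compile(r"-----BEGIN ([A-Z ]+?)-----")


def discover_pem_keys(root):
    """Automated pass: report every PEM private key under `root` (paths relative
    to root). Certificates and public keys are skipped; they carry no secret."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    head = fh.read(4096)  # headers sit at the top of the file
            except OSError:
                continue
            for m in HEADER_RE.finditer(head):
                label = m.group(1)
                algo = PEM_HEADERS.get(label)
                if algo is None and label == PKCS8_HEADER:
                    algo = "UNKNOWN(PKCS#8)"  # needs deeper parsing to resolve
                if algo is None:
                    continue
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                records.append({"asset": rel, "algorithm": algo, "source": "automated"})
    return records


def classify(algorithm):
    if algorithm in CRQC_VULNERABLE:
        return "CRQC-vulnerable"
    if algorithm in NOT_CRQC_VULNERABLE:
        return "not CRQC-vulnerable"
    return "needs-review"


def prioritize(records, manual_context):
    """Merge owner-supplied context and assign a tier:
    1 = vulnerable and (high impact or data still sensitive in 2035)
    2 = vulnerable but lower impact, or algorithm unresolved
    3 = nothing to migrate"""
    out = []
    for rec in records:
        ctx = manual_context.get(rec["asset"], {})
        rec = dict(rec, impact=ctx.get("impact", "unknown"),
                   sensitive_until=ctx.get("sensitive_until", 0))
        rec["status"] = classify(rec["algorithm"])
        if rec["status"] == "CRQC-vulnerable" and (
                rec["impact"] == "high" or rec["sensitive_until"] >= 2035):
            rec["tier"] = 1
        elif rec["status"] == "not CRQC-vulnerable":
            rec["tier"] = 3
        else:
            rec["tier"] = 2
        out.append(rec)
    return sorted(out, key=lambda r: (r["tier"], r["asset"]))


# Constructed manual inventory data (what a system owner fills in by hand).
MANUAL_CONTEXT = {
    "etc/pki/vpn.key": {"impact": "high", "sensitive_until": 2040},
    "etc/pki/web.key": {"impact": "moderate", "sensitive_until": 2027},
}
MANUAL_RECORDS = [  # an asset no file scan would find: a database's at-rest cipher
    {"asset": "db/records", "algorithm": "AES-256", "source": "manual"},
]


def build_demo_tree():
    """Create a throwaway directory with constructed PEM files (bodies elided)."""
    root = tempfile.mkdtemp(prefix="pqc-demo-")
    os.makedirs(os.path.join(root, "etc", "pki"))
    samples = {
        "etc/pki/vpn.key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n",
        "etc/pki/web.key": "-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----\n",
        "etc/pki/svc.key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
        "etc/pki/ca.crt": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)
    return root


def run_demo():
    """Discover, merge with manual records, prioritise; returns {asset: tier}."""
    root = build_demo_tree()
    try:
        inventory = prioritize(discover_pem_keys(root) + MANUAL_RECORDS, MANUAL_CONTEXT)
    finally:
        shutil.rmtree(root)
    return {r["asset"]: r["tier"] for r in inventory}


if __name__ == "__main__":
    for asset, tier in run_demo().items():
        print(f"tier {tier}: {asset}")
```

Running the demo lists vpn.key (RSA, high impact, sensitive through 2040) in tier 1, web.key and the unresolved PKCS#8 key in tier 2, and the AES-256 database in tier 3; the certificate file is not inventoried at all. The split between `discover_pem_keys` and `MANUAL_CONTEXT` mirrors the guidance's point that automated discovery supplies the "what algorithm, where" facts while impact and sensitivity horizon still come from people.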

“This pilot would determine the optimal level of integration including data elements and interfaces,” the guidance states. “As part of this pilot program, a comparative analysis should be conducted to determine the extent that ACDI tools can discover cryptographic assets vice those assets known via manual means.”

Following the guidance’s release, CISA and other federal partners will take more steps in the coming months to support PQC overhauls within federal government networks, including updating reporting requirements and further evaluating tools suitable for government network analyses.