Full Report
CISOs should demand more of their vendors and use regulation as an ally to persuade board members to accelerate the transition to post-quantum safety
Analysis Summary
The provided article snippet focuses on the urgent need to prepare for the transition to Post-Quantum Cryptography (PQC) due to the future threat posed by Cryptographically Relevant Quantum Computers (CRQCs). A key theme is the responsibility of organizations to act now, especially regarding long-duration secrets, and to demand readiness from their third-party vendors.
# Best Practices: Quantum Readiness and Vendor Management for Cryptographic Transition
## Overview
These practices address the immediate and long-term security requirements for organizations transitioning their cryptographic infrastructure to be resistant to attacks from future Cryptographically Relevant Quantum Computers (CRQCs). The focus is on proactive management, especially concerning vendors utilizing or securing sensitive, long-duration data.
## Key Recommendations
### Immediate Actions
1. **Initiate Quantum Risk Assessment:** Immediately inventory all systems, data, and communications that rely on current asymmetric encryption methods that PQC aims to replace.
2. **Prioritize Long-Duration Secrets:** Identify and catalogue any "long-duration secrets" (data or keys that must stay protected for many years); migration planning for these must begin *now*, because every year of postponement significantly increases the exposure window.
3. **Demand Vendor Accountability:** CISOs must immediately begin asking vendors about their specific plans, timelines, and progress toward implementing Post-Quantum Cryptography (PQC) standards.
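As an added example (not part of the summarized article), the following Python script triages a constructed cryptographic inventory the way the three immediate actions above call for: it flags assets that depend on quantum-vulnerable public-key primitives, ranks long-duration secrets with Mosca's inequality (data shelf life plus migration time compared against an assumed CRQC horizon, all supplied as inputs), and groups the exposed assets by the vendor or team that owns the migration. The `Asset` fields, the sample names, owners and year figures are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass

# Public-key primitives a CRQC breaks outright (Shor) versus symmetric ones
# that only lose security margin (Grover); assumed classification.
QUANTUM_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
GROVER_WEAKENED = {"AES-128"}

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str               # vendor or internal team that must deliver the migration
    algorithms: tuple        # primitives the asset relies on, e.g. ("RSA", "AES-256")
    shelf_life_years: int    # x: how long the protected data must stay confidential
    migration_years: int     # y: estimated time to move this asset to PQC

def classify(algorithms):
    """Bucket an asset by the worst quantum impact among its primitives."""
    algs = {a.upper() for a in algorithms}
    if algs & QUANTUM_BROKEN:
        return "quantum-vulnerable"
    if algs & GROVER_WEAKENED:
        return "reduced-margin"
    return "quantum-safe-symmetric"

def is_exposed(asset, crqc_horizon_years):
    """Mosca's inequality: with z = years until a CRQC, x + y > z means data under a
    quantum-vulnerable primitive can be stored now and decrypted later."""
    return (classify(asset.algorithms) == "quantum-vulnerable"
            and asset.shelf_life_years + asset.migration_years > crqc_horizon_years)

def prioritize(assets, crqc_horizon_years):
    """Return (asset, overrun_years) for every exposed asset, worst first."""
    exposed = [(a, a.shelf_life_years + a.migration_years - crqc_horizon_years)
               for a in assets if is_exposed(a, crqc_horizon_years)]
    return sorted(exposed, key=lambda pair: pair[1], reverse=True)

def vendors_to_push(assets, crqc_horizon_years):
    """Group exposed assets by the party that owns the migration, so vendor
    conversations start with the most exposed data."""
    by_owner = {}
    for asset, _ in prioritize(assets, crqc_horizon_years):
        by_owner.setdefault(asset.owner, []).append(asset.name)
    return by_owner

# Constructed sample inventory; names, owners and year figures are illustrative only.
SAMPLE_INVENTORY = [
    Asset("hr-archive", "vendor-A", ("RSA", "AES-256"), 25, 4),
    Asset("vpn-gateway", "netops", ("ECDH", "AES-256"), 1, 2),
    Asset("backup-tapes", "vendor-B", ("AES-256",), 30, 3),
    Asset("legacy-portal", "vendor-A", ("RSA", "AES-128"), 7, 5),
]
```

The CRQC horizon is whatever estimate the organization adopts; the script only makes the shelf-life-plus-migration arithmetic explicit per asset so the ranking can be defended to the board.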
### Short-term Improvements (1-3 months)
1. **Develop a PQC Transition Roadmap:** Create a formal, documented roadmap for migrating current cryptographic dependencies to NIST-standardized PQC algorithms.
2. **Vendor Risk Scoring Update:** Incorporate vendor PQC readiness metrics (e.g., commitment to transition, use of crypto-agility) into existing third-party risk management (TPRM) scoring models.
3. **Implement Crypto-Agility Measures:** Begin efforts to decouple cryptographic implementations from specific algorithms to ensure systems can be rapidly updated as PQC standards finalize and deployment proceeds.
### Long-term Strategy (3+ months)
1. **Phased PQC Migration:** Execute the multi-year plan to systematically deploy PQC solutions across core infrastructure, focusing first on high-value, high-exposure assets.
2. **Mandate PQC in Procurement:** Integrate binding PQC readiness clauses and timelines into future contracts and renewals for all relevant third-party services and hardware.
3. **Continuous Monitoring of Standards:** Establish a process to continuously monitor updates from standardization bodies (like NIST) to ensure planned cryptographic implementations remain aligned with final standards and best practices.
## Implementation Guidance
### For Small Organizations
- **Focus on Vendor Contracts:** Since internal resources may be limited, concentrate immediate effort on reviewing existing vendor contracts and demanding clear PQC compliance statements or written transition commitments.
- **Adopt NIST Guidance Early:** Follow the guidance NIST has released for early adopters, applying well-studied PQC candidates even before final standardization to non-critical systems that need protection now.
### For Medium Organizations
- **Pilot PQC Deployments:** Dedicate resources to pilot PQC solutions in less critical environments to gain operational experience and measure performance impacts before enterprise-wide rollout.
- **Establish Internal Inventory:** Develop a comprehensive inventory of all cryptographic assets; this forms the necessary baseline for subsequent risk prioritization and migration sequencing.
### For Large Enterprises
- **Establish Cross-Functional PQC Governance:** Form a dedicated team involving representatives from Security, R&D, Procurement, and IT Operations, overseen by executive leadership, to drive the organization-wide transition.
- **Develop Cryptographic Inventory and Classification System:** Implement automated tools to discover, classify, and track cryptographic usage across the entire complex landscape, including legacy systems.
## Configuration Examples
*Specific technical configurations were not detailed in the provided context, but the focus should be on transitioning to NIST-selected PQC algorithms (e.g., CRYSTALS-Kyber for key establishment and CRYSTALS-Dilithium for digital signatures) once officially released.*
## Compliance Alignment
While specific compliance mandates for PQC are evolving, efforts align broadly with:
- **NIST SP 800-208:** Recommendations for Stateful Hash-Based Signature Schemes (related to PQC development).
- **ISO/IEC 27001/27002:** Requirements for managing Cryptographic Controls and Third-Party Risk Management.
- **NIST Cybersecurity Framework (CSF):** Specifically under the Identify (Asset Management) and Protect (Data Security) functions.
## Common Pitfalls to Avoid
- **"We'll deal with that later" Mentality:** Delaying planning for secrets that need long-term confidentiality, as the transition timeline is already compressed by the need to protect data *today* that attackers might harvest now (Store Now, Decrypt Later).
- **Ignoring Vendor Responsibility:** Assuming third parties will handle the PQC transition without explicit organizational oversight, contracts, and verification.
- **Underestimating Crypto-Agility Requirements:** Implementing PQC solutions in a hard-coded manner that prevents easy switching to later standards or patches that may emerge during the transition process.
## Resources
- **NIST Post-Quantum Cryptography Standardization Project:** The official source for PQC algorithm selections and standards. (Search for "NIST PQC Standardization").
- **Vendor Documentation:** Requesting specific PQC readiness roadmaps and capability assessments directly from technology and service providers.