Full Report
Somewhere in the United States right now, a water treatment facility is running control systems that a quantum computer will eventually be able to compromise, and there is no federal deadline requiring anyone to fix it. The risk is here and now, and America is moving too slowly to protect itself. On March 25, Google announced it…
Analysis Summary
# Regulation/Compliance: Quantum-Resistant Cryptography (QRC) Transition
## Overview
This compliance landscape focuses on the migration from classical public-key cryptography to quantum-resistant cryptography (QRC). The goal is to protect sensitive federal data and critical infrastructure from "harvest now, decrypt later" attacks, in which an adversary records encrypted traffic today and decrypts it once a Cryptographically Relevant Quantum Computer (CRQC) exists, and from direct compromise of long-lived keys and signatures once such a machine is available.
## Key Details
- **Issuing Authority:** The White House (OMB/NSC), National Institute of Standards and Technology (NIST), and National Security Agency (NSA).
- **Effective Date:** Phased implementation. NSM-10 was issued in May 2022; NIST published the first finalized PQC standards (FIPS 203 for ML-KEM and FIPS 204 for ML-DSA) in August 2024.
- **Jurisdiction:** Federal Agencies, National Security Systems (NSS), and Government Contractors/Vendors.
- **Status:** In Effect (with proposed accelerations to mandatory deadlines).
## Requirements
### Mandatory Requirements
1. **Inventory Collection:** Federal agencies must identify all systems using encryption vulnerable to quantum computers.
2. **Standard Adoption:** Transition to NIST-approved post-quantum cryptographic algorithms as they are finalized.
3. **NSS Compliance:** Intelligence and defense systems must follow NSA’s Commercial National Security Algorithm Suite (CNSA 2.0) timelines.
### Recommended Practices
1. **Crypto-Agility:** Designing and procuring systems where encryption can be upgraded via software/firmware without replacing hardware.
2. **Accelerated Timelines:** Adopting a 2030 completion target (matching private sector leaders like Google) rather than the current 2035 baseline.
3. **EU Alignment:** Adhering to the principles of the EU Cyber Resilience Act regarding the support lifetime and updatability of industrial equipment.
## Affected Organizations
- **Industries:** Federal Civilian Agencies, Defense Industrial Base (DIB), Intelligence Community, and Critical Infrastructure (Water, Energy, Finance).
- **Organization Size:** All federal agencies and their primary technology providers.
- **Geographic Scope:** United States (Federal jurisdiction) with international implications for global supply chains.
## Compliance Timeline
- **May 2022:** National Security Memorandum 10 (NSM-10) established the initial framework for quantum risk mitigation.
- **December 2027:** Proposed deadline for new federal procurement to require "upgradable encryption" designs.
- **2030:** NIST's proposed date (draft NIST IR 8547) for deprecating quantum-vulnerable public-key algorithms such as RSA, ECDSA and ECDH, with their use disallowed after 2035.
- **2035:** Current projected deadline for full federal transition to QRC (Note: Experts are currently lobbying to move this to **2030**).
## Implementation Guidance
### Assessment Phase
- **Cryptographic Discovery:** Catalog all applications, hardware, and communication protocols utilizing public-key cryptography (RSA, Diffie-Hellman, Elliptic Curve), including certificates baked into devices, code-signing keys, and VPN/TLS configurations. Symmetric primitives such as AES-256 and SHA-2/SHA-3 are not broken by Shor's algorithm and need only a key-length review, so the inventory effort should concentrate on asymmetric keys and the expiry dates of the artifacts that carry them.
- **Risk Prioritization:** Identify "high-value assets" (HVA) with long-term data sensitivity (data that remains classified or sensitive for 10+ years), and any key or certificate whose validity period runs past the planned transition horizon.
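A minimal discovery tool for the certificate side of that inventory, written as an added example for this summary (it is not tooling from NIST, OMB or the article). It parses a PEM bundle with Go's standard library, labels each public key, flags it as quantum-vulnerable, and marks any certificate whose validity runs past the 2035 federal horizon. The two certificates it scans are constructed inside the program; the hostnames `plc-gateway.water.example` and `api.example` and the 2035 horizon date are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CRQCHorizon is the page's 2035 federal baseline. A key still valid past it
// is a migration blocker, not a routine renewal item. Assumed for this demo.
var CRQCHorizon = time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC)

// Finding is one inventory row for a certificate's public key.
type Finding struct {
	Subject       string
	Algorithm     string // e.g. "RSA-2048", "ECDSA-P-256"
	QuantumSafe   bool   // false for everything Shor's algorithm breaks
	NotAfter      time.Time
	BeyondHorizon bool // validity runs past CRQCHorizon
}

// classify labels the key and decides whether it is quantum-vulnerable.
// RSA and ECDSA both fall to Shor's algorithm. Go's x509 parser does not
// decode ML-DSA keys, so anything unrecognised is reported as unsafe and
// left for manual review rather than silently passed.
func classify(cert *x509.Certificate) (string, bool) {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", pub.N.BitLen()), false
	case *ecdsa.PublicKey:
		return "ECDSA-" + pub.Curve.Params().Name, false
	default:
		return fmt.Sprintf("unrecognised(%v)", cert.PublicKeyAlgorithm), false
	}
}

// Inventory walks every CERTIFICATE block in a PEM bundle (as exported from
// a TLS endpoint, a PLC's web UI or a key store) and returns one Finding each.
func Inventory(pemBundle []byte, horizon time.Time) ([]Finding, error) {
	var out []Finding
	for rest := pemBundle; len(rest) > 0; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		alg, safe := classify(cert)
		out = append(out, Finding{
			Subject:       cert.Subject.CommonName,
			Algorithm:     alg,
			QuantumSafe:   safe,
			NotAfter:      cert.NotAfter,
			BeyondHorizon: cert.NotAfter.After(horizon),
		})
	}
	return out, nil
}

// selfSignedPEM builds a constructed sample certificate for the demo.
func selfSignedPEM(cn string, pub, priv any, notAfter time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleInventory scans two constructed certificates: a long-lived RSA-2048
// device certificate of the kind baked into ICS gear, and a short-lived
// ECDSA P-256 web certificate.
func SampleInventory() ([]Finding, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	plc, err := selfSignedPEM("plc-gateway.water.example", &rsaKey.PublicKey, rsaKey,
		time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		return nil, err
	}
	web, err := selfSignedPEM("api.example", &ecKey.PublicKey, ecKey,
		time.Date(2027, 1, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		return nil, err
	}
	return Inventory(append(plc, web...), CRQCHorizon)
}

func main() {
	findings, err := SampleInventory()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %-12s quantum-safe=%-5t expires=%s beyond-horizon=%t\n",
			f.Subject, f.Algorithm, f.QuantumSafe, f.NotAfter.Format("2006-01-02"), f.BeyondHorizon)
	}
}
```

In a real sweep, `Inventory` would be fed the output of `openssl s_client -showcerts`, exported device certificates, or a key-store dump; the `BeyondHorizon` column is what turns the list into a prioritization, since a 2040 device certificate on an RSA key cannot be fixed by renewal alone.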
### Implementation Phase
- **Procurement Updates:** Integrate quantum-resistant requirements into all new IT acquisition contracts.
- **Hybrid Deployment:** Utilize hybrid modes (combining a classical key exchange such as X25519 or ECDH with a quantum-resistant KEM such as ML-KEM) during the transition period. The session key is derived from both shared secrets, so confidentiality holds as long as either algorithm remains unbroken, which hedges against implementation flaws in the newer PQC code, and peers that cannot yet negotiate PQC can still fall back to the classical component.
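The hybrid exchange described above, as an added example for this summary (it is not code from the article, NIST or any standard): the recipient publishes an X25519 key alongside an ML-KEM-768 encapsulation key, the sender encapsulates against both, and the session key is a hash over both shared secrets and the public transcript. The combiner (`combine`) and its label string are an illustrative construction for this example rather than the KDF of a specific protocol; it requires Go 1.24 or later for the standard-library `crypto/mlkem` package.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HybridPublicKey is what the recipient publishes: a static X25519 point
// (32 bytes) and an ML-KEM-768 encapsulation key (1184 bytes).
type HybridPublicKey struct {
	EC []byte
	PQ []byte
}

// HybridPrivateKey stays with the recipient.
type HybridPrivateKey struct {
	ec *ecdh.PrivateKey
	pq *mlkem.DecapsulationKey768
}

// Ciphertext is what the sender transmits: an ephemeral X25519 public key
// and an ML-KEM-768 ciphertext (1088 bytes). Both are needed to decapsulate.
type Ciphertext struct {
	EC []byte
	PQ []byte
}

// GenerateHybridKey creates both halves of the recipient's key pair.
func GenerateHybridKey() (*HybridPrivateKey, *HybridPublicKey, error) {
	ecPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pqPriv, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	priv := &HybridPrivateKey{ec: ecPriv, pq: pqPriv}
	return priv, priv.Public(), nil
}

// Public reconstructs the public half from the private key.
func (k *HybridPrivateKey) Public() *HybridPublicKey {
	return &HybridPublicKey{EC: k.ec.PublicKey().Bytes(), PQ: k.pq.EncapsulationKey().Bytes()}
}

// combine hashes both shared secrets together with the public transcript.
// Because the session key depends on both inputs, recovering it requires
// breaking X25519 AND ML-KEM; a flaw in either one alone does not expose
// traffic. Illustrative combiner for this example, not a standard's KDF.
func combine(ssPQ, ssEC []byte, ct *Ciphertext, pub *HybridPublicKey) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte("hybrid-x25519-mlkem768"), ssPQ, ssEC, ct.PQ, ct.EC, pub.PQ, pub.EC} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// Encapsulate is run by the sender against the recipient's public key.
func Encapsulate(pub *HybridPublicKey) (sessionKey []byte, ct *Ciphertext, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	peer, err := ecdh.X25519().NewPublicKey(pub.EC)
	if err != nil {
		return nil, nil, err
	}
	ssEC, err := eph.ECDH(peer)
	if err != nil {
		return nil, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(pub.PQ)
	if err != nil {
		return nil, nil, err
	}
	ssPQ, ctPQ := ek.Encapsulate()
	ct = &Ciphertext{EC: eph.PublicKey().Bytes(), PQ: ctPQ}
	return combine(ssPQ, ssEC, ct, pub), ct, nil
}

// Decapsulate is run by the recipient. ML-KEM uses implicit rejection: a
// tampered ciphertext does not return an error, it yields a different key,
// so the mismatch surfaces when the first authenticated record fails.
func Decapsulate(priv *HybridPrivateKey, ct *Ciphertext) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(ct.EC)
	if err != nil {
		return nil, err
	}
	ssEC, err := priv.ec.ECDH(peer)
	if err != nil {
		return nil, err
	}
	ssPQ, err := priv.pq.Decapsulate(ct.PQ)
	if err != nil {
		return nil, err
	}
	return combine(ssPQ, ssEC, ct, priv.Public()), nil
}

func main() {
	priv, pub, err := GenerateHybridKey()
	if err != nil {
		panic(err)
	}
	k1, ct, err := Encapsulate(pub)
	if err != nil {
		panic(err)
	}
	k2, err := Decapsulate(priv, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("public key %d bytes, ciphertext %d bytes, keys match: %t\n",
		len(pub.EC)+len(pub.PQ), len(ct.EC)+len(ct.PQ), bytes.Equal(k1, k2))
}
```

The sizes printed by `main` are the practical cost of the hedge: roughly 1.2 KB of public key and 1.1 KB of ciphertext on the wire per exchange, versus 32 bytes each for X25519 alone, which is what the interoperability testing in the validation phase has to account for.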
### Validation Phase
- **Interoperability Testing:** Verify that QRC implementations do not degrade system performance or break existing secure tunnels. The practical risk is size rather than compute: an ML-KEM-768 key share adds roughly 1.2 KB to a TLS ClientHello and an ML-DSA-65 signature is about 3.3 KB, so handshakes that previously fit in one packet may fragment, and middleboxes or firmware TLS stacks that assume a small ClientHello can drop them.
- **Compliance Reporting:** Annual progress reports to OMB as mandated by the Quantum Computing Cybersecurity Preparedness Act.
## Technical Requirements
- **Algorithm Migration:** Transition to NIST-standardized algorithms (e.g., ML-KEM under FIPS 203 for key establishment, ML-DSA under FIPS 204 for signatures).
- **Firmware Upgradability:** Mandatory support for signed, remote cryptographic updates for Industrial Control Systems (ICS) and Internet of Things (IoT) devices. The update path itself must be quantum-resistant: if the bootloader or secure-boot ROM can only verify RSA or ECDSA signatures, an attacker with a CRQC can forge the update that was meant to remove those algorithms, which is why CNSA 2.0 specifies the stateful hash-based schemes LMS and XMSS for firmware signing.
## Penalties & Enforcement
- **Fines:** Not explicitly defined for agencies, but non-compliant vendors risk debarment or loss of federal contracts.
- **Other Consequences:** Continuing to rely on quantum-vulnerable algorithms after 2030 places a system outside federal security guidance, increasing liability and putting its Authority to Operate (ATO) at risk.
- **Enforcement:** OMB oversight and Inspector General (IG) audits of agency cybersecurity maturity.
## Related Standards
- **NIST IR 8547:** "Transition to Post-Quantum Cryptography Standards" (draft); proposes deprecating quantum-vulnerable public-key algorithms after 2030 and disallowing them after 2035.
- **CNSA 2.0:** NSA’s specific algorithm requirements for National Security Systems.
- **EU Cyber Resilience Act:** International benchmark for hardware cryptographic agility.
## Resources
- **Official Documentation:** National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems (NSM-10).
- **Guidance Documents:** NIST Post-Quantum Cryptography (PQC) Project pages.
## Practical Recommendations
- **Inventory Now:** Do not wait for the 2030 deadline to begin cryptographic discovery; the "harvest now" threat is active.
- **Demand Agility:** Ensure every Request for Proposal (RFP) for hardware lasting more than 5 years includes a requirement for "cryptographic agility."
- **Budgeting:** Lifecycle replacement budgets should be adjusted now to account for the larger keys, ciphertexts and signatures of QRC algorithms (more bandwidth and storage, and higher computational cost on constrained devices), and for replacing hardware whose cryptography cannot be updated in the field.