NIST NCCoE Releases Draft Guidance On PQC Migration
NIST NCCoE
NIST NCCoE releases major post-quantum cryptography migration drafts amid the quantum threat.
NIST's National Cybersecurity Center of Excellence (NCCoE) has produced several draft publications to help organisations manage the difficult transition to Post-Quantum Cryptography (PQC). These publications include early drafts of the practice guides NIST SP 1800-38A, 38B, and 38C and the first public draft of Cybersecurity White Paper (CSWP) 48.
This release is part of the NCCoE's ongoing work to demonstrate relevant capabilities and procedures that help organisations move to PQC, or quantum-resistant cryptography. The effort is a strong partnership among more than 50 government and industry organisations.
Combating “Harvest Now, Decrypt Later”
Cryptographic algorithms secure sensitive electronic data. These algorithms have resisted attacks from conventional computers for decades. Future quantum computers could break that encryption, putting data and information at risk.
Organisations should start planning their PQC migration immediately to protect their high-value, long-lived sensitive data. When a quantum computer capable of breaking cryptography will be built is debated, but some scientists believe it might happen in less than ten years. Standardising a new algorithm and fully integrating it into information systems has typically taken a long time, which makes starting migration efforts all the more critical.
The looming threat is a “harvest now, decrypt later” cyberattack. In this attack, the adversary actively collects and stores encrypted data even though they cannot yet decrypt it. They hope that a powerful quantum computer built later will break the encryption and reveal the secrets. To counter this quantum capability, Post-Quantum Cryptography (PQC) must be adopted to protect data from both conventional and quantum computers.
Fitting PQC Migration into Risk Frameworks
The NCCoE's latest release features CSWP 48, Mappings of Migration to PQC Project Capabilities to Risk Framework Documents. This white paper helps organisations bridge the gap between risk management and PQC migration.
CSWP 48 maps the NCCoE Migration to PQC project's capabilities to security goals and controls in two of NIST's most important cybersecurity risk management documents:
NIST Cybersecurity Framework 2.0 (CSF 2.0): This widely used framework helps firms manage and reduce cybersecurity risk.
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations: This document describes a wide range of controls for protecting information systems.
The mappings help organisations align their PQC migration efforts with their security outcomes and with their broader cybersecurity risk management practices. They also help organisations set security objectives and procedures for a successful PQC migration.
Collaboration for Practical Implementation
The PQC migration project aims to make the process easier for developers, product integrators, and customer organisations. The project has two key workstreams to achieve this:
Cryptographic Discovery: This workstream helps organisations find where and how cryptography is used in their systems, using inventory methods.
Interoperability Testing: This workstream helps standards bodies update protocols to include PQC and helps vendors adopt the new PQC algorithms. Importantly, the testing identifies and resolves compatibility issues in a controlled environment, which will reduce the time organisations spend on migration.
More than 50 organisations contribute to this project. Major IT and financial organisations involved include AWS, Cisco Systems, Google, IBM, JPMorgan Chase, Keyfactor, Microsoft, and Palo Alto Networks. The NSA and other government agencies are also important partners. This coordinated effort aims to reduce the “harvest now, decrypt later” risk.
In addition to CSWP 48, the NCCoE released early drafts of NIST SP 1800-38A, 38B, and 38C. These materials provide practical guidance on PQC migration for programme managers, corporate decision-makers, and IT specialists.
The public has an important opportunity to help shape these foundational documents. Visit the NCCoE project page to comment on the paper. The NCCoE invites interested parties to join its PQC Community of Interest for project updates and to take part in the migration work. Contact the NCCoE staff at their dedicated email address with questions or for more information. These documents underscore the urgency of preparing information systems for the quantum era.














