Name and Shame: The Federal PQC Requirements


Part four of Qrypt’s “Understanding Quantum Risk” series of articles.


The US federal government has gotten very serious in the last few years about preventing data theft through decryption by a future generation of quantum computers. A flurry of executive orders, legislation and agency-level rule-making is creating a new landscape of post-quantum cryptography (PQC) security standards. If you do business with the federal government, especially providing any sort of IT services, these new requirements will soon impact you and it is important to understand how.


This new landscape of PQC standards and requirements creates urgency for many businesses because those who are non-compliant will be named in reports and tarred with their failures. A national security memorandum issued by the White House in May of 2022 laid out a list of requirements and deadlines for federal agencies to change their means of encryption to new standards that will not be vulnerable to the growing ecosystem of quantum computing.


The memorandum includes an order that “Within 1 year of the date of this memorandum, and on an annual basis thereafter, the heads of all Federal Civilian Executive Branch (FCEB) Agencies shall deliver to the Director of CISA and the National Cyber Director an inventory of their IT systems that remain vulnerable to [cryptanalytically relevant quantum computers], with a particular focus on High Value Assets and High Impact Systems. Inventories should include current cryptographic methods used on IT systems, including system administrator protocols, non-security software and firmware that require upgraded digital signatures, and information on other key assets.”


Vendors who have not made their offerings PQC-secure should expect their names to be included on that report every year until they are compliant, or perhaps until they have lost their federal contracts due to their non-compliance. These requirements could potentially spread to some who work for state-level agencies in situations where federal agencies are partnering or supporting their work. The bottom line is that government contractors can’t ignore these new directives. Doing nothing will result in a loss of business and the potential of being completely replaced by a more agile provider.


The US federal government, as well as many foreign governments, has invested heavily in developing more powerful quantum computers through efforts like the National Quantum Initiative. They are committed to bringing this technology to maturity. The federal government’s funding and muscle helped to ensure the success of classical computers, spaceships and nuclear energy. It would be unwise to bet on their failure in this instance, and the new federal PQC requirements reflect their confidence that their efforts will succeed.


The above-mentioned national security memorandum also sets deadlines for developing new cryptographic standards, which government agencies and many of their vendors will need to comply with. The National Institute of Standards and Technology (NIST) and NSA have been directed to publicly release new PQC encryption standards by 2024. The memorandum also directed the establishment of the Migration to Post-Quantum Cryptography Project, which “shall develop programs for discovery and remediation of any system that does not use quantum-resistant cryptography or that remains dependent on vulnerable systems.” This means, among other things, that there is a concerted effort to quickly identify systems that need to migrate. If your organization’s work touches on any federal computer systems, they will notice and you will have to come into compliance.


Congress has echoed the quantum concerns and objectives of the White House in passing the Quantum Computing Cybersecurity Preparedness Act in July of 2022. The Act requires that within a year of NIST announcing their new PQC standards, “the Director of OMB shall issue guidance requiring each executive agency to develop a plan, including interim benchmarks, to migrate information technology of the agency to post-quantum cryptography.”


When a data breach or cyber incident occurs, another national security memorandum, “Improving the Nation’s Cybersecurity,” now requires that service providers promptly notify the agencies that they have contracted with. That memorandum also casts a direct gaze on security-related commercial software, stating that “The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.”


Agency heads have been directed to “develop new standards, tools, and best practices for complying with the standards, procedures, or criteria” for cybersecurity described in the memorandum. “The guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.” To stay competitive, agency providers and contractors need to pay close attention to these various efforts as different agencies roll them out.


As the GSA spells out in its summary of Improving the Nation’s Cybersecurity, federal contracts will be modified to require compliance with the new cybersecurity requirements. They write explicitly that “If your company cannot accept the modification, you will not be able to sell to the Federal government.”


Qrypt’s Quantum Key Generation solution offers businesses a unique advantage to align with the goals of the new PQC requirements mandated by the federal government. By eliminating the transmission of encryption keys, the root of quantum risk, Qrypt’s solution ensures that businesses’ data remains unbreakable even to quantum computers and helps suppliers to the federal government demonstrate their commitment to meeting the new federal PQC standards. Furthermore, our Quantum Encryption solution provides an additional layer of encryption, securing messages from third-party interception and future compromise of the algorithm protecting the channel.

