CISA aims for inventory clarity with post-quantum cryptography guidance
The Cybersecurity and Infrastructure Security Agency is pushing forward on its oversight of federal post-quantum cryptography migration, unveiling a strategy document last week that details how the agency intends to monitor and assess governmentwide progress on the transition.
The public release of CISA’s guidance on Friday, required by a 2022 Office of Management and Budget memorandum on migrating to post-quantum cryptography, lays out plans for deploying automated cryptography discovery and inventory (ACDI) tools to help agencies inventory any IT systems or assets that may contain quantum-vulnerable cryptography.
The cyber agency said the ACDI tools will automate “the collection of the cryptographic characteristics required for the inventory,” and will be integrated with its Continuous Diagnostics and Mitigation (CDM) program. Pairing ACDI tools with the CDM program could reduce the resources agencies need to generate inventory content, the guidance noted.
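To make concrete what “cryptographic characteristics required for the inventory” means in practice, here is an added example of the kind of record an ACDI-style tool collects for each discovered key. It is illustrative code written for this page, not CISA’s, CDM’s or any vendor’s tool, and the record fields (`asset`, `algorithm`, `key_bits`, `quantum_vulnerable`, and so on) are an assumed schema, not CyberScope’s. It parses X.509 certificates (constructed in-process so the example runs offline), records the public-key algorithm and size, and flags keys that rest on factoring or discrete logarithms, which is what makes them quantum-vulnerable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// InventoryRecord is a hypothetical record shape for one discovered key.
// The field names are assumptions for this example, not CISA's or CyberScope's schema.
type InventoryRecord struct {
	Asset             string `json:"asset"`
	Subject           string `json:"subject"`
	Algorithm         string `json:"algorithm"`
	KeyBits           int    `json:"key_bits"`
	QuantumVulnerable bool   `json:"quantum_vulnerable"`
	NeedsReview       bool   `json:"needs_review"`
	Reason            string `json:"reason"`
	NotAfter          string `json:"not_after"`
}

// Classify extracts the characteristics an inventory needs from a certificate's
// public key. RSA, ECDSA and Ed25519 all rely on factoring or discrete logarithms,
// which Shor's algorithm breaks, so each is flagged quantum-vulnerable. Anything
// unrecognised is flagged for manual review rather than silently passed.
func Classify(asset string, cert *x509.Certificate) InventoryRecord {
	rec := InventoryRecord{
		Asset:    asset,
		Subject:  cert.Subject.CommonName,
		NotAfter: cert.NotAfter.UTC().Format(time.RFC3339),
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		rec.Algorithm, rec.KeyBits = "RSA", pub.N.BitLen()
		rec.QuantumVulnerable, rec.Reason = true, "integer factoring (Shor)"
	case *ecdsa.PublicKey:
		rec.Algorithm, rec.KeyBits = "ECDSA-"+pub.Curve.Params().Name, pub.Curve.Params().BitSize
		rec.QuantumVulnerable, rec.Reason = true, "elliptic-curve discrete log (Shor)"
	case ed25519.PublicKey:
		rec.Algorithm, rec.KeyBits = "Ed25519", 256
		rec.QuantumVulnerable, rec.Reason = true, "elliptic-curve discrete log (Shor)"
	default:
		rec.Algorithm = fmt.Sprintf("%T", pub)
		rec.NeedsReview, rec.Reason = true, "unrecognised public key type"
	}
	return rec
}

// selfSigned builds a throwaway self-signed certificate so the example needs no
// network or filesystem access; a real tool would read certs from hosts and stores.
func selfSigned(cn string, pub, priv interface{}) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleInventory scans three constructed assets (names are made up) and returns
// their inventory records in order: RSA-2048, ECDSA P-256, Ed25519.
func SampleInventory() ([]InventoryRecord, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	assets := []struct {
		asset, cn string
		pub, priv interface{}
	}{
		{"web-01", "rsa.example.test", &rsaKey.PublicKey, rsaKey},
		{"api-01", "ecdsa.example.test", &ecKey.PublicKey, ecKey},
		{"bastion-01", "ed25519.example.test", edPub, edPriv},
	}
	var out []InventoryRecord
	for _, a := range assets {
		cert, err := selfSigned(a.cn, a.pub, a.priv)
		if err != nil {
			return nil, err
		}
		out = append(out, Classify(a.asset, cert))
	}
	return out, nil
}

func main() {
	recs, err := SampleInventory()
	if err != nil {
		panic(err)
	}
	js, _ := json.MarshalIndent(recs, "", "  ")
	fmt.Println(string(js)) // one JSON record per discovered key
}
```

The point of the `NeedsReview` branch is the inventory’s failure mode: a discovery tool that only recognises a fixed list of algorithms will quietly omit anything else (PQC keys it does not yet understand, legacy or vendor-specific types), so unknowns should surface as work items rather than vanish from the report.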
Much of CISA’s guidance concerns the data items agencies must collect and report in their inventories. OMB currently requires agencies to report those inventories through CyberScope, a spreadsheet form submitted to CISA and the Office of the National Cyber Director. OMB’s memo notes that future changes to Federal Information Security Modernization Act requirements will require updates to CyberScope, but agencies should continue reporting through that system in the meantime.
CISA’s guidance lists multiple steps for how ACDI tools should be developed and integrated, including instructions for how those tools should be added to a list of CDM-approved products, how modifications to CDM dashboards should be handled and more.
The cyber agency has now embarked on “a long transition period” that will see it “monitor and maintain the status of migration to PQC,” according to the guidance, while it also continues to observe agency reporting on the use of quantum-vulnerable cryptography and offer support as needed.
Other actions required over the next several months include the creation of a list of PQC-enabled products for cryptographic systems by CISA and the General Services Administration, the publication of an initial draft documenting the National Institute of Standards and Technology’s “demonstrations of discovery and inventory tools,” and the launch of a CISA-run pilot program on ACDI tool development and integration.