2. Joe Biden Memorandum
On May 4th, President Biden signed a new executive order focused on post-quantum cryptography, his second featuring this subject in 2022, and we still have 8 months of the year to go.
The January memorandum directed all federal agencies to prepare for post-quantum cryptography by reporting on all vulnerable cryptography on national security systems. But compared to what has just been signed at The White House, the January memorandum was lightweight.
The May 4th Memorandum is loaded with new directions for agency collaboration, communication, planning, and technical work, all with the focus of adopting post-quantum cryptography.
3. Much more Collaboration, Communication & Planning
The advent of quantum computers will mean cryptography has to be replaced everywhere, and with everyone about to go through this migration, what could be better than sharing best practices and learning from each other?
To this end, the memorandum includes directions to establish a “Migration to Post-Quantum Cryptography Project” whose purpose will be to “develop programs for discovery and remediation of any system that does not use quantum-resistant cryptography”.
There are also instructions for cycles of communication designed to keep the whole US government laser-focused on delivering a speedy and successful migration. These include annual reports with “recommendations for accelerating those entities’ migration to quantum-resistant cryptography”, ongoing inventory reports that “document all instances where quantum-vulnerable cryptography is used by NSS”, and working groups to “identify needed tools and data sets, and other considerations to inform the development by NIST of guidance and best practices to assist with quantum resistant cryptography planning and prioritisation”.
4. Specific requirements for Federal Crypto-Inventories
In the January memorandum the requirement for a Crypto-Inventory was definitely being hinted at but not made explicit. However, this time around we have extremely clear language in Sec 5.(c)(v):
“...an inventory of their IT systems that remain vulnerable to CRQCs, with a particular focus on High Value Assets and High Impact Systems.”
Now it is explicit: Federal agencies need to build a Crypto-Inventory, and this now comes with specific requirements:
“Inventories should include current cryptographic methods used on IT systems, including system administrator protocols, non-security software and firmware that require upgraded digital signatures, and information on other key assets.”
We also see that where January’s focus was solely on National Security Systems (NSS), this directive goes further, requiring the Directors of NIST, CISA, and the NSA to:
“establish requirements for inventorying all currently deployed cryptographic systems, excluding National Security Systems (NSS).”
All Federal cryptography is now in scope, and that means much more work ahead.
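As an added illustration (not from the memorandum or the original article) of what assessing such an inventory might look like in practice, the Python below takes constructed inventory rows and flags which uses of cryptography remain vulnerable to a CRQC, ordering the results so High Value Assets surface first as Sec 5.(c)(v) asks. The row schema, algorithm groupings and sample systems are assumptions for the example.

```python
from dataclasses import dataclass

# Public-key primitives that a CRQC breaks outright via Shor's algorithm.
QUANTUM_VULNERABLE_PK = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
# Symmetric ciphers are only weakened: Grover roughly halves effective key length.
SYMMETRIC = {"AES", "ChaCha20"}
# Hash functions: no Shor-style break; Grover only trims the security margin.
HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256"}

@dataclass
class CryptoUse:
    """One inventory row: where a cryptographic method is used (constructed schema)."""
    system: str
    purpose: str            # e.g. "TLS key exchange", "firmware signing"
    algorithm: str
    key_bits: int
    high_value_asset: bool = False

def assess(entry):
    """Classify a single row as vulnerable / weak / acceptable / unknown, with a reason."""
    if entry.algorithm in QUANTUM_VULNERABLE_PK:
        return "vulnerable", "public-key primitive broken by Shor on a CRQC"
    if entry.algorithm in SYMMETRIC:
        if entry.key_bits >= 256:
            return "acceptable", "keeps >=128-bit security under Grover"
        return "weak", "key below 256 bits; reduced margin under Grover"
    if entry.algorithm in HASHES:
        return "acceptable", "not broken by Shor; Grover only trims the margin"
    return "unknown", "unclassified algorithm; review manually"

def prioritise(inventory):
    """Order rows so vulnerable High Value Assets come first, then other vulnerable uses."""
    rank = {"vulnerable": 0, "weak": 1, "unknown": 2, "acceptable": 3}
    rows = [(e, *assess(e)) for e in inventory]
    return sorted(rows, key=lambda r: (rank[r[1]], not r[0].high_value_asset))

# Constructed sample inventory; the systems and values are illustrative only.
SAMPLE_INVENTORY = [
    CryptoUse("payroll-db", "TLS 1.2 key exchange", "ECDH", 256, high_value_asset=True),
    CryptoUse("vpn-gw", "IKEv2 authentication", "RSA", 2048),
    CryptoUse("bmc-firmware", "firmware image signing", "ECDSA", 256, high_value_asset=True),
    CryptoUse("backup-store", "data at rest", "AES", 128),
    CryptoUse("log-archive", "integrity hashing", "SHA-256", 256),
    CryptoUse("legacy-app", "session tokens", "RC4", 128),
]

if __name__ == "__main__":
    for entry, status, reason in prioritise(SAMPLE_INVENTORY):
        hva = " [HVA]" if entry.high_value_asset else ""
        print(f"{status:10} {entry.system}{hva}: {entry.purpose} "
              f"({entry.algorithm}-{entry.key_bits}) - {reason}")
```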
5. Recognising an “Imperative” role for Crypto-Agility
Even our shiny new PQ cryptography will need to be replaced at some point; and if Rainbow (the NIST post-quantum signature finalist broken in early 2022) is anything to go by, then we will need to be prepared to respond quickly in such a scenario.
It’s this awareness (along with the lingering trauma of migrating from MD5, SHA-1, and 3DES) that leads organisations to prioritise crypto-agility. As the Memorandum puts it:
“Central to this migration effort will be an emphasis on cryptographic agility, both to reduce the time required to transition and to allow for seamless updates for future cryptographic standards. This effort is imperative across all sectors of the United States economy, from government to critical infrastructure, commercial services to cloud providers, and everywhere else that vulnerable public-key cryptography is used.”
What is most interesting is the immediate recognition that crypto-agility is not just a nice-to-have or a pie-in-the-sky ideal. Instead, it is recognised as imperative to the overall initiative. This should come as no surprise: because of the sheer size and scale of the federal infrastructure, the NSA estimates that deploying new cryptography across all NSS alone would take about 20 years. The bigger the project, the more critical crypto-agility becomes.
6. Big Asks, Short Timescales
As ever, the memorandum is scattered with ambitious timescales, perhaps more ambitious than usual given the current geopolitical climate.
As we hear from businesses on an almost daily basis, building an accurate, useful, and dependable crypto-inventory is incredibly challenging, and requires constant attention to keep up to date. On the other side, crypto-agility remains painfully ill-defined for practical purposes.