The quantum threat has kept the field of cryptography in a state of suspense for decades. In May 2022, a seismic event happened that most didn’t notice at first, but we’re about to feel the shakes. The White House published the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems, also called NSM-10. Section three of this lengthy document dives deep into mitigating the risks quantum computers will one day pose to encryption. Details include several actions federal agencies must take once the National Institute of Standards and Technology (NIST) releases new post-quantum cryptography (PQC) ciphers in 2024. We expect private sector regulators to adopt the same requirements, making NSM-10 a crystal ball for future tasks awaiting information security professionals. While the timeline for formal adoption of NSM-10 for the private sector is not known, organizations that are subject to PCI DSS compliance already have a requirement, 12.3.3 in PCI DSS 4.0, that becomes mandatory after March 31, 2025, and is considered an optional best practice until then.
Migrating to new cryptography takes time, and it is already past time to start assessing how ready organizations may be for PQC crypto agility, that is, for implementing new ciphers without causing mass disruptions. Planning for PQC will also help with PCI DSS 4.0 compliance. Many merchants who have taken advantage of various scope reduction technologies that eliminate cardholder data from their environments will not be affected by this requirement. Organizations that store, process or transmit cardholder data will have to ensure all three components of this requirement are in place by April 1, 2025. These three components are summarized below.
One of the first action items NSM-10 creates for federal agencies is the annual inventorying of vulnerable systems. The U.S. Office of Management and Budget (OMB) was the first agency to release its own memorandum detailing how it would accomplish the task. This first inventory was due in May 2023. Private sector companies can consider such inventorying as an expected first step that will be required of them.
Requirement 12.3.3 of PCI 4.0 calls for an up-to-date, documented inventory of all ciphers and protocols; this means at least annually, ideally aligned with NSM-10. Doing so will provide a significant component of what will be needed for a PQC crypto agility assessment. It is impossible to begin migrating to PQC without this first step. To ensure this component of requirement 12.3.3 is met, the inventory will need to include the purpose for which the cipher is used (for example, protection of payment card data pre-authorization, or transmission of payment card data from A to B) and where the cipher is used (for example, MS SQL database, file share, etc.).
Monitoring industry trends
Ninety days after NIST releases new standards for PQC in 2024, the Secretary of Commerce, through the Director of NIST, will release a proposed timeline for the deprecation of quantum-vulnerable ciphers. This timeline will be reviewed and adjusted annually, and the industry must monitor the results. Whether anyone believes quantum computers powerful enough to crack encryption are 10 or 100 years away is irrelevant. When ciphers are deprecated, they become everyone’s problem and must be replaced.
Requirement 12.3.3 of PCI DSS 4.0 calls for “active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use.” An action plan based on NIST deprecations adds to the required evidence for PCI, in addition to monitoring any other reasons ciphers may be deprecated, as we witnessed with the move from SSL to TLS. Responsibility for monitoring industry trends regarding the viability of the cryptographic ciphers in use must be formally assigned, and a procedure for such monitoring should be documented, along with the results or conclusions drawn. The documentation will support validation of compliance with this requirement.
Plan for migration
NSM-10 calls for agencies to create a plan for migration to PQC within a year of the release of the new standards. That plan must contain milestones that show the entire migration can be completed by 2035. Creating such a plan will add evidence to the last component of requirement 12.3.3: “A documented strategy to respond to anticipated changes in cryptographic vulnerabilities.” While the plan for migration to PQC will address vulnerabilities in cryptography that can be exploited by quantum computers, other potential cryptographic vulnerabilities will need to be analyzed and have respective mitigation plans documented accordingly to fully comply with requirement 12.3.3.
When NSM-10 gets adapted to the private sector, it will likely contain many more activities than those required by PCI 4.0. Conversely, for PCI, it will be necessary to provide more evidence of monitoring industry trends and action plans than just what was covered here, as the PCI DSS requirements are also intended to protect against cryptographic vulnerabilities unrelated to quantum computing. Still, as we stated at the start of this blog, the new PCI DSS requirement is a great way to start down the path to PQC readiness. While PCI DSS requires encryption only of cardholder data and authentication factors, it is a good practice to adopt a comprehensive data protection strategy that addresses all sensitive data handled or retained by the organization and accounts for all applicable standards and regulations. Implementing PQC should be part of the data protection strategy for any organization that leverages cryptography.