The National Institute of Standards and Technology on Thursday published guidance describing how implementation of post-quantum cryptography (PQC) both supports and relies on the safeguards in the agency’s major cybersecurity publications.
The draft NIST document, derived from the output of the agency’s PQC migration project, is designed to illustrate the connections between the tools required for adopting quantum-resistant encryption and the security practices that NIST recommends in its Cybersecurity Framework and other guidance.
“The capabilities demonstrated in the project support several security objectives and controls identified” in other NIST guidance documents, the agency said in its new publication. “At the same time, responsible implementation of the demonstrated capabilities is dependent on adherence to several security objectives and controls identified in these risk framework documents.”
Collecting information about which technologies use cryptography supports the Cybersecurity Framework practices of creating hardware and software inventories, the document notes. Similarly, analyzing cryptographic weaknesses supports the CSF practice of identifying vulnerabilities in technology assets.
On the flip side, the CSF practice of establishing clear processes for managing technology configurations is a prerequisite to the PQC migration step of implementing new quantum-resistant algorithms, the document says. And the CSF practice of identifying threats to an organization “can inform requirements for” quantum-ready hardware security modules.
In addition to mapping PQC activities onto the CSF, the document maps them onto NIST’s security and privacy controls catalog, known as Special Publication 800-53. Analyzing cryptographic weaknesses supports the principles in 800-53’s risk assessment category, according to the document, while implementing PQC algorithms will often require adherence to that publication’s section on public key infrastructure certificates.
In the document, NIST also encourages organizations focused on PQC migration to collaborate on a CSF profile, a document explaining how their community is using the CSF to accomplish their goals. Similar CSF profiles exist for ransomware mitigation, GPS data integrity and semiconductor manufacturing. NIST said a CSF profile for PQC activities would “ease the community’s migration to PQC.”