On August 21, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”), National Security Agency (“NSA”), and National Institute of Standards and Technology (“NIST”) issued a joint quantum-readiness factsheet (the “Factsheet”) to inform organizations—particularly those that support critical infrastructure sectors—about quantum computing threats and to urge these organizations to begin planning for future migration to post-quantum cryptographic (“PQC”) standards.  CISA, NSA and NIST are part of a government-wide effort to prepare for the development of computers that can break existing encryption algorithms in a short period of time—which the Factsheet refers to as “cryptanalytically-relevant quantum computers” or “CRQCs”.  The Factsheet provides several recommendations for organizations, including that such organizations should establish a “quantum-readiness roadmap” to prepare for the migration to PQC standards; create a “cryptographic inventory” of the cryptography within the products, applications, and services used by the organization; and engaging with the organizations’ technology vendors about the vendors’ plans for quantum-readiness. 

Quantum-Readiness Roadmap

The Factsheet urges organizations to establish a “quantum readiness roadmap” that will prepare the organizations for the migration to PQC standards, which the Factsheet notes are currently under development by NIST and slated for release in 2024.  The Factsheet suggests that entities can begin by establishing a project management team to plan and scope the organization’s migration to PQC and begin identifying the organization’s reliance on quantum-vulnerable cryptography, such as systems and assets that depend on existing digital signature standards.  The Factsheet notes that this “cryptographic inventory,” which is discussed further below, will enable the organization to identify and prioritize the systems that will need to migrate to PQC in the future and to assess potential risks to the organization that may be presented by CRQCs. 

Cryptographic Inventory

The Factsheet explains that, when prepared, an organization’s cryptographic inventory serves multiple purposes.  For example, according to the Factsheet, organizations are often unaware of the breadth and functional dependency on quantum-vulnerable “public-key cryptography” that is within the products, applications, and services that they use.  A cryptographic inventory provides visibility, supports risk assessment efforts, and facilitates engaging vendors to address potential supply chain risks.  The Factsheet also notes that a cryptographic inventory will help an organization transition to a zero trust architecture, identify data that is accessible from outside their operational environment, and inform what data protected by existing cryptography could be targeted and decrypted when CRQCs become viable.

The Factsheet provides several recommendations for how to develop the cryptographic inventory.  For example, the Factsheet suggests that organizations can use discovery tools to look for vulnerable algorithms in their Information Technology (“IT”) and Operational Technology (“OT”) environments, including algorithms used in network protocols, assets on end user systems and servers, and in the organization’s continuous integration/continuous delivery (“CI/CD”) development pipeline.  The Factsheet recommends that the cryptographic inventory should also identify when and where quantum-vulnerable cryptography is used to protect the organization’s most sensitive and critical data, as well as identify estimates for how long those data need to be protected.

Vendor Engagement

The Factsheet also provides steps that organizations and their vendors should take to address PQC adoption.  Specifically, the Factsheet encourages organizations to engage with the organization’s vendors about the vendors’ quantum-readiness roadmaps.  The Factsheet also notes that organizations should start considering updates to the organization’s contracts with vendors to ensure that older products used by the organization will be upgraded with PQC and new products will have PQC built in.  The Factsheet also encourages vendors to review the NIST-published draft PQC standards to begin planning and testing for integration and to be prepared to support PQC as soon as possible after the NIST standards become final.

Supply Chain

Finally, the Factsheet outlines a number of considerations related to supply chain risks that the use of quantum-vulnerable cryptography by vendors may present to organizations.  The Factsheet recommends that organizations:  (1) prioritize high-impact systems, industrial control systems (“ICS”), and systems with long-term confidentiality needs; (2) identify and develop plans to address quantum-vulnerable cryptography in custom-built technologies, which the Factsheet asserts will likely require the most effort to make quantum-resistant; and (3) engage with vendors to ensure both commercial-off-the-shelf (“COTS”) and cloud-based products supplied by vendors are accounted for in the organizations’ quantum-readiness roadmaps.

Looking Forward

The Factsheet builds on the Quantum Computing Cybersecurity Preparedness Act, enacted in December 2022, which requires the Office and Management and Budget (“OMB”) to issue guidance for U.S. executive branch agencies “on the migration of information technology to post-quantum cryptography,” which includes a requirement that each agency develop an inventory of quantum-vulnerable cryptography, similar to one of the recommended actions in the Factsheet.  A similar effort to migrate national security systems (including those used by the Department of Defense and Intelligence Community) to PQC is also underway.  The Factsheet signals the U.S. Government’s continued interest in PQC and the development of strategies to address CRQCs and suggests that the U.S. Government believes the private sector—particularly owners and operators of critical infrastructure—needs to begin similar preparations.  Additionally, since the March 2022 passage of the Cyber Incident Reporting for Critical Infrastructure Act, the door to regulation of critical infrastructure appears open.  Accordingly, entities within or supporting the critical infrastructure sectors may wish to continue monitoring for further developments in this space, including the forthcoming release of the NIST PQC standards in 2024, and may also wish to begin preparations for PQC now in anticipation of possible future requirements or legislation.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Photo of Moriah Daugherty Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients…

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients in responding to cybersecurity incidents, including matters involving Advanced Persistent Threats targeting sensitive intellectual property and personally identifiable information. Moriah also assists clients in evaluating existing security controls and practices, assessing information security policies, and preparing for cyber and data security incidents.

As part of her litigation and investigations practice, Moriah leverages her government experience to advise clients on national security and law enforcement related compliance issues, internal investigations, and response to government inquiries.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.

Photo of John Webster Leslie John Webster Leslie

Web Leslie represents and advises emerging and leading companies on a broad array of technology issues, including on cybersecurity, critical infrastructure, national security, investigations, and data privacy matters.

Web provides strategic advice and counsel on cybersecurity preparedness, cyber and data security incidents, healthcare…

Web Leslie represents and advises emerging and leading companies on a broad array of technology issues, including on cybersecurity, critical infrastructure, national security, investigations, and data privacy matters.

Web provides strategic advice and counsel on cybersecurity preparedness, cyber and data security incidents, healthcare privacy and security, cross-border privacy law, and government investigations, and helps clients navigate complex policy matters related to cybersecurity, national security, and critical infrastructure protection.

In addition to his regular practice, Web also counsels pro bono clients on technology, immigration, and criminal law matters.

Web previously served in government in various roles at the Department of Homeland Security, including at the Cybersecurity and Infrastructure Security Agency (CISA), where he specialized in cybersecurity and critical infrastructure, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.