PQC Standards and Regulations: A Guide for Security Leaders

The growing threat of quantum computers necessitates a proactive approach to safeguarding sensitive information. This blog explores the evolving landscape of Post-Quantum Cryptography (PQC) standards and regulations, equipping security leaders to navigate this critical transition for their organizations.

Standardization Efforts: A Global Landscape

Several key organizations are spearheading PQC standardization efforts:

• National Institute of Standards and Technology (NIST): NIST has been pivotal in advancing PQC since 2016, focusing on identifying and standardizing robust PQC algorithms to secure digital communications against quantum threats. In 2023, NIST announced the first round of algorithms set to replace RSA and ECC, notably CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+, paving the way for three new Federal Information Processing Standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), respectively. This effort marks a significant step towards the availability of quantum-resistant cryptographic systems. At the Real World PQC conference in March 2024, Dustin Moody, the leader of the NIST post-quantum cryptography project, announced that NIST expects to publish the final versions of these standards by the summer of 2024.
• European Telecommunications Standards Institute (ETSI) is also focused on addressing the challenges posed by quantum computing. ETSI's initiatives have aligned with the NIST standardization efforts and are focused on addressing the implementation realities of the shift to PQC.  
• The National Cybersecurity Center of Excellence (NCCOE), a division within NIST has been working with industry participants who have contributed their expertise in the practical implementation of PQC into existing products, ensuring that the solutions already in development remain interoperable, backwards compatible, and viable in high performance environments.  
• The Cloud Security Alliance (CSA) has developed guidelines and best practices for transitioning to PQC.  
• Internet Engineering Task Force (IETF) is actively shaping the future of secure communication with its Post-Quantum Use in Protocols (PQUIP) Working Group. This group tackles the specific challenges of integrating PQC algorithms into existing protocols, with a current focus on defining various forms of hybrid certificate implementations. These implementations aim to bridge the gap between conventional cryptography and quantum-resistant variants, ensuring a smooth transition.
• Building on the Software Bill of Materials (SBOM), a key security building block, the Open Web Application Security Project (OWASP), in partnership with IBM (arguably the leader in development of quantum computers),  is pioneering a Cryptographic Bill of Materials (CBOM) as part of their CycloneDX SBOM standard. This initiative aims to provide transparency into the cryptographic material used across software, facilitating vulnerability assessments, and ensuring a more secure software supply chain.
• Linux Foundation's PQC Alliance focuses on fortifying open-source PQC libraries and package implementations.

The Regulatory Horizon

PQC regulations are taking shape, driven by global recognition of the quantum threat. While specifics are still evolving, key trends point towards:

• Government Mandates: The U.S. and countries across the European Union are actively focused on quantum defense. Notably, in the U.S., in 2022 the administration issued NSM-10 (the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems) and Congress passed the Quantum Computing Cybersecurity Preparedness Act —both aimed at setting clear timelines for U.S. agencies and critical infrastructure to transition to PQC.
• Industry-Specific Regulations: Stringent regulations are likely to be implemented in critical sectors like finance and healthcare due to the immense sensitivity of the data handled. In 2022 NSA published the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) which details the timelines by which vendors who build systems used in National Security Systems must transition to PQC. There is also increasing regulatory scrutiny around cybersecurity in general. This includes the SEC's rules regarding incident disclosure (February 14, 2023), similar rules by the National Credit Union Association, and forthcoming rules from CISA for critical infrastructure.
• Industry Guidance: Organizations within specific sectors should also look to industry-specific guidance for requirements for PQC transition. For instance, in 2023 the Financial Services Information Sharing and Analysis Center(FS-ISAC) published guidance on completing cryptographic and PQC transition risk assessments, tailored specifically to the financial services industry.

Taking Action: A Strategic Roadmap

Staying ahead of the PQC curve is paramount for continued security for organizations of all sizes. Here's a strategic roadmap:

• Continuous Education: Ensure your security team is informed about the latest PQC standards and regulations. This knowledge is critical to informed decision-making in this rapidly evolving space.
• Proactive Implementation: Don't wait for regulations to dictate your course of action. Work with experts from companies like Haderaq to conduct a comprehensive survey of cryptographic usage across your infrastructure, third-party vendors, and products as the foundational activity. An PQC assessment is a crucial first step for scoping your project, understanding your risk, engaging stakeholders, prioritizing your PQC transition project, and allocating resources. Create a preliminary scope, risk, and timeline assessment before delving into specific updates, ensuring sufficient education and buy-in with your board, C-staff, and CISO regarding risks, required work, resources, tradeoffs, and the planning of subsequent PQC efforts.  

• Collaboration and Advocacy: Particularly for cryptographic technology vendors, engage with industry bodies and regulatory authorities to influence the development of PQC standards and regulations – critical to ensure products remain standards-compliant, interoperable, and competitive.  

The transition to PQC is a critical step in safeguarding digital assets in the quantum age. By staying informed about PQC standards and regulations and taking a proactive stance toward implementing quantum-resistant cryptography, you can ensure your organization remains secure, compliant, and a leader amidst a quickly evolving cybersecurity landscape. Given the broad impact of the shift to PQC and the rapid pace of changes in this field, it is crucial to acknowledge that there is a lot to stay on top of.

Contact Haderaq at learn.more@haderaq.com to learn more about the transition to PQC in this rapidly changing space.