Navigating the Government’s Transition to Post-Quantum Encryption: A Strategic Approach

Author: Harvey Morrison

As quantum computing continues to evolve, the security of existing cryptographic systems faces an unprecedented threat. Post-quantum encryption (PQE) is no longer a distant goal; it is a critical, urgent priority. Marion Square has been actively tracking the federal government’s transition to PQE, working closely with both technology companies and government agencies to ensure a smooth and secure transition.

Federal mandates such as NSM-10 and OMB 23-02 have set the course for agencies to begin their PQE journeys. The stakes are high, and failure to meet these mandates could expose critical systems to quantum-enabled adversaries. According to the recent OMB report to Congress, the government is expected to spend approximately $1 billion annually over the next decade on this transition, though many experts predict the true cost could be much higher.

Successfully navigating this transition will require careful planning, comprehensive assessments, and strong collaboration between agencies and technology providers. Here, we outline the essential phases of the transition process and explain how to get the Discovery and Inventory stage right.

The Importance of NSM-10, OMB 23-02, and the OMB Report

Federal agencies are under strict orders to secure their cryptographic systems against quantum threats, with NSM-10 and OMB 23-02 providing clear directives. These mandates require agencies to initiate the transition to quantum-resistant encryption, with specific deadlines and deliverables.

  • NSM-10 mandates the identification and protection of national security systems.

  • OMB 23-02 outlines the timeline for upgrading cryptographic mechanisms in civilian systems, including reporting requirements to ensure transparency and accountability.

The recent OMB report to Congress highlighted the financial and logistical magnitude of the transition, projecting costs of nearly $1 billion annually for the next decade. However, many believe this estimate falls short, especially considering the complexities and interdependencies involved in upgrading government-wide cryptographic infrastructure.

For federal agencies, it is essential to begin preparations immediately. With such significant financial resources at stake, agencies must ensure that every dollar spent brings them closer to a fully quantum-resilient environment.

Discovery and Inventory: The First Step in the Transition

The first—and arguably the most important—phase in this transition is the Discovery and Inventory of cryptographic systems. Agencies must thoroughly assess their current encryption mechanisms to determine where vulnerabilities lie and where quantum-safe technologies need to be applied.

Unlike traditional system inventories, which can be mostly automated, the PQE transition requires a hybrid approach that includes manual efforts. Simply running a tool to scan networks for encryption won’t suffice. The complexity of cryptographic infrastructures means that manual validation is essential to ensure no asset is overlooked.

Key components of the Discovery and Inventory phase include:

  • Manual and Automated Inventory of Systems: Agencies must identify and document all cryptographic mechanisms, including encryption algorithms, keys, protocols, and libraries, in use across all systems.

  • Classification of Cryptographic Components: Each asset must be categorized based on its criticality, sensitivity, and vulnerability to quantum threats.

  • Data Flows and Dependency Mapping: Analyze how cryptography is implemented across networks, systems, and applications. This includes identifying dependencies between internal systems and third-party services.

  • PQ-Vulnerability Evaluation: Assess each cryptographic asset for its exposure to quantum threats based on existing algorithms such as RSA, ECC, and others.

  • Identification of Critical Systems: Prioritize the systems that are mission-critical or handle sensitive data, ensuring they are the first to transition to PQE.

Successfully completing this phase will provide agencies with a clear understanding of their cryptographic landscape, enabling them to develop an informed strategy for upgrading their systems to meet quantum-resilience requirements.
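The classification, PQ-vulnerability evaluation and prioritization steps listed above can be expressed as a short script that runs over inventory records. This is an added example, not part of the original article or any Marion Square tool; the record fields, the 1-to-3 scales, the scoring weights and the sample inventory are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Shor's algorithm breaks these public-key families at any key size.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# NIST post-quantum standards (FIPS 203, 204, 205).
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Grover's search roughly halves symmetric-key and hash-preimage strength.
GROVER_HALVED = {"AES", "SHA"}
# Assumed weights: unknown entries rank with broken ones until validated by hand.
WEIGHT = {"broken": 3, "unknown": 3, "weakened": 1, "adequate": 0, "quantum-safe": 0}

class Asset(NamedTuple):
    name: str
    algorithm: str    # as written in the inventory, e.g. "RSA-2048"
    criticality: int  # 1 (low) to 3 (mission-critical), assumed scale
    sensitivity: int  # 1 (public) to 3 (long-lived sensitive data), assumed scale

def exposure(algorithm: str) -> str:
    """Classify an inventory algorithm string by its quantum exposure."""
    text = algorithm.strip().upper()
    m = re.fullmatch(r"(.+?)[-_ ]P?(\d+)", text)  # splits "AES-128", "ECDSA-P256"
    family, bits = (m.group(1), int(m.group(2))) if m else (text, None)
    if family in PQ_SAFE:
        return "quantum-safe"
    if family in SHOR_BROKEN:
        return "broken"
    if family in GROVER_HALVED and bits:
        # Assumed conservative threshold: 128 bits of strength after halving.
        return "adequate" if bits // 2 >= 128 else "weakened"
    return "unknown"  # unrecognized entry: route to manual validation

def prioritize(assets):
    """Return (name, exposure, score) rows, highest transition priority first."""
    rows = []
    for a in assets:
        exp = exposure(a.algorithm)
        rows.append((a.name, exp, WEIGHT[exp] * (a.criticality + a.sensitivity)))
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed sample inventory, not real agency data.
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", "RSA-2048", 3, 3),
    Asset("records-archive", "AES-128", 2, 3),
    Asset("public-web", "ECDSA-P256", 1, 1),
    Asset("backup-store", "AES-256", 3, 3),
    Asset("pilot-kem", "ML-KEM-768", 2, 2),
    Asset("legacy-hsm", "3DES", 3, 2),
]

if __name__ == "__main__":
    for name, exp, score in prioritize(SAMPLE_INVENTORY):
        print(f"{score:>3}  {exp:<12}  {name}")
```

Entries that come back as unknown are the ones the manual validation pass has to resolve before the ranking can be trusted.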

Moving from Inventory to Action: Risk Assessments and Compliance

Once the inventory is complete, agencies must submit their findings to OMB along with a detailed report on risks and compliance gaps. These reports are not just a formality—they are a roadmap for ensuring that each agency’s transition to PQE is tailored to its specific needs and vulnerabilities.

The two primary reports agencies must submit are:

Risk Assessment and Prioritization Matrix

  • This document must include a risk analysis of all cryptographic systems, prioritized based on their criticality, sensitivity, and vulnerability to quantum attacks.

  • Agencies are required to provide recommendations for high-priority systems that require immediate attention and develop a transition plan accordingly.

Compliance Gap Analysis Report

  • This report outlines gaps in current practices relative to NSM-10 and OMB 23-02 requirements, particularly focusing on cryptographic mechanisms that are vulnerable to quantum computing threats.

  • Agencies must offer recommendations for achieving compliance and outline policies for future-proofing encryption as quantum technologies evolve.

These reports are critical for demonstrating that agencies are not only compliant but are also taking proactive steps to future-proof their cryptographic infrastructure against evolving threats.

The Role of Technology Companies in Supporting Federal Agencies

The transition to post-quantum encryption will require strong collaboration between federal agencies and technology providers. Companies offering PQE solutions will be key partners in providing the tools, expertise, and automation required for a successful transition.

From automating the discovery and inventory process to providing advanced cryptographic tools, technology providers will play a crucial role in:

  • Automating Cryptographic Inventories: Deploying tools that help agencies automatically detect and document cryptographic mechanisms, reducing the burden on manual processes.

  • Quantum-Safe Encryption Solutions: Offering scalable, future-proof cryptographic systems to replace vulnerable algorithms.

  • Ongoing Risk Assessment: Supporting agencies with continual risk evaluations and updates as quantum technologies and cryptographic standards evolve.

This partnership ensures that agencies can meet their compliance requirements while staying ahead of quantum-enabled threats.

Overcoming Challenges: How Marion Square and Partners Can Help

For many agencies, the sheer scope of the PQE transition can be overwhelming. Marion Square, in collaboration with Square Peg and Carahsoft, is here to guide agencies through each step of this journey. From conducting detailed inventories to building comprehensive risk assessments, we provide the expertise and tools needed to secure critical systems against future quantum threats.

We understand the challenges agencies face in identifying legacy cryptographic systems, navigating compliance requirements, and future-proofing infrastructure. Our PQE Transition Checklist is designed to streamline this process, ensuring that no critical assets are overlooked and that agencies can transition to PQE as efficiently as possible.

Get Involved: Webinar and Resources

If you are interested in learning more about the post-quantum encryption transition process, Marion Square, in conjunction with Square Peg and Carahsoft, has developed a PQE Transition Checklist that is available upon request. We are also hosting a webinar on the 22nd, where our experts will discuss the intricacies of PQE transition planning, compliance, and risk mitigation.

Contact us today to request a copy of the checklist, or register for the webinar to learn how your agency or company can navigate the complexities of PQE with confidence.

Conclusion: Take Action Now

The transition to post-quantum encryption is a critical, complex undertaking. By acting now and securing the right partnerships, federal agencies can ensure they meet compliance mandates while safeguarding their most sensitive systems from the coming quantum threat. Marion Square and our partners stand ready to help you navigate this transition with the expertise and solutions necessary for long-term success.
