NIST PQC Standards Mandated

- The Office of Management and Budget (OMB) projects that the transition to post-quantum cryptography will cost federal agencies approximately $7.1 billion between 2025 and 2035. A significant portion of this estimate is allocated for replacing government technology that cannot support the new cryptographic systems. - This mandate is underpinned by the Quantum Computing Cybersecurity Preparedness Act, signed into law in December 2022. This act required the OMB to create guidance for agencies and report to Congress on the necessary strategy and funding for the migration. - The new standards were finalized by NIST in August 2024 and are published as Federal Information Processing Standards (FIPS). These include FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). - The transition timeline is guided by National Security Memorandum 10, which aims to mitigate quantum risks by 2035. More detailed NIST guidance suggests that currently used algorithms like RSA-2048 and ECC-256 will be deprecated by 2030 and disallowed entirely after 2035. - A primary driver for this urgency is the threat of "harvest now, decrypt later" attacks. This strategy involves adversaries collecting and storing encrypted government data now, with the intent of decrypting it once a cryptographically relevant quantum computer is developed. - In response to the mandate, the Cybersecurity and Infrastructure Security Agency (CISA) has established a PQC Initiative and released a list of product categories that support the new standards to guide federal procurement. - The standardization process was a multi-year global effort led by NIST, which began with a formal call for proposals in December 2016 and evaluated dozens of submissions before selecting the final algorithms.