As we previously discussed on our weblog, the impending arrival of Q-Days, a point at which quantum computers will potentially breach decryption methods, raises concerns about the vulnerability to Harvest Now, Decrypt Later (HNDL) cyberattacks. While focusing on high-priority post-quantum cryptography capabilities, we prioritized the effective initiation of a quantum-safe hardware transition. What blogs are most popular among Americans? Authorities’ Regulation: A Key Factor in Determining PQC Product Availability?
Federal agencies have been working to standardize encryption certification processes for years. The primary goal is to ensure that all encryption solutions used by government entities meet specific security standards.
Prior to delving into the outcomes of presidential policies on PQC products, it’s essential to consider the various approaches the U.S. government has employed in regulating this industry over time? Authorities currently certify encryption methods for products handling authority data. Certifications come in three distinct forms, each catering to unique professional goals and aspirations.
- These functions conduct meticulous and protracted procedures to guarantee that the cryptography software, firmware, and hardware are thoroughly secure, with validated algorithms in place. The program comprises two primary components: the Cryptographic Algorithm Validation Program (CAVP), designed to verify the precision of cryptographic algorithms; and the Cryptographic Module Validation Program (CMVP), focused on validating the security protocols of cryptographic modules.
- That is a widely accepted best practice employed to ensure the security of devices used by government agencies and in critical infrastructure. The necessities regarding algorithm and protocol utilization are significantly more stringent than those employed in the Federal Information Processing Standards (FIPS).
- All necessary documents are required for U.S. Authorities nationwide safety programs, driven by the need for unwavering security, impose extremely stringent cryptographic and protocol requirements. The Communication Systems for Classified Information (CSfC) options conform to the National Security Agency’s (NSA) Business Nationwide Safety Algorithm (CNSA) requirements.
Why do these certifications matter? Certifications are often required for products to be eligible for sale in certain markets, resulting from their necessity as a direct outcome of a product’s nature. When promoting merchandise that constitute crucial infrastructure components, consider obtaining a license under Creative Commons (CC). When promoting merchandise that defends nationally sensitive security (NSS) categorized information, you should consider obtaining Certified Secure Facilities Categorization (CSfC) certification. Certifications play a vital role in verifying the integrity of cryptographic solutions, providing an independent assurance that the employed methods are secure and effective. As organizations design new products, they must proactively consider the potential for changes in encryption certifications, which can occur regularly to ensure compliance with evolving standards.
Regulatory frameworks for Pharmaceutical Quality Control (PQC) are continually evolving to ensure the safety and efficacy of medicines.
Manufacturers of knowledge-based products face regulatory hurdles related to Product Quality Control (PQC). The current CC and CSFC certifications do not allow for the use of PQC encryption algorithms. The National Security Agency’s (NSA) current Common Cryptographic Primitive (CNSA) 1.0 standard, which governs the use of encryption in National Security Systems (NSS), does not support Post-Quantum Cryptography (PQC). Merchandise meeting the encryption standards mandated by the newly introduced CNSA 2.0 standard, which supports post-quantum cryptography, are not yet qualified for sale to the federal government. The delay in addressing this issue was unavoidable, as the regulated entities had to wait for the NIST PQC algorithm requirements to be finalized and authorized before updating their certification processes accordingly. That is an attention-grabbing scenario.
Despite the eagerness of distributors and prospects to acquire and implement quantum-safe solutions, their adoption remains hindered by regulatory barriers in certain U.S. jurisdictions? Authorities’ functions will continue until the certification requirements are updated to enable CNSA 2.0 capabilities. Regrettably, these parallel improvement initiatives currently pose a threat to the productivity of the product development teams. To ensure product groups develop merchandise that meet evolving regulatory demands, regulated entities must provide timely and transparent information on their intended approach to complying with these demands.
We expect the certification requirements to be updated by late CY 2025, allowing for CNSA 2.0 implementation. By adopting both CNSA 1.0 and CNSA 2.0 capabilities, distributors can shorten certification timelines and enable their products to meet current CNSA 1.0 standards prior to the introduction of CNSA 2.0 requirements.
Sadly, this method would not be effective for PQC capabilities executed in {hardware}. For instance, a secure boot product supporting both CNSA 1.0 and CNSA 2.0 picture verification algorithms wouldn’t necessarily be quantum-secure? A malicious actor could simply create and signal an image using a compromised CNSA 1.0 key. Vendors with new products entering the market prior to certification requirement updates might need to decide which is best for them: Enter the market with CNSA 1.0 compliant secure boot to meet existing requirements or enter with CNSA 2.0 compliant secure boot and potentially forego sales to select customers until certification requirements are updated?
How Cisco helps with certifications
Cisco has collaborated with the National Institute of Standards and Technology (NIST), as well as various industry leaders, to design and implement effective strategies for automating the validation processes required for certification under the brand-new encryption standards. Cisco leverages NIST’s operational Automated Cryptographic Validation Check Programs (ACVTS). NIST’s cryptographic algorithm validation program, ACVTS, enables Cisco and other vendors to rapidly validate cryptographic algorithms and publicly post the results on NIST’s website.
Cisco collaborated with the CAVP and CMVP to develop a comprehensive outline for self-testing Post Quantum Cryptography (PQC) algorithms and released a revised draft of the FIPS 140-3 Implementation Guidance (IG) 10.3.A, ensuring enhanced security standards for cryptographic systems.
Cisco can leverage the Cryptographic Module Validation Program (CMVP) to automate validation testing. The Federal Information Processing Standards (FIPS) 140-3 validation process serves as a comprehensive safety accreditation program for cryptographic modules ensuring the highest level of security and trustworthiness in sensitive information exchange. With streamlined automation processes in place, significant time savings can be achieved, ultimately reducing the typically lengthy two-year timeframe needed for FIPS certification acquisition.
Cisco is collaborating with CC on various initiatives, starting with its participation in the CC’s Consumer Discussion forum. Cisco participates in the UK’s Centre for Connected and Autonomous Vehicles’ (CC) Community Machine collaborative Safety Profile (NDcPP) initiative, supporting development of CC’s safety profile for connected devices. The latest version of the National Disability Coordination Plan (NDcPP) was officially rolled out in December 2023.
The New Developmental Control (NDCPP) profile is a widely accepted and utilized safety assessment tool among community machinery suppliers and manufacturers seeking licensing for their products. Under the Nationwide Data Assurance Partnership (NIAP), Cisco participates in efforts to oversee a nationwide program evaluating business off-the-shelf (COTS) IT products for conformance to widely recognized standards.
Cisco’s participation in the Commercial Solutions for Classified (CSfC) certification program entails periodic meetings with the CSfC program office administrators.
Specifications for upcoming products are outlined, clarifying the essential components and bundles required for submission to certification processes, as well as Memorandums of Agreement (MOAs) and parts listings that demonstrate compliance with published Functionality Packages’ reference architectures and configuration data.
Driving towards full, quantum-safe options
As part of ongoing efforts to ensure public safety and security, the know-how industry, the federal government, and organizations like NIST are collaboratively developing post-quantum cryptography (PQC) solutions that guarantee interoperability and uncompromised security. Interoperability testing, the subsequent phase in the implementation verification process for post-quantum cryptography (PQC), has commenced. The Nationwide Cybersecurity Heart of Excellence (NCCoE), in collaboration with business partners, is proactively promoting vendor interoperability testing to ensure seamless customer adoption during the transition to post-quantum cryptography (PQC). Will the advent of post-quantum cryptographic techniques eventually render classical public-key algorithms obsolete, thus necessitating a comprehensive overhaul of existing cryptographic systems to ensure seamless transition to quantum-safe cryptography? Not fairly. While we are capable of addressing the most pressing threats in real-time, developing entirely quantum-secure products will require additional time.
The development is taking place on interconnected trajectories, where each solution module is independently calibrated to operate within the realm of quantum-secured encryption protocols. Software programs, whether proprietary or open-source, undergo continuous development. Third-party integrations must also meet certification requirements. Components must be made quantum-secure prior to considering the overall response as quantum-secure.
What Comes Subsequent?
Nobody is standing nonetheless. The federal government is accelerating efforts to establish new certification requirements for CC and CSfC. Collaborating closely with business units, government agencies, and regulatory bodies, distributors such as Cisco are working together to establish a shared understanding of the requirements that can be leveraged, even before certification standards are finalized. Successful outcomes stem from collaborative discussions among key project stakeholders. Distributors risk having to reiterate product enhancement processes if they build around a standard that has undergone changes prior to certification. Cisco acknowledges the risk and is actively working to meet current pressing deadlines by delivering products that enable Post-Quantum Cryptography (PQC) as soon as possible.
Share:
