Quantum Security & PQC News

CISA Unveils Plan to Automate Post-Quantum Crypto Inventory

17 Aug 2024 – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a “Strategy for Migrating to Automated Post-Quantum Cryptography Discovery and Inventory Tools” on August 15, 2024.

In essence, this strategy is a roadmap for federal civilian agencies to identify where they are using cryptography that will be vulnerable to quantum attacks, using automated tools to create an inventory of those systems. The release comes in direct response to White House directives – notably OMB Memorandum M-23-02 (issued Nov 2022) and National Security Memorandum-10 (NSM-10) – which called for urgent preparation for post-quantum cryptography (PQC) across the federal government. CISA’s strategy, developed in consultation with NIST and NSA, lays out who needs to act (federal civilian agencies), what needs to be done (automate cryptographic inventory), when (starting now, with milestones through the late 2020s), why (the looming threat of quantum computers that could break today’s encryption), and how (by developing Automated Cryptography Discovery and Inventory tools integrated into existing security programs).

Why now?

National Security Memo-10 warns that a future cryptanalytically-relevant quantum computer (CRQC) could eventually crack widely used encryption, jeopardizing federal systems. Adversaries might even steal encrypted data now and decrypt it later once quantum capabilities are available – a “harvest-now, decrypt-later” scenario. In light of this, OMB’s memo M-23-02 mandated agencies to inventory all cryptographic systems using quantum-vulnerable algorithms (think RSA, ECC, Diffie-Hellman, etc.) and report those to the Office of the National Cyber Director (ONCD) and CISA. That memo also tasked CISA to devise a strategy for automated tooling to support tracking progress toward adopting PQC. CISA’s newly published strategy fulfills that task – providing a game plan to use automation for discovering cryptography in use and measuring agencies’ migration progress.

What’s in the strategy?

At its core, the plan calls for deploying Automated Cryptography Discovery and Inventory (ACDI) tools across federal civilian executive branch (FCEB) networks. These tools will scan both cloud-based and on-premises systems to find instances of cryptographic algorithms and gather key details like algorithm type and key length. The primary goal is to enable CISA and ONCD to assess each agency’s progress in transitioning to PQC. By using ACDI tools, agencies can build an inventory of all information systems and assets containing “CRQC-vulnerable” cryptography – essentially any encryption that could be broken by a powerful quantum computer. Importantly, this inventory will feed into an annual reporting process to CISA/ONCD (as required by policy), tracking how the transition to quantum-safe solutions is advancing. In short, agencies will move from ad-hoc spreadsheet reports to a more automated, continuous inventory of their vulnerable crypto assets.

The strategy also details how these tools integrate with existing federal cybersecurity frameworks. One key integration is with CISA’s Continuous Diagnostics and Mitigation (CDM) program – the government’s baseline system for monitoring assets and vulnerabilities. CISA intends to plug the new crypto-discovery capabilities into CDM so that cryptographic assets are detected and reported through the same dashboards agencies already use for cybersecurity monitoring. This means expanding CDM’s data model and sensor suite to capture cryptographic information. As the report notes, CDM’s current dashboards and analytics will need to be expanded to support new data elements from ACDI tools. For example, the inventory tools might identify an application using RSA-2048 for digital signatures; CDM would record that algorithm and key length, enabling analysts to see which systems still rely on legacy algorithms.

Another integration point is CyberScope, the platform used for federal agencies’ FISMA security reporting. Agencies initially submitted their “quantum-vulnerable crypto” inventories via spreadsheet, but OMB is updating FISMA requirements to include PQC transition metrics. Once that happens, CyberScope will be updated to accept the new data fields, so agencies can report their crypto inventories and progress via the centralized CyberScope interface instead of manual forms. In effect, the strategy envisions a future where an agency’s dashboard can automatically show how much of its environment is quantum-ready, and annual compliance reports will draw from this data directly.

Who and what is prioritized?

CISA’s guidance urges agencies to focus first on their highest-impact and most sensitive systems. That includes any High-Impact systems (as defined by FISMA), High Value Assets (HVAs), and any other systems “likely to be particularly vulnerable to CRQC-based attacks,” especially those containing data that must remain confidential through 2035. The year 2035 is highlighted as a notional horizon – information that needs to stay secure until 2035 (or beyond) is at risk of quantum decryption if intercepted now. So, an agency might start by inventorying systems holding state secrets or personal data that will still be sensitive a decade from now, since those are targets for adversaries looking to exploit quantum breakthroughs in the future.

The strategy also clarifies that “cryptographic systems” in this context means any hardware or software implementation of cryptography providing key exchange, encrypted communication, or digital signatures – in other words, everything from VPNs and web servers using TLS, to code-signing tools, to IoT devices doing encrypted messaging. All of these need to be discovered and catalogued if they use vulnerable algorithms.
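As an added illustration (not CISA's tooling and not any vendor's ACDI product), the following Python sketch takes discovered assets carrying the fields the text says CDM would record (algorithm, key length) and ranks the CRQC-vulnerable ones by the prioritization above: high-impact/HVA systems first, then data that must stay confidential through 2035. The asset fields, the priority order and all sample records are my own assumptions and constructed data.

```python
"""Added example, not CISA's or any vendor's ACDI tool: take discovered
cryptographic assets (the algorithm and key length the page says CDM would
record) and rank the CRQC-vulnerable ones by the strategy's priorities.
All records below are constructed samples."""
from dataclasses import dataclass, asdict

# Public-key families that Shor's algorithm breaks. Symmetric ciphers and
# hashes are deliberately absent: a CRQC weakens but does not break them.
CRQC_VULNERABLE = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA",
                   "ED25519", "X25519"}
HORIZON_YEAR = 2035  # notional confidentiality horizon from the strategy


@dataclass
class CryptoAsset:
    system: str
    algorithm: str
    key_bits: int
    use: str                  # "key_exchange", "signature" or "encryption"
    high_impact: bool         # FISMA High-Impact system or HVA
    confidential_until: int   # year the data must still be confidential


def is_crqc_vulnerable(asset: CryptoAsset) -> bool:
    return asset.algorithm.upper() in CRQC_VULNERABLE


def priority(asset: CryptoAsset) -> tuple:
    """Sort key; lower sorts first. Order of concerns: high-impact/HVA
    systems, then data that must stay secret past 2035 (harvest-now,
    decrypt-later exposure), then key exchange before signatures, since
    recorded key exchanges are what an adversary can decrypt later."""
    return (not asset.high_impact,
            asset.confidential_until < HORIZON_YEAR,
            asset.use != "key_exchange",
            asset.system)


def build_inventory(assets):
    """Return the CRQC-vulnerable assets as dicts, most urgent first."""
    vulnerable = [a for a in assets if is_crqc_vulnerable(a)]
    return [asdict(a) for a in sorted(vulnerable, key=priority)]


SAMPLE_ASSETS = [  # constructed; not data from any real agency
    CryptoAsset("vpn-gw-01", "ECDHE", 256, "key_exchange", True, 2040),
    CryptoAsset("web-portal", "RSA", 2048, "signature", False, 2027),
    CryptoAsset("backup-svc", "AES", 256, "encryption", True, 2045),
    CryptoAsset("hr-db", "RSA", 3072, "key_exchange", True, 2036),
    CryptoAsset("iot-sensor", "ECDSA", 256, "signature", False, 2038),
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_ASSETS):
        print(row["system"], row["algorithm"], row["key_bits"], row["use"])
```

The AES record drops out of the vulnerable list on purpose: the inventory the strategy asks for is of quantum-vulnerable public-key cryptography, and symmetric key sizes are a separate review.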

Key implementation steps and timeline

To turn this strategy into reality, CISA lays out a series of phased actions and milestones (with collaboration from NIST, NSA, and the agencies themselves). Some of the notable steps include:

Tool Assessment (2024): NIST will evaluate the state of cryptographic discovery tools in the market, assessing their capabilities and gaps. (This leverages NIST’s NCCoE “Migration to PQC” project, where over 28 industry partners are already working with discovery tools.) The outcome will inform which tools are “suitable” for government use.

Pilot Integration (2024–25): Once viable ACDI tools are identified, CISA will conduct a pilot program to integrate these tools with the CDM platform. The pilot will determine the best way to feed tool outputs into CDM’s dashboards and databases, and what data elements/interfaces are needed. During the pilot, CISA plans a comparative analysis: how much can the tools discover vs. what was previously only found via manual inventory. CISA has committed to share results of this pilot within 180 days of its start.

CyberScope Updates (by 2025): In parallel, OMB is expected to update FISMA reporting requirements to cover PQC transition progress. Within about a year of the pilot, CISA will enhance CyberScope to support the new PQC metrics. This will shift agency reporting from the current spreadsheet-based method to the standardized CyberScope forms for crypto inventory data.

CDM Integration (within 1 year post-pilot): Within 360 days after the pilot’s completion, CISA will roll out updates to the CDM program to fully support the integrated discovery tools. This means updated CDM sensors (potentially new plugins or scanners for crypto), an expanded data model to record cryptographic algorithm info, and new dashboard views/analytics for PQC readiness. CISA will also begin maintaining a “PQC-compliant products” list – essentially a list of approved or available products that have implemented post-quantum crypto – and update it over time. Agencies can compare this list against their inventory to identify which systems still need upgrades.

Wider Deployment (2025–2026): Within 120 days of the pilot’s completion, agencies are expected to start planning deployment of ACDI tools to any environments not covered by CDM. This ensures that even systems and networks that aren’t under the regular CDM monitoring (for example, certain legacy systems or contractor-operated systems) will be scanned for vulnerable cryptography. By 2026 and beyond, the goal is for agencies to have these tools broadly in use, continuously updating their cryptographic asset inventory.

Ongoing Updates and PQC Transition: The strategy is intended to be a living document – CISA, NSA, and NIST will provide annual updates as needed as technology evolves. The ultimate aim is that by the early 2030s (well ahead of any predicted cryptographic apocalypse), agencies will have completed much of their PQC transition. CISA will use data from CyberScope reports and CDM dashboards to spot any agencies or systems lagging in the transition, and will offer support or mitigation guidance where needed. This could include helping agencies address particularly stubborn crypto implementations or finding workarounds for products that have no quantum-safe upgrade ready.


Overall, CISA’s strategy – produced in partnership with NIST and NSA – is a federally coordinated push to inventory and ultimately replace vulnerable encryption before quantum computers arrive. It marries new automated scanning technology with existing cybersecurity infrastructure (like CDM and FISMA reporting) to ensure that progress can be tracked and guided at a national level. As NIST prepares the new PQC algorithms for standardization (the first of which were just announced in 2022 and expected to be finalized in 2024), efforts like this inventory are laying the groundwork so agencies know where those new algorithms will need to be implemented.

My Perspective – A Critical Step Toward PQC

I find CISA’s move both highly strategic and very welcome. This is more than just a bureaucratic checklist – it’s a recognition that you can’t protect what you haven’t discovered. In my experience, many organizations (government or otherwise) struggle to catalog all the cryptography running in their environments. Algorithms lurk everywhere: in obvious places like VPN appliances, and in less visible ones like internal software libraries or IoT device firmware. Manually auditing all of that is a herculean task, prone to human error and quickly out-of-date. CISA’s push for automated cryptography discovery is a crucial modernization, bringing scale and consistency to the problem of crypto inventory. It signals to the market that there’s a real demand for tools that can sniff out cryptographic algorithms across large networks – and that those tools will be supported and integrated at the federal level.

Importantly, the strategy zeroes in on a pain point we’ve seen first-hand: organizations often don’t know all the places they’re using vulnerable crypto. And if you don’t know, you certainly can’t fix it. By prioritizing high-impact and long-lived sensitive systems (data that must remain secure through 2035), CISA is being pragmatic. Those are the systems an adversary is likely to target for “collect now, decrypt later” operations. I strongly agree with this risk-based focus. It mirrors how we advise clients: tackle your most sensitive exposures first. If, say, an agency has a database of state secrets protected by classical RSA, that needs to be identified and slated for upgrade to a quantum-resistant algorithm ASAP. Lower-impact systems come next. This phased approach buys down the highest risk early.

That said, it’s clear (and the document openly admits) that the tools to do this are still maturing. There are real challenges to making automated crypto discovery effective in practice:

Embedded and Custom Cryptography: Many software products include cryptographic functions “baked in.” These could be custom encryption routines or proprietary implementations hidden inside applications. CISA acknowledges it’s not sure if current discovery tools can detect algorithms embedded in software packages or custom code. This is a big challenge – a tool might scan binaries or network traffic and still miss a subtle use of cryptography in an obscure subsystem. Improving detection of embedded crypto (perhaps via deeper code analysis or vendor disclosures) will be vital.

Vendor Black Boxes: Agencies rely on third-party software and hardware, where they can’t directly see the code. The strategy notes that automated tools may not discover crypto used inside commercial off-the-shelf products, so agencies might have to ask vendors to provide details and then track those manually. In practice, this means building a process to work with vendors – perhaps akin to a “cryptography bill of materials” for each product. Getting vendors on board could be tricky, but if CISA sets a reporting expectation, industry will likely follow suit (especially for government sales).

Coverage and Accuracy: The current generation of ACDI tools is “in various stages of development”. Some can scan file systems for known crypto libraries, others might analyze network handshakes to log what algorithms are negotiated. But none are perfect. They might produce false positives or miss things if not configured right. Part of the forthcoming pilot will test how well these tools find crypto versus manual methods – a smart move to establish a baseline of trust. It’s also possible multiple tools in combination will be needed to get full coverage (one for network scanning, one for static code analysis, etc.). Ensuring these tools don’t overwhelm analysts with data, and integrating the results into existing workflows (like CDM dashboards), will be key to success.

Resource and Skill Gaps: While automation reduces manual effort, agencies will still need skilled personnel to validate and interpret the findings. For example, if a tool flags that a server supports RSA and AES, someone must decide what to do – perhaps it’s using RSA only for a backup process and needs a specific fix. Training and guidance will be needed so that agency staff can act on the inventory data and prioritize replacements or upgrades. CISA’s involvement (e.g. offering support to agencies struggling with implementation) is reassuring – a centralized assist can spread best practices and help less-resourced agencies catch up.
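To make the coverage-and-accuracy point concrete, here is an added example (my own, not one of the ACDI tools the strategy refers to) of the handshake-analysis approach: it derives a per-server key-exchange inventory from TLS handshake log lines and shows two places such a tool can go wrong, TLS 1.3 suite names that do not name the key exchange, and suites the parser cannot classify. The tab-separated log format and every line in it are constructed for this example.

```python
"""Added example, not one of the ACDI tools under evaluation: derive a
per-server key-exchange inventory from TLS handshake log lines. The
tab-separated format (server, version, cipher, group) and the lines are
constructed for this example; they are not real captures."""
import re
from collections import defaultdict

# TLS 1.2-style suite names carry the key exchange: TLS_<kex>[_<auth>]_WITH_...
# A lone token (TLS_RSA_WITH_...) means RSA key transport, no forward secrecy.
SUITE_RE = re.compile(r"^TLS_([A-Z]+)(?:_([A-Z]+))?_WITH_")
# Every key exchange a classical TLS stack negotiates is RSA or (EC)DH,
# all of which a CRQC breaks; 'unknown' means the tool could not tell.
VULNERABLE_KEX = {"RSA", "DHE", "ECDHE", "x25519", "secp256r1",
                  "secp384r1", "ffdhe2048", "ffdhe3072"}


def key_exchange(version, cipher, group):
    """Name the negotiated key exchange or 'unknown'. TLS 1.3 suite names
    (TLS_AES_..., TLS_CHACHA20_...) omit it, so only the negotiated
    group field can answer; a parser that ignores this mislabels 1.3."""
    if version == "TLSv13":
        return group if group and group != "-" else "unknown"
    m = SUITE_RE.match(cipher)
    return m.group(1) if m else "unknown"


def parse_log(lines):
    """Map server -> set of key exchanges actually negotiated. A handshake
    log records what was negotiated, not every algorithm the server
    supports, so a server absent here is not proven quantum-safe."""
    inventory = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        server, version, cipher, group = line.split("\t")
        inventory[server].add(key_exchange(version, cipher, group))
    return dict(inventory)


def crqc_vulnerable_servers(inventory):
    return {s for s, kex in inventory.items() if kex & VULNERABLE_KEX}


def needs_followup(inventory):
    """Servers whose handshake the parser could not classify; these go to
    an analyst rather than silently counting as safe (false negatives)."""
    return {s for s, kex in inventory.items() if "unknown" in kex}


SAMPLE_LOG = """\
#server\tversion\tcipher\tgroup
web-portal\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tsecp256r1
web-portal\tTLSv13\tTLS_AES_256_GCM_SHA384\tx25519
legacy-app\tTLSv12\tTLS_RSA_WITH_AES_128_CBC_SHA\t-
kiosk\tTLSv12\tSSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA\t-
""".splitlines()

if __name__ == "__main__":
    inv = parse_log(SAMPLE_LOG)
    print("vulnerable:", sorted(crqc_vulnerable_servers(inv)))
    print("follow up:", sorted(needs_followup(inv)))
```

The "kiosk" entry is the case the pilot's manual-versus-automated comparison is meant to surface: a tool that reported only what it could classify would count that host as clean.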

From a strategic viewpoint, this effort fits neatly into the broader transition to post-quantum cryptography. It’s one piece of a larger puzzle: NIST is standardizing new algorithms, NSA is guiding national security systems on adoption timelines, and OMB is crafting policy to mandate progress. Now CISA is providing the tooling and execution framework for civilian agencies to actually get it done in practice. I’d argue this inventory phase is the foundational step. Only once you have a reliable inventory can you set a roadmap for migrating each system to PQC (and track how far along you are). It also helps in measuring risk over time – e.g., if by 2025 an agency still has 80% of its high-value systems using legacy crypto, that’s a red flag that can be addressed before it’s too late.

Another important aspect is the collaboration between CISA, NIST, and NSA. Historically, NIST provides standards (like the forthcoming PQC algorithm standards) and NCCoE projects to demonstrate implementations, NSA often drives requirements for national security systems, and CISA operationalizes guidance for civilian agencies. Here we see all three working in concert. This unified approach means the federal government is less likely to send mixed messages to industry or agencies. For example, if NIST (through NCCoE) finds that certain discovery tools perform well, that insight can flow into CISA’s guidance updates. Likewise, NSA’s expertise in cryptography ensures the inventory strategy aligns with intelligence community needs and threat models. As someone in the industry, I appreciate when government aligns its stars – it creates clearer targets for us to build solutions against.

I’m generally very supportive of CISA’s effort here. It strikes the right balance between urgency and realism. The timeline extending into the late 2020s acknowledges this won’t happen overnight – replacing encryption across large organizations is a multi-year marathon. But kicking off pilots now, and planning incremental upgrades (CyberScope update, CDM integration, etc.), shows proactive leadership. It’s much better than waiting until 2030 and then panicking about looming quantum threats. By that time, if all goes well, agencies will have a continuously updated dashboard of their crypto posture and a clear idea of what still needs fixing.

Of course, success will depend on execution. I’ll be watching to see how the pilot integration in 2024–25 plays out.

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.


Marin

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.