NIST Standards Are Officially Finalized – Now What?

They’re finally here. Just a few weeks ago, the National Institute of Standards and Technology (NIST) finalized three of the four post-quantum cryptographic (PQC) algorithms, making us one step closer to the standards’ finalization. 

For background, NIST began this initiative back in 2016, when they called on the industry’s leading cryptographers to design and vet encryption options safe from breaking in a post-quantum (PQ) world. Then, in 2022, NIST selected the four winning algorithms that would be considered for the new PQC standards set to be finalized in the years ahead: CRYSTALS-KYBER (ML-KEM), which was designed for encryption, as well as CRYSTALS-Dilithium (ML-DSA), Falcon, and SPHINCS+ (SHL-DSA), which were intended to verify digital signatures. 

Flash forward to today: now, three of four algorithms are officially finalized as part of NIST’s PQC standards. This might leave security leaders asking, “What does this mean; What can we do?” 

Keyfactor’s CSO Chris Hickman breaks down the impact of the new algorithms on enterprise security teams.

With the finalization of the NIST cryptographic algorithms, organizations now have the tools needed to safeguard against the quantum threat. Below are the steps security teams need to take to ensure they are marching swiftly to PQC-readiness.

The first step business leaders need to take is to fully grasp that the PQC transition will take time. Keyfactor’s 2024 PKI & Digital Trust Report found that most organizations believe the transition to PQC will take about four years. But in reality, experts believe it will take 8-10 years to do it correctly. 

Without visibility into all the cryptographic assets across your organization, it is impossible to start the actual transition of those assets. Creating that inventory can take a lot of manpower. We strongly recommend investing in tools, such as Keyfactor’s EJBCA Enterprise Platform, to gather all of your cryptographic assets into one place. Leveraging automation ensures that no asset is left behind, while allowing IT and security teams to focus on other high priorities simultaneously.

Once all cryptographic assets are accounted for, businesses should create a clear implementation strategy. Some key steps that should be included in the strategic planning process:

• Determine a realistic budget that works for your organization
• Identify the tools your teams will need for a successful migration to PQC and which parts of the transition should leverage automation
• Lay out the exact timeline and steps to take
• Outline the responsibilities of each IT and security team member
• Set realistic deadlines for each stage

By accounting for these strategic elements, your team can ensure the most seamless transition possible. 

With a plan in place and organizational-wide visibility across all cryptographic assets, security teams should then start testing NIST’s PQC initial suite of finalized algorithms in sandbox environments. 

Teams can leverage Keyfactor’s PQC Lab – a free SaaS-based version of Keyfactor’s PKI platform, EJBCA Enterprise, that’s pre-configured to issue quantum-resilient certificates. The PQC Lab provides a quick and easy way for users to test and better understand the impacts of these changes on their infrastructure without impacting production environments.

Businesses should also test their crypto-agility to understand how quickly they can manage, update, and secure machine identities within their PKI infrastructure. This is a critical step in the PQC journey.

For more resources on the migration to PQC, check out Keyfactor’s PQC Lab page, which features helpful videos directly from the experts on our team. 

And, remember that the journey to PQC-readiness is a collaborative one. As with most complex security scenarios, there is no single solution.

If you’re interested in learning more about how Keyactor can be a dependable resource for you in the post-quantum world, let’s connect.