Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Quantum-safe cryptography standards: what should teams do now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: NIST’s draft quantum-safe standards for CRYSTALS-KYBER, CRYSTALS-DILITHIUM and SPHINCS+ start the transition from theory to implementation, with a 90-day comment period and protocol work already underway for TLS, S/MIME and SSH, according to DigiCert. Crypto inventories and upgrade planning now matter because long-lived data and signatures are already exposed to harvest now, decrypt later risk.

NHIMG editorial — based on content published by DigiCert: NIST Releases Quantum-safe Cryptography Standards: What Happens Now?

By the numbers:

  • NIST has released draft standards for CRYSTALS-KYBER, CRYSTALS-DILITHIUM and SPHINCS+ for a 90-day comment period starting Aug. 24, 2023.

Questions worth separating out

Q: How should security teams prepare for post-quantum cryptography migration?

A: Security teams should start with a full cryptographic inventory, then rank assets by business criticality, data lifespan and trust dependency.

Q: Why does quantum-safe cryptography matter to IAM and NHI programmes?

A: Quantum-safe cryptography matters because identity trust depends on certificates, signatures and secure key exchange across human, machine and workload identities.

Q: What breaks when cryptographic agility is missing?

A: When cryptographic agility is missing, organisations struggle to replace algorithms in production without outages, inconsistent trust chains or delayed renewals.

Practitioner guidance

  • Inventory every cryptographic asset Build a central view of certificates, keys, signing systems and protocol dependencies across production, development and archived data.
  • Classify long-lived trust dependencies Identify where RSA and ECC support protects data or identities that must remain valid for years, including code signing, email signing, archived records and IoT devices.
  • Automate PKI change control Use centralised management to reduce manual certificate handling, shorten rollover time and limit errors during algorithm replacement.

What's in the full article

DigiCert's full blog post covers the operational detail this post intentionally leaves for the source:

  • Protocol-level discussion of how CRYSTALS-KYBER, CRYSTALS-DILITHIUM and SPHINCS+ map into TLS, S/MIME and SSH
  • Guidance on prioritising assets by lifespan, sensitivity and update difficulty before quantum-safe rollout
  • Practical PKI centralisation and automation considerations for certificate replacement at scale
  • Background on the standards process and why the 90-day NIST comment period matters for implementation planning

👉 Read DigiCert's analysis of NIST quantum-safe cryptography standards →

Quantum-safe cryptography standards: what should teams do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Crypto-agility is now an identity governance requirement, not a cryptography side project. Once trust chains span web sessions, signed code, workload certificates and device identities, the ability to replace algorithms without service disruption becomes a governance issue. The article correctly frames the transition as operational, because identity systems will absorb the migration cost long before quantum computers are mainstream. Practitioners should treat cryptographic inventory as a control surface.

A few things that frame the scale:

  • Only 44% of developers are reported to follow security best practices for secrets management, according to The State of Secrets in AppSec.
  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.

A question worth separating out:

Q: Which frameworks should teams use to govern post-quantum readiness?

A: Teams should use the NIST Cybersecurity Framework 2.0 to structure governance, inventory and change management, then map cryptographic migration tasks into existing risk and asset management processes. For identity-heavy environments, the same controls need to cover certificates, workload trust and lifecycle ownership. That keeps post-quantum planning inside normal governance rather than a separate project.

👉 Read our full editorial: NIST quantum-safe standards put crypto agility on the clock



   
ReplyQuote
Share: