Dickson generally agreed that businesses should move as quickly as possible to this advanced encryption, but said that they need to consider many factors, such as cost, when determining a timeline. “There is a cost that determines how fast you can go. It costs money to change [technology],” he said. “[Enterprise CISOs and CIOs] may decide that some items are not updated until you need to change them.”
Urs Würgler, senior management consultant for Swisscom CISSP, a security vendor in Zurich, Switzerland, wrote in a LinkedIn comment about the NIST report, “In terms of technology, the phrase ‘not allowed’ is interesting. There are US agencies that are subject to certain NIST compliance if they must comply with DFARS or FISMA. In this case, compliance with NIST SP 800-171 is required and does not yet refer to PQC.”
“It cannot be said that the PQC has not been included in the concept of implementing the requirements approved by the regions of the country,” Würgler wrote. “The concept of ‘cryptographic agility’ has been discussed for at least 20 years, but its practical implementation remains a challenge. Given the immediate need for PQC, this situation is not good at all.”