#### Step 5: Review the information to be collected during this phase, as illustrated below.

1. The goal is to discover where and how cryptographic products, algorithms and protocols are used by your organization to protect the confidentiality and integrity of your organization’s important data and digital systems.
2. The information collected during this phase will be needed to assess your organization’s quantum risks in the next phase.

![[Pasted image 20241208173217.png]]

#### Step 6: Appoint and empower someone to plan and execute a detailed discovery of where and how public-key cryptography is used by your organization.

1. Normative Reference:
    1. NIST: Special Publication 1800-38B: [Migration to Post Quantum Cryptography, Quantum Readiness: Cryptographic Discovery, December 2023, Preliminary Draft](https://www.nccoe.nist.gov/sites/default/files/2023-12/pqc-migration-nist-sp-1800-38b-preliminary-draft.pdf)
2. Informative References:
    1. IBM Redbook: Chapter 2 - [The journey to quantum protection](https://www.redbooks.ibm.com/redbooks/pdfs/sg248525.pdf), 19 July 2022, pages 15-26
    2. Thales Blog: [Future-Proof Your Crypto Strategy for the Post-Quantum-Age](https://cpl.thalesgroup.com/blog/encryption/future-proof-your-crypto-strategy-post-quantum-age): Insights from CNSA 2.0 and FIPS 140-3, June 27, 2024

[[Preparing a Cryptographic Inventory - An Essential Step Toward Quantum Readiness]]

#### Step 7: Investigate whether using automated tools would facilitate your crypto discovery.

Organizations should balance their security needs with their needs for usability and availability when considering such automated tools.

Informative Reference: NIST: [Migration to Post-Quantum Cryptography: Preparation for Considering the Implementation and Adoption of Quantum Safe Cryptography (Preliminary Draft); Volume A: Executive Summary](https://www.nccoe.nist.gov/sites/default/files/2023-04/pqc-migration-nist-sp-1800-38a-preliminary-draft.pdf)

#### Step 8: Use the results from tasks #6 and #7 to build an inventory of where and how your organization uses public-key cryptography to protect its most important data and IM, IT and OT systems.

Also identify any legacy cryptographic systems being used.

1. Normative References:
    1. CISA, NSA and NIST: [Quantum-Readiness: Migration to Post-Quantum Cryptography](https://www.cisa.gov/sites/default/files/2023-08/Quantum%20Readiness_Final_CLEAR_508c%20%283%29.pdf), 2023, Page 2
2. Informative references:
    1. FS-ISAC: [Infrastructure Inventory Technical Paper](https://www.fsisac.com/hubfs/Knowledge/PQC/InfrastructureInventory.pdf?hsLang=en), March 2023, 19 pages

#### Step 9: Identify the important factors by which public-key cryptography affects the operation and security of your systems and applications (e.g., key sizes, latency and throughput limits, current key establishment protocols, how each cryptographic process is invoked, dependencies).

1. Normative references:
    1. CFDIR QRWG: [[Content Needed to Describe an Organizations Uses of Cryptography]]
    2. CFDIR QRWG: [[Matrix of Cryptography Use Cases]]
2. Informative references:
    1. NIST: [Getting Ready for Post-Quantum Cryptography](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04282021.pdf), Cybersecurity White Paper, April 28, 2021, Page 5

#### Step 10: Analyze the findings from #8 and #9 to develop a prioritized list of your organization’s most important quantum-vulnerable systems that must be protected.

1. Informative reference:
    1. CCCS: ITSAP.00.017 – [Preparing Your Organization for the Quantum Threat to Cryptography](https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017), February 2021, 2 pages
    2. Engineering at Meta: [Post-quantum readiness for TLS at Meta](https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/), May 22, 2024