Guidance (HHS-PQC)

Guidance Document  -- Initial Steps:

• BLUF: The specific content of a guidance document will vary depending on its purpose and target audience. However, the below elements provide a general framework for creating a comprehensive and effective guidance document.  

• General Elements in a Guidance Document: (8 Elements)

  1. Introduction:

     • Purpose: Clearly states the purpose of the document and the target audience.

     • Scope: Defines the specific area or subject matter covered by the document.

     • Overview: Provides a high-level overview of the key topics and recommendations.

  2. Background:

     • Context: Explains the relevant background information and context for the guidance.

     • Problem Statement: Identifies the problem or issue that the guidance aims to address.  

     • Relevant Regulations and Standards: Outlines any applicable regulations, standards, or best practices.

  3. Goals and Objectives (G&O):

     • Goals: Defines the overall objectives of the guidance.

     • Objectives: Specifies the specific, measurable, achievable, relevant, and time-bound (SMART) objectives to achieve the goals.

  4. Key Principles and Recommendations:

     • Key Principles: Provides fundamental principles or guidelines to follow.

     • Recommendations: Offers specific recommendations or best practices to implement.

     • Procedures: Outlines step-by-step procedures for specific tasks or processes.

  5. Implementation Guidance:

     • Implementation Strategies: Provides guidance on how to implement the recommendations.

     • Resource Requirements: Identifies the resources needed for implementation.

     • Timeline: Specifies the timeline for implementation.

  6. Monitoring and Evaluation:

     • Performance Metrics: Defines key performance indicators (KPIs) to measure success.

     • Monitoring Procedures: Describes how to monitor progress and compliance.

     • Evaluation Process: Outlines the process for evaluating the effectiveness of the guidance.

  7. Appendixes (Optional):

     • Supporting Documentation: Includes additional supporting documents, such as checklists, templates, or case studies.

  8. References:

     • Citations: Lists any references or sources used in the document.

PQC Migration  -- Goals & Objectives ("General" Roadmap):

• BLUF: By focusing on these goals and objectives (G&O), HHS can effectively prepare for and execute a successful PQC migration (PQCM), safeguarding their sensitive data while maintaining compliance, interoperability, and cost-efficiency. 

• Goals & Objectives (aka "General" Roadmap): (8 Goals)

  1. Goal 1: Protect Sensitive Data from Quantum Attacks

     • Objective 1.1: Identify systems and applications that use vulnerable cryptographic algorithms.

     • Objective 1.2: Assess the risk associated with each identified system or application.

     • Objective 1.3: Prioritize systems and applications for migration based on risk assessment.

  2. Goal 2: Ensure a Smooth and Secure Migration Process

     • Objective 2.1: Develop a comprehensive migration plan, including timelines, resource allocation, and contingency plans.

     • Objective 2.2: Select appropriate PQC algorithms based on NIST recommendations and security requirements.

     • Objective 2.3: Implement PQC algorithms securely and efficiently into systems and applications.

     • Objective 2.4: Test and validate the PQC implementation to ensure security and functionality.

  3. Goal 3: Maintain Operational Continuity and Minimize Disruptions

     • Objective 3.1: Minimize downtime during the migration process.

     • Objective 3.2: Develop a rollback plan in case of issues or unexpected challenges.

     • Objective 3.3: Provide clear communication and training to staff involved in the migration process.

  4. Goal 4: Stay Updated on PQC Developments and Best Practices

     • Objective 4.1: Monitor NIST recommendations and industry standards for PQC.

     • Objective 4.2: Stay informed about emerging threats and vulnerabilities related to quantum computing.

     • Objective 4.3: Regularly review and update the PQC migration plan to adapt to evolving technologies and threats.

  5. Goal 5: Ensure Regulatory Compliance

     • Objective 5.1: Identify relevant regulations and industry standards that impact the use of PQC.

     • Objective 5.2: Assess the compliance impact of the PQC migration.

     • Objective 5.3: Develop a compliance plan to ensure adherence to regulations and standards.

  6. Goal 6: Maintain Interoperability

     • Objective 6.1: Identify systems and organizations that may be affected by the PQC migration.

     • Objective 6.2: Assess the interoperability impact of the PQC migration.

     • Objective 6.3: Develop an interoperability plan to minimize disruptions.

  7. Goal 7: Optimize Resource Allocation and Minimize Costs

     • Objective 7.1: Identify the resources required for the PQC migration.

     • Objective 7.2: Develop a cost-effective migration strategy.

     • Objective 7.3: Monitor and control costs throughout the migration process.

  8. Goal 8: Adhere to Security Best Practices

     • Objective 8.1: Develop and implement a robust security framework for the PQC migration.

     • Objective 8.2: Conduct regular security assessments and vulnerability scans.

     • Objective 8.3: Train staff on security best practices related to PQC.

HHS  PQC Migration Guidance Document  --(Initial 1st Draft):

• BLUF: By following this guidance document, HHS can effectively transition to PQC and protect its sensitive data from future quantum threats.  

• Initial 1st Draft: (8 Elements)

  1. Introduction

     • Purpose: This guidance document outlines a strategic approach for the Department of Health and Human Services (HHS) to transition to Post-Quantum Cryptography (PQC) and mitigate the risks of quantum computing advances.

     • Scope: This document covers identifying vulnerable systems, risk assessment, selection of appropriate PQC algorithms, implementation strategies, security considerations, and ongoing monitoring.

     • Overview: The document provides a high-level overview of the PQC migration process, including key milestones, timelines, and resource requirements.

  2. Background

     • Context: Quantum computing has the potential to break classical cryptographic algorithms, compromising the confidentiality, integrity, and availability of sensitive HHS data.

     • Problem Statement: HHS systems and applications rely on classical cryptographic algorithms that may be vulnerable to future quantum attacks.

     • Relevant Regulations and Standards: This guidance document aligns with federal cybersecurity directives, NIST standards, and industry best practices.

  3. Goals and Objectives (3 High-Level Goals)

     • Goal 1: Protect Sensitive HHS Data

       1. Objective 1.1: Identify systems and applications that use vulnerable cryptographic algorithms.

       2. Objective 1.2: Assess the risk associated with each identified system or application.

       3. Objective 1.3: Prioritize systems and applications for migration based on risk assessment.

     • Goal 2: Ensure a Smooth and Secure Migration Process

       1. Objective 2.1: Develop a comprehensive migration plan, including timelines, resource allocation, and contingency plans.

       2. Objective 2.2: Select appropriate PQC algorithms based on NIST recommendations and security requirements.

       3. Objective 2.3: Implement PQC algorithms securely and efficiently into HHS systems and applications.

       4. Objective 2.4: Test and validate the PQC implementation to ensure security and functionality.

     • Goal 3: Maintain Operational Continuity and Minimize Disruptions

       1. Objective 3.1: Minimize downtime during the migration process.

       2. Objective 3.2: Develop a rollback plan in case of issues or unexpected challenges.

       3. Objective 3.3: Provide clear communication and training to HHS staff involved in the migration process.

  4. Key Principles and Recommendations

     • Prioritize High-Risk Systems: Focus on systems handling highly sensitive data or critical infrastructure.

     • Adopt NIST-Recommended Algorithms: Use NIST-recommended PQC algorithms to ensure security and interoperability.

     • Implement Strong Key Management Practices: Establish robust key management practices to protect cryptographic keys.

     • Conduct Regular Security Assessments: Perform regular security assessments to identify and address vulnerabilities.

     • Stay Informed on PQC Developments: Monitor emerging PQC technologies and best practices.

  5. Implementation Guidance

     • Identify Vulnerable Systems: Conduct a comprehensive inventory of systems and applications.

     • Assess Risk: Evaluate the risk associated with each system based on data sensitivity and potential impact.

     • Select PQC Algorithms: Choose appropriate PQC algorithms based on NIST recommendations and specific use cases.

     • Develop a Migration Plan: Create a detailed migration plan, including timelines, resource allocation, and testing strategies.

     • Implement PQC: Deploy PQC algorithms securely and efficiently, considering compatibility and performance.

     • Test and Validate: Conduct rigorous testing to ensure the security and functionality of the PQC implementation.

  6. Monitoring and Evaluation

     • Performance Metrics: Track key performance indicators, such as system uptime, security incident rates, and compliance with security standards.

     • Monitoring Procedures: Implement regular monitoring and logging to detect and respond to security threats.

     • Evaluation Process: Conduct periodic evaluations to assess the effectiveness of the PQC migration and identify areas for improvement.

  7. Appendixes

     • Appendix A: NIST PQC Algorithm Recommendations

     • Appendix B: PQC Implementation Guidelines

     • Appendix C: Security Best Practices for PQC

  8. References

     • NIST PQC Standardization Process

     • Relevant Cybersecurity Frameworks and Standards