Dickson agreed in general that enterprises must move as quickly as they can to this improved encryption, but said a business needs to consider many factors, such as cost, when deciding on a timeline. “There’s a cost factor determining how fast you can go. It costs money to replace [technology],” he said. “[Enterprise CISOs and CIOs] may decide that some things aren’t updated until you have to replace it.”
Urs Würgler, a senior management consultant with Swisscom CISSP, a security vendor in Zurich, Switzerland, wrote in a LinkedIn comment about the NIST report, “In a technical context, the expression ‘disallowed’ is interesting. There are US agencies that are subject to some NIST adherence if they must obey DFARS or FISMA. In this case, NIST SP 800-171 compliance is required and is not yet making reference to PQC.”
“It goes without saying that PQC is not yet referenced in the sense of implementation requirements mandated by nation states,” Würgler wrote. “The concept of ‘cryptographic agility’ has been discussed for at least 20 years, but its practical implementation remains niche. Given the impending need for PQC, this situation is far from ideal.”