Microsoft announces plan to transition to quantum resilience by 2033

Microsoft is taking a phased approach to ensuring its products meet a post-quantum cryptography standard.

Microsoft is looking to finalize the transition of its products to a post-quantum cryptographic standard by 2033, two years before the 2035 deadline the Biden administration previously recommended to mitigate “as much of the quantum risk as is feasible,” per a 2022 OMB memo. 

Microsoft outlined its approach in a new transition plan released on Wednesday and said it aims to follow three phases in its conversion to a cryptography standard that is resilient to a fault-tolerant quantum computer, with early adoption of quantum-safe systems beginning in 2029. 

Each of the three phases focuses on a specific set of assets to transition: the first covers foundational security components, the second moves to core infrastructure services, and the third ends at all of Microsoft's services and endpoints. This approach aims to tackle the gargantuan task of completely overhauling Microsoft’s suite of digital products and services in an organized and timely manner.

“While scalable quantum computing is not available today, the time to prepare is now,” the plan said. 

Updating the foundational security components hinges on building quantum-safe key exchange mechanisms into Microsoft’s architecture so as to incorporate the available PQC algorithms across the company’s software platforms.

Following this update, core infrastructure services will take security a step further by introducing new authentication and key management into application logins.

All of these updates to security measures will then be available in Microsoft’s endpoint devices that can transmit data between networks. The scope of this project encompasses popular services like Microsoft 365, Azure and other data platforms. 

Microsoft’s plan coincides with requirements and recommended timelines for PQC transitions authored by federal entities, including the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget. 

Federal officials working on PQC and broader quantum information sciences and technology policy have long spoken out about the urgent need for all enterprises to begin moving their code to a PQC standard, following the development and standardization of the first algorithms suited for a post-quantum world. 

In July, Nextgov/FCW reported that OMB had drafted a memorandum that ordered vendors working with federal partners to create their individual phased PQC transition timelines along with cybersecurity requirements to which vendors must adhere. That memo has not yet been released publicly.

Following the release of its plan, Microsoft told Nextgov/FCW that it hopes its tenets can serve as a model for industry and government entities. 

“Because our roadmap aligns with global government timelines that other organizations will also need to meet, it provides a valuable reference point,” Microsoft said in a statement. “Each organization is unique, however, and will need to determine its own plan based on its risk profile and operational needs.”