July 3, 2026

Trust in hardware has been a long-time pursuit of mine dating back to the early 2000s when NSA was rolling out the HAIPE program, the Trusted Computing program, which leveraged the standards of the Trusted Computing Group, and the NSA Commercial Solutions for Classified program. It was during that time, when I was at IBM, that I had the opportunity to engage with Jon Rolf who was working at NSA and driving these programs. Jon had a long and noteworthy career at NSA, recently ending as the Director of NIAP and overseeing the Common Criteria program. Our paths crossed recently and I was delighted to offer Jon an opportunity to join me in a podcast to get his thoughts about his time at NIAP and where Common Criteria is headed. Check out the podcast or read the web interview below to learn more!



Spotlight on Mr. Jonathan Rolf

» Title: Independent cybersecurity consultant and founder of Rolf Cyber LLC; Former Director of NIAP

» Email: jcrolf2@yahoo.com

» LinkedIn: linkedin.com/in/jonathan-rolf-39149815

Check out his bio below.


Chris Daly: So, Jon, you just recently retired from the NSA and from your job at the National Information Assurance Partnership (NIAP). While you were at NIAP, I’d like to know what you were finding as the main issues and challenges.

Mr. Jon Rolf, Former Director of NIAP, founder of Rolf Cyber LLC: For the last three years that I was at NIAP, we were pushing a lot of change and I think we’re seeing the outcomes of that now. One of the biggest changes we saw was that each nation’s standards organization was pushing a cybersecurity agenda. One important one was the EU pushing out their security mandates, goals, and Common Criteria rollout. So, we tracked with that and as they got things in order and as we were doing things on our side, there was a big push towards how do the vendors see mutual recognition. How do we partner, work with them? It’s an ongoing thing and we didn’t solve that, but we got some things in place where the EU had their system in place for Common Criteria and we have our whole structure of Common Criteria recognition arrangement between 36 countries and it continues to grow.

And the challenge there is how do you maintain this level of mutual recognition, include the EU structure, and add more participating countries in this longstanding, over 25-year agreement. So that was a big thing that we were working on in the past three years and NIAP continues to work at it. As of now, I’m an outside person, but I’ve still attended a lot of the sessions and briefed at the Common Criteria type meetings that are going on annually. I’ll be briefing at the upcoming International Common Criteria Conference in Italy this year too, talking about this topic. Mutual recognition is a big issue. The vendors are seeing how they maneuver through that. So that was number one challenge during my time at NIAP.

The other thing has been this constant churn in technologies and looking at how it affects NIAP and Common Criteria. Cloud technologies are the big ones we looked at – we had some really smart team members in the NSA looking at cloud technologies. NIAP Common Criteria is traditionally very structured and based on a point-in-time product. You evaluate the security capabilities, the requirements and test it and validate it. And as you know, Chris, cloud is ever changing – not a single point-in-time product. Which baseline should you test? How do you standardize on such a dynamic? How do you look at that? And so, you work within, looking at Common Criteria, put a structure in place. We had a lot of people looking at the framework to develop guidance on cloud. So there’s guidance out there at NIAP on cloud, but again, there is ongoing work with things like the FedRAMP certification in the US, and comparing our approach to cloud with other countries’ certification schemes.

And again, it’s an international theme you’re seeing on the technology change challenge as well – how do you partner with other nations and look at those things?

A third big challenge we have people looking at right now is supply chain. How do you know what’s in your baseline, what’s in the product, what’s being tested and that whole idea of vulnerability tracking. How do you respond to vulnerabilities quickly and in a way that doesn’t put systems at harm or the people on those systems at harm.

And for a fourth challenge, as we had talked earlier before the session here, Chris, is the impact of AI. AI is this big area that’s kind of stressing us to figure out how you define, how do you test, how do you look at that?

But that’s kind of a future look.

One of my big pushes while at NIAP, and even before that when we worked together, Chris, was on technologies like trusted computing and other trusted compute technologies. The main recurring theme is how do you involve industry? How do you validate those technologies? And in general, at NIAP, it’s how did you involve them in coming in and being able to test, being able to put new versions on the roadmap. Having products certified and ready for the government is different for each product – each product family has a different lifecycle. For example, if you look at something like cellular, it’s a constant six-month cycle of a new product being developed and released. How does a vendor program for that when it takes hundreds of thousands or maybe even upwards of a million dollars to have a certification scheme in place annually and keep those products constantly pushed out and available for the customers to meet mandates and regulations from the government?

And the final thing I’ll kind of throw in there, which the government’s going through right now, is a resourcing and budgeting challenge, which is huge. How do you keep the contracts in place? How do you keep the people there and how do you partner with industry and put the right dollars in right places there?

Active Cyber™: I can see that last challenge being a big one these days.

So, I know also in your history and probably some of the stuff you worked on at NIAP and other places was crypto. Right now quantum computing and post quantum cryptography is kind of a big emerging issue and I know that you’ve been involved in that. What do you see as the key concerns regarding the quantum threat and how does that translate into an economic impact?

Mr. Jon Rolf: Okay. On the whole quantum thing, I think we hit this podcast at just the right time. President Trump recently signed a memo that said we’re going to lead the world in quantum computing and we’re going to start addressing the whole post quantum cryptography push out there. And a couple days later, the Department of War drops their whole strategy of where things are going with post quantum. And as a precursor to that, my old organizations, NSA and NIAP, we’re already working things out. For example, there’s the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), which is kind of the mandate for national security systems on the commercial algorithm suite which will address all the post quantum concerns.

I think everybody this year is coming to the realization that it has to happen now. It’s not something that’s five years in the future. As you mentioned, we have a whole host of mathematicians that are saying it’s real, the harvest and decrypt later kind of problem is there, people are acknowledging it across the board. And you’re getting different industry participants like Google calling out earlier dates of a cryptographically relevant quantum computer and things they’re concerned with. [See recent Microsoft announcement.] There are deadlines now that people want to meet. The Department of War has laid out a structure of how they’re going to get there and how they’re going to report that.

Going through the next year, it’s going to be a big task to figure out what you have, how you are going to mitigate, how you are going to roll the new algorithms out. And when a relevant quantum computer drops, the problems start. And as you looked at some of the solutions and we did, we know that the issues surface in many areas – whether it’s the firmware upgrades that depend on the asymmetric algorithms or it’s the key exchanges and things like that that will cause problems.

So that’s kind of all mapped and identified that those need to progress. But of course there remain other core concerns on how do you put systems out there that can be fully updated securely with the post quantum algorithms along with signatures and the hashing and the secure boot up processes to allow further upgrades in the field.

Active Cyber™: So I heard you say a couple things about the timeline, it’s now and that really gets into the harvest now decrypt later type of threat. And in terms of a quantum computer that can start to actually do what everybody fears, is that timeline, what, 2030, sooner? What are we looking at here?

Mr. Jon Rolf: I attended a conference this year where the NSA and NIST put the timeline out there. I’ve got projects I’m working on how you map to these dates. The US government is setting up next year, 2027, for putting acquisition mandates in place, basically saying if you’re buying products, you need to be addressing post quantum crypto.

Some of the hard cutoff dates are 2030 and 31 end of year – the algorithms all need to be in place. You must have the ability at the end of the year to turn off the algorithms that are at risk. So there’s a scramble right now and questions coming in from vendors to the government of what does this mean? What people are hearing is that starting 2027 going through this 2031, we want things in place and operational to drive things. Things like key management infrastructure, certificate base, things like that, those are the first problems they want to try to handle. There are bigger problems to deploy and provide a solution across the enterprise. So yes, those are some of the dates, and there’s a hard push now.

With the strategy set, the main recommendation is to know what you have in your inventory and have a really well-thought-out plan of getting to a post quantum state. I’ve had some discussions with some of the vendors and the point is you can’t turn it on overnight. It’s not a switch that happens and things come out. So, there are strategies and roadmaps and things like that. And one of the things that I’m hoping to see happen over the next couple years is to start publishing these strategies and measure where on the roadmap organizations are at. People are investing right now and putting things in place, but how do you ensure you are making the right acquisition decisions? So it’s a conversation and an understanding of where industry is.

The other piece of the puzzle is you need to provide some funding by the government side to push things forward quicker because the whole lifecycle of chipsets and low level hardware, as you know from some of the things we looked at in trusted computing, doesn’t happen on a one or two-year cycle. I mean, those manufacturers are looking five or more years out. So government might need to step into some of those areas to accelerate development to get some of the things they need. And that’s some of the things I think that are going to float up to the top of agendas in the next year or so.

Active Cyber™: So we’re talking about the vendors getting ready, but what about the government getting ready? I mean, doing all the evaluations that you’d still have to do to approve these products, are they resourced and ready to go once the flood of these products start hitting the government?

Mr. Jon Rolf: You’re hitting all the good questions, Chris. Let me tell you. The answer is probably governments can’t handle everything at the beginning of the rush. As I mentioned earlier, there is a concern over budget and resourcing. Making sure the people you need are there when you get a government shutdown and contracts shutdown, that has an effect. So I think there’s a real concern. The process is there that can meet those kinds of numbers for testing and validation. Is the capacity there right now? It’s something that over the next year of staffing requests and budget upgrades, I think they need to be concerned about. It’s a very good question. So governments want to be there but they are going to be pushed hard to meet their responsibilities and work with the industry.

People at NIST who are doing the whole CNSA 2.0 algorithm validations, I think they’ve shown some capability to modernize and put systems in place. So, as for the algorithm testing and validation, that’s in place and I think the NIST schedule can meet the projected critical milestones of the timeline. But when you get into some of the larger scale, whole system testing, and if everybody hits at the same time, it could be somewhat of a problem.

Active Cyber™: Would mutual recognition via international collaboration help to assuage the demand for government validation and evaluation testing, you think? Or would we be reluctant to accept on the crypto side stuff that, for example, Italy did or Germany did or France did?

Mr. Jon Rolf: Crypto is kind of a US-held specialty. I don’t know how you want to put it, but on all the protection profiles, in general, the answer is there are some ways you can. The testing and the protection profiles do identify what the requirements are and it can be tested independently outside in other organizations. But the way we facilitated the streamlining and created the efficiencies for evaluations is by having NIST do the whole process that they are authorized for, which can result in testing in very quick time. And I’ll push on that. NIST is very good at what they do and standardizing and testing those algorithms that are spec’ed out by them. There’s a challenge that internationally algorithms don’t exactly align and there’s things like hybrid crypto, which the US government doesn’t endorse. But the government wants a hard switch over and a push toward quantum capable while not tying it into the legacy type algorithms.

So there’s mutual recognition and we need to continue to work in that area, but crypto sovereignty and ownership in those areas is an idea we’ve talked about for years. And I think we’re going to continue on a worldwide basis of figuring out what the best set of algorithms are, but there’s always going to be national algorithms that’ll compete and there’ll be products that the US will want and maybe somebody like a China or Russia or somebody like that would want a whole other set of algorithms. So industry has to walk that line.

Active Cyber™: Are you seeing interest in these algorithms by the cryptocurrency guys and the other blockchain type of folks out there?

Mr. Jon Rolf: We’ve had some discussions and I think there’s some problems that they can run into. So the answer is yes, they’re waking up to the issues that they need to address. I’m not a cryptocurrency guy in what I did before and everything else, so I’m not really deep in that area, but I’ve seen and heard some of the conversations and people highlighting that they need to address the same sort of issues. They could have real big issues with the type of finances and things that they’re protecting. And I’m sure they’re starting to look at it, but yes, it’s a concern for them as well.

Active Cyber™: Because that makes me also think about other regulatory gaps that may be out there and issues that aren’t being addressed yet because cryptocurrency kind of falls out a little bit of some of those regulations in banking today to some extent. And so if they’re not being pushed by any regulation to go do this, then I can see that some of their consumers may be at jeopardy if they don’t take advantage of the technology in a timely way.

Mr. Jon Rolf: Yes, I think that’s a fair statement.

Active Cyber™: Okay. So what do you see as the level of adoption for these post quantum standards today? As you said, there’s a train starting to form here. Are we seeing adoption widespread or is it focused on particular sectors like financial or Department of War, for example, or are we seeing it pretty widespread across the board?

Mr. Jon Rolf: So I’ve got a focused view of Department of War, national security or government enterprise. I mean, government leverages cloud, and enterprise technology like everybody else. So I think a good thing is the government acting as a catalyst to try to make things happen. All the major vendors we’ve talked to have absolutely been adopting, talking about roadmaps, how they’re getting there, sharing some of the challenges. So everybody’s got a concern. And then of course what it comes down to is the vendors want to sell and deploy in the government marketplace. Like I said, the roadmaps are all starting to show it and we’ve had conversations over the last two, three years with those sort of people.

Active Cyber™: Okay. So let’s shift a little bit. So you talked about AI earlier on. What are your prognostications about AI and how it’s going to affect cryptography over the next five years as well as its impact on Common Criteria evaluations – what are the effects that AI is going to have in this space?

Mr. Jon Rolf: Yes, AI is the million-dollar question, Chris, now. It’s driving everything, but it’s interesting. AI was out there and the whole quantum thing popped up again and took center stage. But going back, AI is in the news every day. The governments are embracing AI on a large scale in multiple areas. On the cryptographic front specifically, we looked at products to provide vulnerability illumination. Then what we’ve seen in the last six months from the different drops of Mythos and the other tools out there, and what it does for discovery, for patching, for all these things extended our review. But when this first started to drop out, you had these conversations of, oh, well, the defensive side will be in a better position because they can automate and do this. But I think you and I both agree that the defensive side never gets the benefit of any of this.

We have been chasing offensive AI on the defensive side and what do you do with that? I mean, one piece is the automation in the vulnerability space that continues to go on. Whether it’s the whole behavior in the cyber area or something else, I think there’s some negotiations that need to go on internationally on expected behavior, expected punishment, and how do we manage these sorts of things.

So that’s an aspect that I think might map to some of the mutual recognition efforts and how do we work in those areas.

Another AI thing that occurred recently is we stood up a whole office focused on our AI policy. AI is all encompassing. Once in a while you get these expansive technologies. Cloud was one of them. AI is another one that spans so big that you can’t really handle it under one word. I mean, it’s just there’s different silos that it affects and whether it’s what does a model look like, how do you validate, how do you review those models? Or in a certification sense, how do you look at the security capabilities, functionality, and things that you would look to assess?

And we’re just in the beginning of that whole review. I think everybody right now is on leveraging the efficiencies of what it can do, but the effects and impacts are another thing that people are looking at as well. I’m starting to just open up these different areas or doors that just have to be addressed independently. And maybe it’s a whole framework or a whole subset of things underneath AI that need to be broken out and looked at. But yes, the international cooperation should make things better, we can accelerate the analysis of things from a Common Criteria perspective because Common Criteria takes time to make sure that the testing’s done right. In a perfect world, I see a positive from Common Criteria’s impact on AI, its constant testing and evaluation. You can get to this point where you’ve got an updated idea of how secure your system or model is.

We’re not there though. It’s that point in time that I talked about earlier. It would be the same thing for cloud. I mean, we have the whole idea of monitoring and assessing where things are at, but wouldn’t it be great if AI truly facilitated mapping to the security capabilities updates and what’s being done, how it’s being patched? I think people are looking at that, but think about the complexities of that and getting it right and then verifying that we’re in the right place. And yes, my mind starts to explode on how you do some of those things.

Active Cyber™: Yes. So, it makes me think, okay, so will there be protection profiles for LLMs or for agents for that matter? And could that incorporate some of the guardrails that folks are looking for? Then I’m thinking, could you apply AI to examine the algorithms? Is NIST doing that?

Mr. Jon Rolf: NIST is not there right now. I mean, everything that NIST is doing and we’ve done in the past is somewhat very regimented based on the security implications and what it is that is under evaluation. But things are changing due to complexity. Although the new matrix models and everything else that the Post Quantum world is doing starts to test your brain as well and it’s not a point in time and it’s these very rigid requirements … You come to decisions based on eliminating other choices. So I think we’re getting to this point where things are getting so complex and yes, a tool like AI if implemented correctly and with updates may help evaluate implementations. I mean, there’ve been things in the past where an algorithm’s been broken because people have taken shortcuts or simplified or did things that weren’t exactly correct or the assumptions they made were wrong. So if you can take this AI model that sits there and runs down every possibility for you and helps you find that error, I think that that’s a good thing.

And again, like I said, the brain just kind of explodes with all the possibilities and everything that’s going on and then you think all the data centers that are running this.

Active Cyber™: Okay. So I was thinking about this: as a vendor or as an enterprise even, I’ve got all these different certifications I’ve got to meet, especially if you get into the defense world – Common Criteria, the CMVP, you’ve got FedRAMP, you’ve got CMMC, RMF certifications, I could go on and on I think for a while here. And so I’m thinking if I’m a developer and I’m building something, can I have one process by which I send this off to Common Criteria, I send this off to CMVP, to FedRAMP, to my internal validation testing and I have this single, continuous, cohesive, end-to-end process where all these schemes and tests are kind of plugged in to this process – to my SecDevOps process. Do you think that such a convergence could happen so you could have this kind of scheme that would be dynamic and go all the way across for all the different controls, different certification schemes, different security evaluations that you would have to do?

Mr. Jon Rolf: Now you’re making my head explode. Each scheme provides a different type of security evaluation solution. We have different schemes that map to different systems.

So I think there’s always been this goal to simplify. I mean, the vendors of course want that. The fact is the evaluation process is just a cost center in itself that ties up resources. And the question is, are the products more secure? I think there’s a lot of test cases that we can show that things are found, identified and removed from the product. So I think all those solutions are right. We had a lot of challenges in NIAP even before we said, “Hey, let’s look at cloud.” And the whole point is there are gaps. There are gaps between the programs.

And then the whole idea is that you need this cohesive idea of what’s going on, whether it’s during development or whether it’s pre-fielding to make sure you have a correct implementation (Common Criteria), or whether it’s in the field (like RMF or even FedRAMP), which is more operational monitoring. And again, you have these different organizations complement each other – you build security in before you field the product and remediate if you find something in the field and the products need to be changed. The idea is good. The challenge is how do you open up and have these dialogues and show the information and reduce redundancies? And that is extremely difficult. So I think that’s something as government security organizations we need to look across and see how we do that.

The standards are a lot better, and how they test the standards in the labs is better. I mean, everything NIAP is doing is a lot better and more comprehensive than we have done in the past. Now it’s the challenge of how you align these different schemes and work together to solve the overall security challenge. But there’s always interests that are okay with the state of things, and trying to be perfect would not help a lot of things as well, but that’s the world we’re at and it’s this constant battle of offensive and defensive type of things.

Active Cyber™: I guess I’d like to finish with a question about crypto agility. You’ve heard that term, we’ve heard that term for a long time. So what can organizations do now that they are moving into the PQ space to make their systems more crypto agile? I remember talking about crypto agility during Y2K, how did we make our systems more agile back then? So what about today? I mean, is the hardware better? Is it more agile? Is the software more agile? Is it getting better that way? What are we doing to make things better and what else do we still have to do?

Mr. Jon Rolf: Sure. Crypto agility is one of the words of the day as we go through the post quantum algorithm updates. Everything we’re saying and showing is make sure the products are securely updateable, map to the requirements and can address any future issues. Now being in the government for 37 years and working with you, Chris, on a lot of things, you see the transition of technology’s capabilities and the products today and the chip sets and everything are just unbelievable. And the whole AI thing and the processing power and the co-processors that are able to do things that before we were so locked into and you couldn’t change. The crypto algorithms required chips to be so specialized and kind of mapped and programmed specifically for that. The chip sets and what they’re looking at now, of course, they’re looking at the whole structure of the post quantum algorithms.

So again, most of the people I’ve talked to acknowledge that, understand it – the whole set of issues around software updateability. This includes the trusted boot process and even the firmware signatures are addressing the capability to potentially upgrade even the crypto algorithms. I mean, there’s a concern that you do that right, you keep it in a root of trust and you don’t want those things to change or be modified in the field. So there’s a whole security concern there. But the answer is absolutely everybody’s mapping to get at the critical components in the infrastructure and then make sure that you can update and don’t need to go through this whole modification. As you watch this, the next couple of years, the investment in equipment upgrades and things is going to be massive. And I think that’s another challenge that people are going to have to look at.

Where do you program it and how do you make sure? You can’t just tell somebody, “Oh, you need to update all your server infrastructure in your architecture.” I mean, that’s something that they didn’t look at our program for and it’s not a funded initiative. So I think as we look at that, that’s going to be there. But yes, crypto agility is the first thing that comes to mind on how we’re going to meet this. And then the challenge is if something is found out in the future, you’re going to want to be able to swap out the chips without pulling chips and soldering and dropping in new.

No, everything is put in place so that it’s robust, signed, encrypted, capable of doing that and the goal is to get that right and understand that. But again, it’s in a short pipeline. So if you force things to happen quickly, not everything is perfect.

Active Cyber™: I worry also about the OT environment. They don’t move quite as fast when it comes to infrastructure upgrades right now, although we’re starting to see a little bit more adoption on security tech there. But when the crypto stuff comes out, I mean, I’m thinking that could actually be a big impact on them.

Mr. Jon Rolf: That’s a big focus area and I was working with some people in government who were looking at how do you push some of those folks in these previously disconnected OT systems that are now connected. How do you make sure that they have security things in place? And it is slower and it maps to those kinds of concerns.

Active Cyber™: Well, Jon, this has been great. I think we probably want to figure out a follow-up talk in the near future here and see where things are going, especially after you are done touring all these different conferences. So I would be happy to do that and so happy that you joined me today.

Mr. Jon Rolf: Thanks, Chris. And we’ve had a long history going back to the trusted computing space and virtualization and what could be done with these technologies. I remember some people didn’t think those technologies were going to amount to much, and now, the enterprise is relying on those technologies as core technologies. Trusted computing is still out there and addressing how do you keep the system secure and is already mapping to the post-quantum algorithms and deploying in those TPMs today. Awesome.


Thanks, Jon, for sharing your insight about Common Criteria and post quantum crypto from your time at NSA and NIAP. I believe, as you do, it is going to be a very dynamic space over the next few years as PQ rolls out and as AI takes effect on the evaluation processes and technology involved. And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, authenticity, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT / IIoT and IoT systems, Augmented Reality, AI, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.

About Mr. Jonathan Rolf

Jonathan “Jon” Rolf is an independent cybersecurity consultant and founder of Rolf Cyber LLC, leveraging over 37 years of distinguished leadership in national security. He previously served as the Director of the National Information Assurance Partnership (NIAP), overseeing the U.S. Common Criteria Evaluation and Validation Scheme at the National Security Agency (NSA). During his career, he led initiatives in industry engagement implementing security requirements in commercial technologies, managed the Technology Division within the Unified Cross Domain Management Office, oversaw the Trusted Computing Portfolio in the Commercial Solutions Center, and managed development of trusted voice products for the STU-III program. Mr. Rolf holds an M.B.A. and an M.S. in Electrical Engineering from the University of Maryland, along with B.S. degrees in Electrical and Computer Engineering from the University of Missouri.