Forum Discussion
Tenable Post-Quantum Cryptography Inventory Support
Summary
The advent of quantum computing presents a significant threat to current cryptographic algorithms. Organizations worldwide are beginning the critical transition to post-quantum cryptography (PQC) resistant algorithms to ensure long-term data security. Government mandates, such as the U.S. National Security Memorandum 10 (NSM-10), outlines deadlines for PQC migration and specific actions agencies must take to migrate vulnerable systems.
Our PQC support is designed to help customers inventory use of TLS and SSH quantum-resistant and vulnerable algorithms within their infrastructure using remote Nessus-based scans.
Cipher Inventory and Reporting
Post-Quantum Cipher Plugins
Two remote-based scan informational reporting plugins for TLS and SSH protocols inform customers of their transition posture according to NIST Post-Quantum Encryption Standards.
- Services Using Post Quantum Cryptography: Reports on services equipped with at least one post-quantum cipher. It will specify which post-quantum ciphers were discovered, reporting by port and protocol.
- Services Not Using Post Quantum Cryptography: Reports on services that support no post-quantum ciphers.
These plugins will be enabled by default and included in existing scans.
Cryptographic Inventory Plugin Reporting
To enable a JSON-based inventory of each target by service and cipher, enable through either a preference on your Advanced Network Scan or by running the Cryptographic Inventory scan template. These preferences will initially be supported in Nessus and Tenable Vulnerability Management. They are planned to be added to Tenable Security Center at a later date.
Warning: Enabling this preference through the Advanced Network Scan is expected to increase the overall size of the plugin output per target and resulting Nessus database size. If you do not need to produce this inventory at all or on your regular scan cadence, it’s recommended to instead run the Cryptographic Inventory scan template to decrease the potential impact to your normal scan results.
Options to Enable Inventory Reporting
Advanced Scan Preference
Post Quantum Cryptography Scan Template
Cryptographic Inventory Plugin Details
The plugin enabled with the preference or scan template is an information plugin called Target Cipher Inventory. Within the output of this plugin, you will find a JSON structure containing the TLS and SSH inventories for the scanned target. You can export this inventory based on plugin output using the Tenable API if needed.
For TLS, the structure contains:
Attribute | Definition |
Encaps | Protocol encapsulation employed such as TLSv1, TLSv2, TLSv3 |
Port | Port used for TLS communication |
Curve Group | Encryption method |
Ciphersuite | Algorithm used to secure the TLS connection |
For SSH, the structure contains:
Attribute | Definition |
Proto | Protocol of SSH |
Port | Port used for SSH communication |
Name | Algorithm used to secure the protocol |
Type | Use of the named algorithm such as “message auth” |
Release Date
Tenable Vulnerability Management and Tenable Nessus: December 8, 2025
Tenable Security Center:
- December 8, 2025 for the informational plugins
- Cryptographic Inventory scan template release to be determined
1 Reply
Why is SC always behind? Is there any timeline on when the policy would be added to SC? I see it says TBD but it would be nice to know if was coming in a month, 2 months, etc....
