Sponsors (2)
This is not an official government website.
Copyright © 2026 PLEJ LC. All rights reserved.
Requires federal authorities to create a national strategy and pilot program to move federal high-impact information systems and critical infrastructure toward post-quantum cryptography. It sets deadlines for a strategy, a pilot requiring at least one high-impact system upgrade per sector risk management agency by Jan 1, 2027, agency cost surveys, interagency reporting to Congress, and annual GAO progress assessments.
The bill speeds and standardizes federal migration to post‑quantum cryptography—improving security and coordination—but does so at the cost of near‑term spending, compliance burdens, operational strain, and potential expansion of regulatory obligations that may require future updates as standards evolve.
Federal agencies and critical infrastructure operators (e.g., utilities, financial institutions, hospitals) get clear, standardized definitions for cryptography and 'high‑impact systems' aligned with FIPS 199 and NIST guidance, enabling more consistent risk categorization and coordinated cybersecurity planning across sectors.
Agencies are given concrete benchmarks and deadlines (including a requirement that at least one high‑impact system per sector be upgraded by Jan 1, 2027) to migrate to post‑quantum cryptography, reducing long‑term vulnerability of critical systems to quantum attacks.
GAO annual reporting requirements increase transparency and accountability about agency progress on migration pilots and deployments, helping Congress, state governments, and the public track implementation and results.
Federal agencies and private entities (especially utilities, financial firms, and hospitals) will face substantial upgrade, personnel, and compliance costs to implement post‑quantum cryptography—costs that may fall to taxpayers, customers, or reduce funds for other priorities.
Mandated pilots and migration timelines could strain IT staff and agency resources, diverting personnel and attention from other operational priorities and ongoing projects at federal and state levels.
The Act's broad definitions may expand the set of entities subject to regulatory obligations and oversight (including penalties), increasing compliance burden particularly for small businesses and certain infrastructure operators.
Introduced July 30, 2025 by Gary C. Peters · Last progress July 30, 2025